Operator Console and Safety Gates

Why a separate operator role

The firm runs on separation of duties. Any founder can upload material, browse the corpus, review evidence claims, ask the internal Oracle, and read everything the firm publishes. A small number of actions are concentrated in the operator role for three reasons.

• Real-world consequences. Publishing and trading touch the world outside the firm. Each of those gates wants a single accountable actor.
• Cryptographic signing. The firm signs its public publications and its quarterly review with private keys. Those keys live with the operator role, not in the web app, so signing is an explicit human action.
• Concentration of risk. Kill switches and live-bet authorization can lose money. They live on the surface that gets reviewed most carefully.

The publication review queue

The publication queue is the gate before any conclusion or article goes public. Each queue item carries a checklist: meta-analysis OK (the methodology profile has been read), adversarial engaged OK (the strongest objection has been reviewed, not just produced), clarity OK (readable to a smart outsider), and no leakage OK (the conclusion does not expose private material). Approving the item mints a permanent public version and the workshop's ledger writes a cryptographic signature attached to the canonical hash. The Codex stores the signature; the signing keys never live inside the website.

The quarterly methodology review week

Once a quarter, the operator walks the firm's recent work and writes a structured account of what the firm learned. Each day's draft is summarized by the workshop, then edited and signed by the operator. Once a day is signed cryptographically, the row becomes immutable. To revise after signing, the operator must clear the signature first, which is itself an audited event.

The history page shows every prior week's signed daily summaries. This is the firm's durable record of methodological self-assessment.

Kill switches

There is no global kill switch. There are several precise ones, and that is deliberate.

• Currents ingestion off — the next scheduler cycle writes no new events. Existing opinions stay up.
• Articles dispatcher off — existing articles stay up; no new ones are clustered or written.
• Master live-trading off — the platform-wide live-bet flag. Setting it off refuses every downstream submit.
• Per-submit kill switch — re-checked immediately before each order placement; trips even bets that already passed operator confirmation.

Deletion versus retraction

Two adjacent flows. Understanding the difference matters because they leave very different audit trails.

• Deletion is removal of source material. The upload is soft-deleted, derived bridge rows are hard-deleted, and any conclusion left with zero sources is then hard-deleted. The public surface stops resolving the affected rows. Used for legal, compliance, or subject-request reasons.
• Retraction is removal of a published output. The retraction is itself a published artifact: it creates a new public version that retracts the previous one, leaving an audit trail. Used for an article or conclusion the firm no longer endorses.

The reason for the ceremony

It is fair to ask why the firm builds in so many gates, queues, and signatures when most days nothing goes wrong. The answer is the one that animates the whole platform: the product is the recorded reasoning, not the opinions. That product is only worth anything if a later reviewer can inspect the record and trust what they see. Publication review, signing, source-standing triage, deletion-versus-retraction, kill switches, live-bet gates — all of it exists so the record is trustworthy when it matters most.

Related public routes

• /methodology
  Methodology

  The reviewed methods that pass through these gates.

• /proof/calibration
  Calibration

  The public manifest the firm grades itself on.

• /about
  About

  Why the firm is structured this way.