Dashboard route, forms, queries, mutations, and region patches are served by B8Grid Framework.
B8Grid Local Private Beta
Control Cloud dashboard running on B8Grid Framework
Agent-native cloud control for humans and agents. Cloud Control remains the authority for projects, source, workspaces, builds, previews, secrets, database metadata, and audit evidence. The dashboard reads and mutates through @b8grid/framework plus @b8grid/data.
Statusready
Organizations0
Projects0
Source projects0
Workspaces0
Builds0
Secrets0
Audit events0
Dashboard events and invalidation contracts use B8Grid Data; durable control state remains Cloud Control.
Postgres details are metadata only; credentials stay in Cloud Trust secret grants.
Local beta keeps public exposure disabled and does not claim hosted promotion.
Database Control
Database resource registry, private network placement, migration status, backup/restore controls, and grants without raw credentials.
Database resource registry
b8grid-cloud-control-database-control-v6no-raw-credentials-in-uiOperator wave
b8grid-cloud-control-operator-wave-v7shellCommandsInDashboard: falseEnginepostgres
Servicepostgres
Private hostpostgres:5432
Network zonedata_net
Publicly reachablefalse
Credential storagecloud-trust-secret-grants
Dashboard exposuremetadata-only
Source of truthcloud-control-service-store
Dashboard storeb8grid-data-ui-reactive-layer
| resourceId | engine | serviceName | privateHostname | networkZone | migrationStatus | backupStatus | restoreStatus | publicReachable |
|---|---|---|---|---|---|---|---|---|
| postgres-local-private-beta | postgres | postgres | postgres:5432 | data_net | local-migration-gate-ready | local-restore-drill-ready | checksum-manifest-and-restore-time-contract | false |
| id | label | state | command | detail |
|---|---|---|---|---|
| migration-status | Migration status | ready | corepack pnpm --silent local:ops:migrations:status --json | Reads migration status from the local Cloud Control migration gate before deployment. |
| backup-restore | Backup/restore | ready | corepack pnpm --silent local:ops:backup --json | Runs backup/restore drill evidence without exposing database passwords. |
| connection-grants | Connection grants | ready | corepack pnpm --silent local:security-spine:v4 --json | Issues database access through Cloud Trust grants instead of raw connection strings. |
| grantId | principal | resourceId | actions | status | rawCredentialExposed |
|---|---|---|---|---|---|
| grant:database:cloud-control | service:cloud-control | postgres-local-private-beta | connect,migrate,backup | active-contract | false |
| grant:database:source-graph-cloud | service:source-graph-cloud | postgres-local-private-beta | connect,query | active-contract | false |
| id | label | state | executionMode | command | detail |
|---|---|---|---|---|---|
| database.migrationStatus | Migration check | ready | local-proof-command | corepack pnpm --silent local:ops:migrations:status --json | Records that the local migration gate has been requested from the dashboard. |
| database.backupDrill | Backup drill | ready | local-proof-command | corepack pnpm --silent local:ops:backup --json | Records that the backup/restore drill should be run from the local operator workbench. |
| database.createGrant | Create DB grant | service-backed | service-backed | cloud.dashboard.databaseCreateGrant | Creates a Cloud Trust grant for Postgres access without returning a raw connection string. |
| database.revokeGrant | Revoke DB grant | service-backed | service-backed | cloud.dashboard.databaseRevokeGrant | Revokes an existing Cloud Trust grant and records a grant.revoke audit event. |
Auth Control
Auth is modeled for open beta with a removable private-beta admission gate, verified email, sessions, MFA, passkeys, reset flow status, and audit evidence.
Signup admission
b8grid-cloud-control-auth-control-v6allowlist -> open-signupDefault modeallowlist
Open modeopen-signup
Allowlist sourceB8GRID_AUTH_ALLOWLIST_EMAILS
Removable gatetrue
Verified emailtrue
External userstrue
Auth V9b8grid-local-auth-private-beta-v9
Token materialfalse
hostedGafalse
Provider credential preflight
b8grid-auth-provider-credential-preflight-v1readyForHostedProviderDrill: falseLive provider credentialsfalse
Token materialfalse
Hosted provider drill
b8grid-auth-hosted-provider-drill-manifest-v1readyForHostedProviderDrill: falsePublic drill manifesthosted-auth-provider-drill-manifest-v1
OAuth callback routeb8grid-auth-oauth-callback-route-contract-v1
Callback path/.b8grid/auth/oauth/:provider/callback
Live drill contractb8grid-hosted-provider-live-drill-v16
Provider secretsfalse
External identity providersfalse
Hosted WebAuthn attestationfalse
Hosted TOTP KMS lifecyclefalse
Token materialfalse
hostedGafalse
| id | state | boundary |
|---|---|---|
| email-password | ready | B8Grid-owned hash/session contract |
| passkey | adapter-ready | B8Grid verifier/storage contract; hosted WebAuthn attestation still gated |
| email-code-magic-link | contract-ready | B8Grid email relay contract with local fake SMTP and optional SES/SMTP adapters |
| oidc-social | adapter-contract | OIDC adapter contract for Google, GitHub, and Microsoft |
| id | state | detail |
|---|---|---|
| private-beta-v9 | ready | Runs the V9 private-beta auth gate for allowlist/open admission, auth flows, local MFA, passkey adapter, abuse evidence, and token redaction. |
| session-device-view | ready | Shows issued, refreshed, revoked, and project-bound Cloud Trust sessions without returning tokens. |
| mfa-passkey-status | local-ready | Tracks TOTP, backup-code, and passkey adapter readiness while keeping hosted WebAuthn claims explicit. |
| password-reset-flow-status | contract-ready | Records password reset flow status as a local auth contract; email delivery remains adapter-driven. |
| suspicious-login-rate-limit-evidence | ready | Keeps suspicious-login and rate-limit evidence queryable for private beta security review. |
| id | kind | state | requiredRefs | missingRefs | unsafeDirectValueRefs |
|---|---|---|---|---|---|
| office365-smtp | missing-managed-ref | B8GRID_EMAIL_RELAY_SMTP_URL_REF, B8GRID_EMAIL_RELAY_SMTP_FROM_REF | B8GRID_EMAIL_RELAY_SMTP_URL_REF, B8GRID_EMAIL_RELAY_SMTP_FROM_REF | none | |
| ses | missing-managed-ref | B8GRID_EMAIL_RELAY_SES_REGION_REF, B8GRID_EMAIL_RELAY_SES_IDENTITY_REF | B8GRID_EMAIL_RELAY_SES_REGION_REF, B8GRID_EMAIL_RELAY_SES_IDENTITY_REF | none | |
| github-oauth | oauth | missing-managed-ref | B8GRID_AUTH_GITHUB_CLIENT_ID_REF, B8GRID_AUTH_GITHUB_CLIENT_SECRET_REF | B8GRID_AUTH_GITHUB_CLIENT_ID_REF, B8GRID_AUTH_GITHUB_CLIENT_SECRET_REF | none |
| google-oidc | oauth | missing-managed-ref | B8GRID_AUTH_GOOGLE_CLIENT_ID_REF, B8GRID_AUTH_GOOGLE_CLIENT_SECRET_REF, B8GRID_AUTH_GOOGLE_JWKS_REF | B8GRID_AUTH_GOOGLE_CLIENT_ID_REF, B8GRID_AUTH_GOOGLE_CLIENT_SECRET_REF, B8GRID_AUTH_GOOGLE_JWKS_REF | none |
| microsoft-oidc | oauth | missing-managed-ref | B8GRID_AUTH_MICROSOFT_CLIENT_ID_REF, B8GRID_AUTH_MICROSOFT_CLIENT_SECRET_REF, B8GRID_AUTH_MICROSOFT_JWKS_REF | B8GRID_AUTH_MICROSOFT_CLIENT_ID_REF, B8GRID_AUTH_MICROSOFT_CLIENT_SECRET_REF, B8GRID_AUTH_MICROSOFT_JWKS_REF | none |
| provider | path | url | requiredRefs | state |
|---|---|---|---|---|
| github | /.b8grid/auth/oauth/github/callback | https://beta.b8grid.xyz/.b8grid/auth/oauth/github/callback | B8GRID_AUTH_GITHUB_CLIENT_ID_REF, B8GRID_AUTH_GITHUB_CLIENT_SECRET_REF | managed-provider-callback-required |
| /.b8grid/auth/oauth/google/callback | https://beta.b8grid.xyz/.b8grid/auth/oauth/google/callback | B8GRID_AUTH_GOOGLE_CLIENT_ID_REF, B8GRID_AUTH_GOOGLE_CLIENT_SECRET_REF, B8GRID_AUTH_GOOGLE_JWKS_REF | managed-provider-callback-required | |
| microsoft | /.b8grid/auth/oauth/microsoft/callback | https://beta.b8grid.xyz/.b8grid/auth/oauth/microsoft/callback | B8GRID_AUTH_MICROSOFT_CLIENT_ID_REF, B8GRID_AUTH_MICROSOFT_CLIENT_SECRET_REF, B8GRID_AUTH_MICROSOFT_JWKS_REF | managed-provider-callback-required |
| provider | test | requiredRefs | state |
|---|---|---|---|
| office365-smtp | send password reset challenge through SMTP relay adapter | B8GRID_EMAIL_RELAY_SMTP_URL_REF, B8GRID_EMAIL_RELAY_SMTP_FROM_REF | managed-refs-missing |
| ses | send password reset challenge through SES relay adapter | B8GRID_EMAIL_RELAY_SES_REGION_REF, B8GRID_EMAIL_RELAY_SES_IDENTITY_REF | managed-refs-missing |
| artifact | state |
|---|---|
| hosted-provider-callback-audit | required-sanitized-evidence |
| hosted-provider-token-validation-fixtures | required-sanitized-evidence |
| hosted-email-deliverability-bounce-complaint-outage-drill | required-sanitized-evidence |
| hosted-webauthn-browser-attestation | required-sanitized-evidence |
| hosted-encrypted-totp-secret-kms-lifecycle | required-sanitized-evidence |
| blocker |
|---|
| missing managed ref: B8GRID_EMAIL_RELAY_SMTP_URL_REF |
| missing managed ref: B8GRID_EMAIL_RELAY_SMTP_FROM_REF |
| missing managed ref: B8GRID_EMAIL_RELAY_SES_REGION_REF |
| missing managed ref: B8GRID_EMAIL_RELAY_SES_IDENTITY_REF |
| missing managed ref: B8GRID_AUTH_GITHUB_CLIENT_ID_REF |
| missing managed ref: B8GRID_AUTH_GITHUB_CLIENT_SECRET_REF |
| missing managed ref: B8GRID_AUTH_GOOGLE_CLIENT_ID_REF |
| missing managed ref: B8GRID_AUTH_GOOGLE_CLIENT_SECRET_REF |
| missing managed ref: B8GRID_AUTH_GOOGLE_JWKS_REF |
| missing managed ref: B8GRID_AUTH_MICROSOFT_CLIENT_ID_REF |
| missing managed ref: B8GRID_AUTH_MICROSOFT_CLIENT_SECRET_REF |
| missing managed ref: B8GRID_AUTH_MICROSOFT_JWKS_REF |
| id | source | events | redacted |
|---|---|---|---|
| auth-audit-stream | cloud-trust-session-audit | 0 | true |
| suspicious-login-rate-limit-evidence | local-auth-private-beta-v9 | 0 | true |
| id | label | state | executionMode | command | detail |
|---|---|---|---|---|---|
| auth.viewSessions | View sessions | ready | framework-data-backed | cloud.dashboard.auth.sessions | Shows session/device evidence as redacted metadata and never returns raw session tokens. |
| auth.switchAdmissionMode | Switch admission | ready | framework-data-backed | cloud.dashboard.auth.admission | Switches the removable signup admission gate between allowlist and open modes. |
| auth.runPrivateBetaV9 | Auth private beta V9 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v9 --json | Runs b8grid-local-auth-private-beta-v9 for the complete local private-beta auth readiness contract. |
| auth.runPrivateBetaV11 | Auth private beta V11 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v11 --json | Runs b8grid-local-auth-private-beta-v11 for email OTP, local auth hardening, abuse evidence, and token-free private-beta auth completion. |
| auth.runPrivateBetaV12 | Auth private beta V12 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v12 --json | Runs b8grid-local-auth-private-beta-v12 for password reset, MFA/passkey/session/device status, abuse limits, email relay, and leak-scan evidence. |
| auth.runHostedProviderLiveDrillV16 | Hosted provider live drill V16 | evidence-required | owner-supplied-live-evidence | corepack pnpm --silent local:hosted-provider-live-drill:v16 -- --public-url https://<beta-domain> --evidence <sanitized-provider-evidence.json> --json | Template: corepack pnpm --silent local:hosted-provider-live-drill:v16 -- --template --public-url https://<beta-domain> > sanitized-provider-evidence.json. Dr... |
| auth.runHardening | Auth hardening | ready | local-proof-command | corepack pnpm --silent local:auth-hardening:v4 --json | Runs the private-beta auth hardening proof for MFA, reset, lockout, and abuse evidence. |
Security Workbench
Local-first checks for dependency/security scanning, auth abuse, access-control abuse, Docker isolation, and secret leakage.
Local security gate
b8grid-cloud-control-security-workbench-v6publicInternet: falseLocal onlytrue
hostedGafalse
External pentestfalse
Destructive pentestfalse
Raw credentials outputfalse
| id | state | ready | command | detail |
|---|---|---|---|---|
| dependency-security-scan | ready | true | corepack pnpm --silent local:supply-sandbox:v4 --json | Local SBOM, dependency, license, lifecycle-script, image provenance, and runtime sandbox evidence. |
| auth-abuse-tests | ready | true | corepack pnpm --silent local:auth-hardening:v4 --json | Local auth abuse evidence for MFA, backup codes, revocation, lockout, and suspicious login audit. |
| wrong-user-wrong-org-wrong-project-tests | ready | true | corepack pnpm --filter @b8grid/cloud-control test | Wrong actor, wrong project, wrong org, signed session, and Cloud Trust boundary tests. |
| docker-network-isolation-proofs | ready | true | corepack pnpm --silent local:service-images:v3:live --json | Docker network isolation proof that only ingress publishes a host port and data_net stays private. |
| secrets-in-logs-image-checks | ready | true | corepack pnpm --silent local:secrets --json | Scans compose, env, image metadata, and proof outputs for secret-shaped material. |
| id | label | state | executionMode | command | detail |
|---|---|---|---|---|---|
| network.runIsolationProof | Network proof | ready | local-proof-command | corepack pnpm --silent local:cluster:v2 --json | Runs public/control/source/data/ops network isolation proof with Postgres private. |
| trust.runSecuritySpine | Trust spine | ready | local-proof-command | corepack pnpm --silent local:security-spine:v4 --json | Runs local CA, service cert, mTLS, KMS envelope, grant, and redaction proof. |
| ops.runObservability | Ops proof | ready | local-proof-command | corepack pnpm --silent local:ops-observability:v4 -- --mode offline --json | Runs logs, metrics, traces, audit search, health timeline, incident, and restore evidence. |
| ops.runObservabilityV5 | Ops observability V5 | ready | local-proof-command | corepack pnpm --silent local:ops-observability:v5 -- --mode offline --json | Runs b8grid-local-ops-observability-v5 for audit search, health timeline, alert rules, incident snapshots, and sanitized artifact scans. |
| ops.runRecoveryV5 | Ops recovery V5 | ready | local-proof-command | corepack pnpm --silent local:ops-recovery:v5 -- --mode offline --json | Runs b8grid-local-ops-recovery-v5 for restore history, recovery runbook, upgrade/rollback evidence, and sanitized artifact scans. |
| security.runWorkbench | Security workbench | ready | local-proof-command | corepack pnpm --silent local:security-workbench:v6 --json | Runs the local security workbench gate for dependencies, auth abuse, isolation, and secret leaks. |
| security.runWorkbenchV7 | Security workbench V7 | ready | local-proof-command | corepack pnpm --silent local:security-workbench:v7 --json | Runs b8grid-local-security-workbench-v7 with Auth V12 attack-path mapping and proof-output leak scanning. |
Organizations
Bootstrap local projects through the framework mutation path. The signed actor must match the owner field.
| projectId | organizationId | name |
|---|---|---|
No projects yet. | ||
Secrets
Secret mutations write through Cloud Trust and return redacted metadata only.
| projectId | environmentId | name | version | active | class |
|---|---|---|---|---|---|
No secrets yet. | |||||
Source Graph
Source Graph remains the first product surface. Cloud Control mediates project, workspace, and source authorization.
| projectId | name | remoteId | productionReadiness |
|---|---|---|---|
No Source Graph projects yet. | |||
| workspaceId | projectId | name | productionReadiness |
|---|---|---|---|
No workspaces yet. | |||
| id | label | state | executionMode | command | detail |
|---|---|---|---|---|---|
| sourceGraph.runPrivateBetaV10 | Source Graph V10 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v10 --json | Emits b8grid-local-source-graph-private-beta-v10 by proving auth-session exchange, real /source app rendering, metadata-safe query output, and customizable U... |
| sourceGraph.runPrivateBetaV12 | Source Graph V12 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v12 --json | Emits b8grid-local-source-graph-private-beta-v12 for project/repository/workspace/review/readiness UX, metadata-safe APIs, and future-customizable UI slots. |
| sourceGraph.runPrivateBetaV27 | Source Graph first-friend V27 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v27 --json | Emits b8grid-local-source-graph-private-beta-v27 for allowlist, signup/login, signed CLI installer, CLI session exchange, project bootstrap, commit/push, UI ... |
| sourceGraph.runAuthUxV28 | Source Graph auth UX V28 | ready | local-proof-command | corepack pnpm --silent local:source-graph-auth-ux:v28 --json | Emits b8grid-local-source-graph-auth-ux-v28 for password credential setup, password login, password reset consume, passkey registration/authentication, devic... |
| sourceGraph.runCliBrowserLoginV29 | Source Graph CLI browser login V29 | ready | local-proof-command | corepack pnpm --silent local:source-graph-cli-browser-login:v29 --json | Emits source-graph-cli-browser-login-v29 for challenge start, browser sign-in approval, shared signed Auth Control cookie, CLI polling, and one-time scoped C... |
| sourceGraph.runFriendInstall003 | Source Graph friend install v0.0.3 | ready | local-proof-command | corepack pnpm --silent local:source-graph-friend-install:v0.0.3 --json | Emits source-graph-friend-install-smoke-v0.0.3 by proving the public manifest, PowerShell installer, shell installer, and detached signature download without... |
| sourceGraph.runFriendInstallExecution003 | Source Graph install execution v0.0.3 | ready | local-proof-command | corepack pnpm --silent local:source-graph-friend-install-execution:v0.0.3 --json | Emits source-graph-friend-install-execution-v0.0.3 by executing the public PowerShell installer into an isolated temporary directory, verifying the installed... |
Hosted Beta Handoff
Provider-independent remote-host handoff for moving from laptop Docker plus relay to a real private-beta host without bundling local secret values.
Remote host handoff
b8grid-cloud-control-hosted-beta-handoff-v1remoteLiveReady: falseRemote deploy contract
b8grid-remote-private-beta-host-handoff-v1liveRemoteHostReady: falseRemote bundle contract
b8grid-remote-private-beta-handoff-bundle-v14requiredForInstallerEndpoints: trueProduction gateb8grid-local-production-hosting-v13
Bundle root/opt/b8grid/private-beta
CLI release envB8GRID_SOURCE_GRAPH_CLI_RELEASE_ROOT
CLI release default sourceartifacts/source-graph-cli/windows-x64/release/source-graph
CLI release remote path/opt/b8grid/private-beta/artifacts/source-graph-cli/windows-x64/release/source-graph
CLI compose mount/app/artifacts/source-graph-cli/windows-x64/release/source-graph:ro
Target stageremote-private-beta
Target regionap-south-1
Target profilepublic-private-beta
Remote env path/opt/b8grid/private-beta/.env
Env templateinfra/local/.env.example
Remote health markersremoteHealthMarkers: true
Remote env template proofremoteEnvTemplate: true
CLI release proofreleaseArtifacts: true
Promotion live gatecorepack pnpm --silent local:public-private-beta:live --json --promotion-evidence-packet sanitized-promotion-evidence.json
Local secret bundleincludeLocalSecretsInBundle: false
Secret materialsecretMaterialIncluded: false
hostedGafalse
publicInternetfalse
| id | path |
|---|---|
| compose-1 | infra/local/docker-compose.yml |
| compose-2 | infra/local/docker-compose.production-like-v1.yml |
| compose-3 | infra/local/docker-compose.public-private-beta.yml |
| name | state |
|---|---|
| B8GRID_LOCAL_POSTGRES_DB | required-on-remote-host |
| B8GRID_LOCAL_POSTGRES_USER | required-on-remote-host |
| B8GRID_LOCAL_POSTGRES_PASSWORD | required-on-remote-host |
| B8GRID_SOURCE_GRAPH_CLOUD_POSTGRES_URL | required-on-remote-host |
| B8GRID_LOCAL_SOURCE_GRAPH_TENANT | required-on-remote-host |
| B8GRID_LOCAL_SOURCE_GRAPH_PROJECT | required-on-remote-host |
| B8GRID_LOCAL_SOURCE_GRAPH_TOKEN_SECRET | required-on-remote-host |
| B8X_CLOUD_SESSION_SECRET | required-on-remote-host |
| B8GRID_PUBLIC_PRIVATE_BETA_URL | required-on-remote-host |
| B8GRID_PUBLIC_PRIVATE_BETA_PUBLIC_REACHABILITY | required-on-remote-host |
| B8GRID_REMOTE_PRIVATE_BETA_HOST_MODE | required-on-remote-host |
| path | state |
|---|---|
| cli/manifest.json | required-for-public-installer-endpoints |
| cli/latest/windows-x64/sha256.txt | required-for-public-installer-endpoints |
| cli/signing/b8grid-release-signing-public.xml | required-for-public-installer-endpoints |
| install.ps1 | required-for-public-installer-endpoints |
| install.sh | required-for-public-installer-endpoints |
| id | state |
|---|---|
| aws-ec2-ap-south-1 | recommended-beta-default |
| aws-ec2-ap-south-2 | supported-handoff-target |
| oci-bare-metal-india | supported-handoff-target |
| gcp-sole-tenant-india | supported-handoff-target |
| operator-owned-server | supported-handoff-target |
| id | requirement |
|---|---|
| host-requirement-1 | Ubuntu 24.04 LTS or compatible Linux host |
| host-requirement-2 | Docker Engine with Compose plugin |
| host-requirement-3 | SSH access for the deploy operator |
| host-requirement-4 | public DNS/TLS endpoint owned by the operator |
| host-requirement-5 | persistent volume path for Postgres and release evidence |
| host-requirement-6 | firewall exposing only HTTP/HTTPS ingress |
| id | command | state |
|---|---|---|
| prepare | ssh <remote-host> 'sudo mkdir -p /opt/b8grid/private-beta /opt/b8grid/private-beta/artifacts/source-graph-cli/windows-x64/release/source-graph && sudo chown ... | operator-run-on-remote-host |
| upload-compose-bundle | rsync -av --relative package.json pnpm-lock.yaml infra/local/docker-compose.yml infra/local/docker-compose.production-like-v1.yml infra/local/docker-compose.... | no-local-secret-values |
| upload-runtime-bundle | rsync -av --relative packages scripts docs <remote-host>:/opt/b8grid/private-beta/ | no-local-secret-values |
| upload-cli-release-artifacts | rsync -av "${B8GRID_SOURCE_GRAPH_CLI_RELEASE_ROOT:-artifacts/source-graph-cli/windows-x64/release/source-graph/}" <remote-host>:/opt/b8grid/private-beta/arti... | required-for-installer-endpoints |
| preflight-remote-host-v19 | corepack pnpm --silent local:remote-private-beta-host-preflight:v19 -- --bundle-root . --artifact-root ${B8GRID_SOURCE_GRAPH_CLI_RELEASE_ROOT:-artifacts/sour... | b8grid-remote-private-beta-host-preflight-v19 |
| start | ssh <remote-host> 'cd /opt/b8grid/private-beta && docker compose --env-file /opt/b8grid/private-beta/.env -f infra/local/docker-compose.yml -f infra/local/do... | build-and-start-on-remote-host |
| verify | corepack pnpm --silent local:production-hosting:v13 --json --dashboard-base-url https://<remote-host-or-domain> --allow-public-dashboard | owner-authorized-public-dashboard-probe |
| verify-remote-host-v15 | corepack pnpm --silent local:remote-private-beta-host:v15 -- --public-url https://<remote-host-or-domain> --json | b8grid-remote-private-beta-host-v15 |
| capture-remote-host-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --remote-host-url https://<remote-host-or-domain> --capture-... | writes-sanitized-remote-host-verification |
| template-external-pentest-report-v17 | corepack pnpm --silent local:external-pentest-report:v17 -- --template --public-url https://<beta-domain> > sanitized-external-pentest-report.json | b8grid-external-pentest-report-v1 |
| write-evidence-handoff-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --remote-host-url https://<remote-host-or-domain> --write-di... | b8grid-private-beta-evidence-handoff-kit-v20 |
| write-partial-evidence-handoff-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --write-dir ./.b8x/private-beta-evidence-kit --json | provider-and-pentest-evidence-before-remote-host |
| draft-provider-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --draft-provider-evidence ./.b8x/private-beta-evidence-kit -... | writes-sanitized-provider-draft-from-public-readiness |
| validate-evidence-handoff-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --validate-dir ./.b8x/private-beta-evidence-kit --json | checks-provider-and-pentest-evidence-before-promotion |
| status-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --remote-host-url https://<remote-host-or-domain> --status-d... | reports-valid-missing-and-assembly-ready-evidence |
| capture-remote-host-preflight-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --capture-remote-host-preflight ./.b8x/private-beta-evidence-kit --public-url https://<beta-dom... | writes-sanitized-remote-host-preflight |
| capture-provider-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --provider-evidence sanitized-provider-evidence.json --captu... | writes-verified-sanitized-provider-evidence |
| capture-external-pentest-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --external-pentest-report sanitized-external-pentest-report.... | writes-verified-sanitized-pentest-evidence |
| assemble-promotion-evidence-kit-v20 | corepack pnpm --silent local:private-beta-evidence-kit:v20 -- --public-url https://<beta-domain> --remote-host-url https://<remote-host-or-domain> --assemble... | writes-sanitized-promotion-evidence-packet |
| verify-external-pentest-report-v17 | corepack pnpm --silent local:external-pentest-report:v17 -- --public-url https://<beta-domain> --report sanitized-external-pentest-report.json --json | requires-sanitized-attacker-box-report |
| template-promotion-evidence-v18 | corepack pnpm --silent local:private-beta-promotion-evidence:v18 -- --template --public-url https://<beta-domain> --remote-host-url https://<remote-host-or-d... | b8grid-private-beta-promotion-evidence-packet-v1 |
| verify-promotion-evidence-v18 | corepack pnpm --silent local:private-beta-promotion-evidence:v18 -- --public-url https://<beta-domain> --packet sanitized-promotion-evidence.json --json | requires-remote-host-provider-and-pentest-evidence |
| clear-promotion-blockers | corepack pnpm --silent local:public-private-beta:live --json --promotion-evidence-packet sanitized-promotion-evidence.json | requires-verified-promotion-evidence-packet |
| clear-promotion-blockers-individual | corepack pnpm --silent local:public-private-beta:live --json --remote-host-url https://<remote-host-or-domain> --provider-evidence sanitized-provider-evidenc... | legacy-individual-evidence-path |
| id | step |
|---|---|
| build-signed-images | build signed images |
| generate-remote-env | generate remote private-beta env on the host |
| copy-compose-bundle | copy compose bundle to host without local secret values |
| provision-network | provision private network |
| restore-postgres | restore or initialize Postgres volume |
| enable-https | enable HTTPS ingress |
| verify-remote-dashboard | run local:production-hosting:v13 against the remote dashboard URL after owner authorization |
Operations
Framework mutations emit B8Grid Data invalidations and patch this region without returning a full document.
Operator readiness
b8grid-cloud-control-operator-wave-v7rawCredentialsInOutput: falseShell in dashboardfalse
Destructive opsfalse
Local onlytrue
Public internetfalse
| id | label | state | executionMode | command | detail |
|---|---|---|---|---|---|
| database.migrationStatus | Migration check | ready | local-proof-command | corepack pnpm --silent local:ops:migrations:status --json | Records that the local migration gate has been requested from the dashboard. |
| database.backupDrill | Backup drill | ready | local-proof-command | corepack pnpm --silent local:ops:backup --json | Records that the backup/restore drill should be run from the local operator workbench. |
| database.createGrant | Create DB grant | service-backed | service-backed | cloud.dashboard.databaseCreateGrant | Creates a Cloud Trust grant for Postgres access without returning a raw connection string. |
| database.revokeGrant | Revoke DB grant | service-backed | service-backed | cloud.dashboard.databaseRevokeGrant | Revokes an existing Cloud Trust grant and records a grant.revoke audit event. |
| auth.viewSessions | View sessions | ready | framework-data-backed | cloud.dashboard.auth.sessions | Shows session/device evidence as redacted metadata and never returns raw session tokens. |
| auth.switchAdmissionMode | Switch admission | ready | framework-data-backed | cloud.dashboard.auth.admission | Switches the removable signup admission gate between allowlist and open modes. |
| auth.runPrivateBetaV9 | Auth private beta V9 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v9 --json | Runs b8grid-local-auth-private-beta-v9 for the complete local private-beta auth readiness contract. |
| auth.runPrivateBetaV11 | Auth private beta V11 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v11 --json | Runs b8grid-local-auth-private-beta-v11 for email OTP, local auth hardening, abuse evidence, and token-free private-beta auth completion. |
| auth.runPrivateBetaV12 | Auth private beta V12 | ready | local-proof-command | corepack pnpm --silent local:auth-private-beta:v12 --json | Runs b8grid-local-auth-private-beta-v12 for password reset, MFA/passkey/session/device status, abuse limits, email relay, and leak-scan evidence. |
| auth.runHostedProviderLiveDrillV16 | Hosted provider live drill V16 | evidence-required | owner-supplied-live-evidence | corepack pnpm --silent local:hosted-provider-live-drill:v16 -- --public-url https://<beta-domain> --evidence <sanitized-provider-evidence.json> --json | Template: corepack pnpm --silent local:hosted-provider-live-drill:v16 -- --template --public-url https://<beta-domain> > sanitized-provider-evidence.json. Dr... |
| auth.runHardening | Auth hardening | ready | local-proof-command | corepack pnpm --silent local:auth-hardening:v4 --json | Runs the private-beta auth hardening proof for MFA, reset, lockout, and abuse evidence. |
| runtime.runCompletionV11 | Runtime V11 completion | ready | local-proof-command | corepack pnpm --silent local:runtime:v11 --json | Runs b8grid-local-docker-private-beta-runtime-v11 for the local Docker private-beta runtime completion contract. |
| provider.runIndependenceV11 | Provider independence V11 | ready | local-proof-command | corepack pnpm --silent local:provider-independence:v11 --json | Runs b8grid-local-provider-independence-v11 for provider-independent local production posture, including network, trust, observability, and security contracts. |
| network.runIsolationProof | Network proof | ready | local-proof-command | corepack pnpm --silent local:cluster:v2 --json | Runs public/control/source/data/ops network isolation proof with Postgres private. |
| trust.runSecuritySpine | Trust spine | ready | local-proof-command | corepack pnpm --silent local:security-spine:v4 --json | Runs local CA, service cert, mTLS, KMS envelope, grant, and redaction proof. |
| ops.runObservability | Ops proof | ready | local-proof-command | corepack pnpm --silent local:ops-observability:v4 -- --mode offline --json | Runs logs, metrics, traces, audit search, health timeline, incident, and restore evidence. |
| ops.runObservabilityV5 | Ops observability V5 | ready | local-proof-command | corepack pnpm --silent local:ops-observability:v5 -- --mode offline --json | Runs b8grid-local-ops-observability-v5 for audit search, health timeline, alert rules, incident snapshots, and sanitized artifact scans. |
| ops.runRecoveryV5 | Ops recovery V5 | ready | local-proof-command | corepack pnpm --silent local:ops-recovery:v5 -- --mode offline --json | Runs b8grid-local-ops-recovery-v5 for restore history, recovery runbook, upgrade/rollback evidence, and sanitized artifact scans. |
| security.runWorkbench | Security workbench | ready | local-proof-command | corepack pnpm --silent local:security-workbench:v6 --json | Runs the local security workbench gate for dependencies, auth abuse, isolation, and secret leaks. |
| security.runWorkbenchV7 | Security workbench V7 | ready | local-proof-command | corepack pnpm --silent local:security-workbench:v7 --json | Runs b8grid-local-security-workbench-v7 with Auth V12 attack-path mapping and proof-output leak scanning. |
| sourceGraph.runPrivateBetaV10 | Source Graph V10 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v10 --json | Emits b8grid-local-source-graph-private-beta-v10 by proving auth-session exchange, real /source app rendering, metadata-safe query output, and customizable U... |
| sourceGraph.runPrivateBetaV12 | Source Graph V12 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v12 --json | Emits b8grid-local-source-graph-private-beta-v12 for project/repository/workspace/review/readiness UX, metadata-safe APIs, and future-customizable UI slots. |
| sourceGraph.runPrivateBetaV27 | Source Graph first-friend V27 | ready | local-proof-command | corepack pnpm --silent local:source-graph-private-beta:v27 --json | Emits b8grid-local-source-graph-private-beta-v27 for allowlist, signup/login, signed CLI installer, CLI session exchange, project bootstrap, commit/push, UI ... |
| sourceGraph.runAuthUxV28 | Source Graph auth UX V28 | ready | local-proof-command | corepack pnpm --silent local:source-graph-auth-ux:v28 --json | Emits b8grid-local-source-graph-auth-ux-v28 for password credential setup, password login, password reset consume, passkey registration/authentication, devic... |
| sourceGraph.runCliBrowserLoginV29 | Source Graph CLI browser login V29 | ready | local-proof-command | corepack pnpm --silent local:source-graph-cli-browser-login:v29 --json | Emits source-graph-cli-browser-login-v29 for challenge start, browser sign-in approval, shared signed Auth Control cookie, CLI polling, and one-time scoped C... |
| sourceGraph.runFriendInstall003 | Source Graph friend install v0.0.3 | ready | local-proof-command | corepack pnpm --silent local:source-graph-friend-install:v0.0.3 --json | Emits source-graph-friend-install-smoke-v0.0.3 by proving the public manifest, PowerShell installer, shell installer, and detached signature download without... |
| sourceGraph.runFriendInstallExecution003 | Source Graph install execution v0.0.3 | ready | local-proof-command | corepack pnpm --silent local:source-graph-friend-install-execution:v0.0.3 --json | Emits source-graph-friend-install-execution-v0.0.3 by executing the public PowerShell installer into an isolated temporary directory, verifying the installed... |
| platform.completionV9 | Platform V9 completion | ready | local-proof-command | corepack pnpm --silent local:platform:v9 --json | Emits b8grid-local-platform-completion-v9 by aggregating local runtime, dashboard, auth, provider-independence, and backup/restore evidence without claiming ... |
| platform.completionV10 | Platform V10 completion | ready | local-proof-command | corepack pnpm --silent local:platform:v10 --json | Emits b8grid-local-platform-completion-v10 by adding the real Source Graph private-beta app/auth/UI contract to the V9 local platform proof. |
| platform.completionV11 | Platform V11 completion | ready | local-proof-command | corepack pnpm --silent local:platform:v11 --json | Emits b8grid-local-platform-completion-v11 by aggregating V11 runtime, auth, provider-independence, Source Graph, and dashboard operator evidence while prese... |
| platform.runProductionPrivateBetaV12 | Production private beta V12 | ready | local-proof-command | corepack pnpm --silent local:production-private-beta:v12 --json | Emits b8grid-local-production-private-beta-v12 by aggregating runtime, Auth V12, Security V7, provider independence, Ops V5, Source Graph V12, and dashboard ... |
| platform.runProductionHostingV13 | Production hosting V13 | ready | local-proof-command | corepack pnpm --silent local:production-hosting:v13 --json | Emits b8grid-local-production-hosting-v13 for provider-independent hosting readiness, including remote host handoff, provider credential preflight, egress de... |
| createdAt | action | status | ready | actorId | projectId | command | summary |
|---|---|---|---|---|---|---|---|
No operator runs yet. | |||||||
| createdAt | action | actorId | projectId | summary |
|---|---|---|---|---|
No dashboard actions yet. | ||||
| createdAt | operation | actorId | projectId | secretName |
|---|---|---|---|---|
No audit events yet. | ||||