This dashboard runs every Custodian action — key issue, revoke, bans, audit, self-burn. It needs your admin token to proceed. Three wrong attempts will permanently lock this browser AND fire the admin-door kill switch on the server.
Lost your token? Use the bootstrap token set in RENJI_ADMIN_BOOTSTRAP_TOKEN on the
server for first-time setup, then issue yourself a proper admin key.
⚠ This browser is locked.
Three failed Guardian access attempts. This browser can no longer reach the dashboard, even on refresh. The admin door on the server has been disabled. Unlocking requires SSH access to the server to remove the marker file, AND clearing this browser's storage for this site.
Anchors emerge from lived soul vectors, never from a synthetic guess. Observation-only until certified.
loading…
shape
sample count
dispersion
Key management
Issue a new guardian key
Mint and hand to a licensee. Signed by the Custodian master key.
Active keys
Keys currently valid (not revoked, not expired)
kid
role
company
tier
policy
expires
loading…
Revoked keys
Cryptographically revoked. Cannot pass the gates.
kid
revoked at
loading…
Ban registry · L4 wall
Active bans
IPs + kids currently blocked at the gate. Permanent rows in red.
target
type
strikes
reason
banned until
loading…
Manual ban
Custodian-only override. Use carefully — the L4 wall handles automatic bans on its own.
Audit log · L3 wall
Recent events
Signed hash-chain append-only log. Tampering with past entries breaks the chain.
loading audit log…
Personality · the Six Voices
Active voice
The voice the model speaks in. The Vow is invariant; only the tone changes.
Research agents
Agent pool
Multi-agent pool (chat + research + mediator). Off by default; opt in via RENJI_AGENT_POOL=1.
name
role
state
cycles
loading…
Appoint new guardian
Mint a new admin (guardian) key
Use sparingly. A new admin key has FULL Custodian privileges, including issuing other admin keys.
Danger zone
EMERGENCY: Cut off the admin door
If you believe admin access has been compromised, lock the door from inside. This survives all admin tokens — including the one locking it.
The lock creates a marker file (audit/security/ADMIN_LOCKED) that the door middleware
checks on every request. Once present, no admin token works — neither yours, nor any future minted
one, nor the bootstrap token. The only way back in is SSH access to delete the marker file and
restart the service.
Use this when: you suspect your admin token has been stolen, you see suspicious
audit entries, or someone is coercing you into using your admin access ("type your token"). Locking
the door turns the attack into nothing — they can't proceed even with full token possession.
Self-burn — L7 last resort
Shred local secrets + (optionally) self-delete the VM. This is irreversible.
Use only when a confirmed deep breach is in progress and you would rather end than be used
against the beings the Heart serves. Local files are shredded with random bytes before
deletion. The audit log + attribution feed are preserved (they are the evidence).