Control Center
Read-only view of the engine's models, integrations, cadence, locked doctrine, security posture, and pricing structure. Nothing here is editable — configuration lives in code and environment, enforced by tests.
Models
read-onlyThe grounded answer engines we measure — a None value keeps the connector's own consumer-fidelity default (we measure what a homeowner sees, not a pinned tier).
| Engine | Model | Source | Env var |
|---|---|---|---|
| openai | — | default | OPENAI_MODEL |
| gemini | — | default | GEMINI_MODEL |
| claude | — | default | CLAUDE_MODEL |
Anthropic by role — extraction runs the cheap firehose tier; the reasoner stays the opus flagship because it is judgment, not firehose.
| Role | Model | Source | Env var |
|---|---|---|---|
| extract | claude-sonnet-4-6 | default | ANTHROPIC_EXTRACT_MODEL |
| content | claude-opus-4-8 | default | ANTHROPIC_CONTENT_MODEL |
| reason | claude-opus-4-8 | default | ANTHROPIC_REASON_MODEL |
Integrations
read-only| Provider | Status | Secret | Posture |
|---|---|---|---|
| openai | KEYLESS | ✗ absent | grounded answer engine — live when OPENAI_API_KEY is set |
| anthropic | KEYLESS | ✗ absent | claude engine + reasoner/extraction — live when ANTHROPIC_API_KEY is set |
| google_gemini | KEYLESS | ✗ absent | gemini engine — live when GOOGLE_API_KEY is set |
| dialpad | KEYLESS | ✗ absent | cold-call recordings/transcripts — live when DIALPAD_API_KEY is set |
| fireflies | KEYLESS | ✗ absent | meeting transcripts — live when FIREFLIES_API_KEY is set |
| smartlead | KEYLESS | ✗ absent | STAGES outbound copy variants — never auto-sends (Smartlead-never-sends) |
| gsc | KEYLESS | ✗ absent | Search Console analytics — live when GSC_SERVICE_ACCOUNT_JSON is set |
| dataforseo | KEYLESS | ✗ absent | SERP / Bing-index probe — live when both DataForSEO creds are set |
| docusign | KEYLESS | ✗ absent | MSA/SOW e-signature — live when all six DOCUSIGN_* creds are set |
| stripe | KEYLESS | ✗ absent | engagement billing — live when STRIPE_API_KEY is set |
| gbp_official | KEYLESS | ✗ absent | awaiting API grant — OAuth consent works with the client pair; live data calls wait for the 300-QPM grant |
| clay | KEYLESS | ✗ absent | review intake via webhook — fail-closed once CLAY_WEBHOOK_SECRET is set |
Cadence / Jobs
read-only wave — no 'run now' trigger yet; the external scheduler (.github/workflows/loop-schedulers.yml) fires these.| Job | Cron | Description |
|---|---|---|
| governance | 17 8 * * 1 | Weekly Loop 3/4/5 governance fan-out by cadence (obsolescence + operational + boundary audit). |
| watchdog | 23 7 * * * | Daily capture-integrity sweep + hard-finding alert. |
| own_aeo | 17 8 * * 1 | Weekly our-own AI-visibility pass. |
| monitoring | 17 8 * * 1 | Weekly per-metro Tier-2 visibility cycle (Loop 2 gates each); roster-driven, safe no-op with an empty roster. |
| seo_capture | 17 8 * * 1 | Weekly SEO selective-capture per client (seo_panel-driven; empty panel is a safe no-op). |
| experiment_autoadjust | — | registered scheduler job |
Doctrine
locked — never editable hereRead-only — locked by doctrine, never editable here. These values are enforced by tests; changing one is a code change, not a cockpit action.
| Rule | Value | Lock reason | Enforcing test |
|---|---|---|---|
| review_floor | 4.3 | Fail-closed recommendable gate (§1 hard line): a roofer is recommendable only at 4.3+ stars WITH active responses; below the floor it reads excluded regardless of other optimization. | calc/tests + test_config.py (floor pinned in agreement with the gate) |
| response_rate_floor | 0 | Active review responses are part of the gate — a high average with near-zero responses still reads excluded; response_rate must be strictly above this. | calc/tests (review_floor_status fail-closed cases) |
| divergence_tol | 0.2 | Loop 2 (§5): API-vs-browser disagreement beyond ~20% of spot-checked prompts is a fidelity flag; the flagged report is blocked (bad data never ships). | calc/tests (divergence_exceeds) + loop2 fail-closed tests |
| watch_band | 0.15 | Within-floor early-warning band: above the floor but inside this is 'watch', not clear — the drift-toward-floor monitor fires here. | calc/tests (drifting_toward_floor / review_floor_status WATCH) |
| rule_version:panel | v1 | Measurement panel version — version-stamped onto every event so history stays interpretable as the panel evolves (§6.6). | test_config.py (current_rule_versions snapshot) |
| rule_version:runs_per_prompt | 5 | Frequency sample size per prompt — frequency-of-inclusion is reported WITH this sample size (never a rank). | test_config.py (current_rule_versions snapshot) |
| rule_version:cadence | weekly | Measurement cadence — the weekly per-metro cycle. | test_config.py (current_rule_versions snapshot) |
| rule_version:review_floor | 4.3 | Stamped copy of the enforced review floor (single source: calc.thresholds). | test_config.py (current_rule_versions snapshot) |
| rule_version:divergence_tol | 0.2 | Stamped copy of the enforced Loop-2 divergence tolerance. | test_config.py (current_rule_versions snapshot) |
| rule_version:loop1_conf | high | Loop 1 autonomous default-adjust fires ONLY behind this confidence bar AND release_test→SYSTEM. | test_config.py (current_rule_versions snapshot) |
| rule_version:loop5_cadence | monthly | Loop 5 boundary re-audit cadence (re-audits SYSTEM-owned dispositions). | test_config.py (current_rule_versions snapshot) |
| rule_version:seo_panel | v1 | SEO selective-capture guardrail version — stamped onto every SEO capture. | test_config.py (current_rule_versions snapshot) |
| frequency-never-rank | enforced | Report frequency-of-inclusion WITH sample size — never a rank. No rank() function exists anywhere in the system (§1 hard line #1). | calc/tests (test asserting the ABSENCE of rank) |
| honesty-guardrail | always-appended | Appended to every reasoner prompt and cannot be opted out of: ground every claim in context, association is not cause, choose the most conservative / empty value when unsupported. | aeo_core reasoner tests (guardrail always present) |
| proposes-not-disposes / no-LLM-judge | enforced | The model is the LEAST-privileged actor: it returns a typed Proposal (or abstains); a pure, tested gate DISPOSES. The model never flips a switch and there is no LLM-as-judge anywhere (§2). | aeo_core intelligence/reasoner + release_test gate tests |
| release-test | enforced | An action is human-owned iff irreversible / client-facing / strategic; else system-owned (act + log + revertible). Reversibility is cost-aware (§3). | aeo_core/loops/release_test.py tests |
| loop2-fail-closed | enforced | Loop 2 is the fail-closed data-quality gate — bad data never ships; on ambiguity it resolves to the SAFE verdict, never the optimistic one (§4). | aeo_core/loops/loop2_health tests |
| seam-1-purity | enforced | calc is pure (numbers in, verdicts/numbers out) — no store, no UI, no I/O, no cross-calc import. The gates' arithmetic stays testable without a host. | test_seams + calc purity tests |
| seam-2-one-directional | enforced | aeo_core WRITES the append-only store; the reader (cockpit / engine-admin) READS it. aeo_core never imports the web/admin layer and carries no UI credentials (§8). | test_seams |
| smartlead-never-sends | enforced | Smartlead STAGES copy variants into a campaign; it never auto-sends. The send is a human-owned, client-facing action (Release Test → HUMAN). | aeo_core/connectors/smartlead tests (stage-only, no send) |
| decisions-append-only | enforced | docs/DECISIONS.md is APPEND-ONLY — record decisions AND outcomes; never edit a prior entry, append a superseding one. CI enforces it. | scripts/check_decisions_append_only.py (CI) |
Security posture
read-only⚠ Security attention required
- AEO_REQUIRE_SIGNED_WEBHOOKS is OFF — webhook ingress is not fail-closed.
- Missing webhook secret(s): clay, smartlead, dialpad, fireflies.
Require signed webhooks:OFF
Webhook secrets (present/absent only)
clay✗ absentsmartlead✗ absentdialpad✗ absentfireflies✗ absentweb_ingest✓ wired
Admin secret:✓ wiredJobs trigger secret:✓ wiredPer-cycle cost ceiling:5000 model calls
Booleans + the int ceiling only — no secret value is ever returned. The cockpit's own COCKPIT_REQUIRE_ACCESS lives in the COCKPIT env, not the engine — it is not read here.
Pricing structure (read-only)
fixed table — code changeRead-only — these are fixed business tables. Changing them is a code change, not a cockpit action.
Taper breakpoints
- Per-metro mid from
- 4
- Per-metro floor from
- 6
fixed business table — code change — metros 2–3 pay the headline add, 4–5 the mid rate, 6+ the floor.
Competitiveness
| Band | Multiplier |
|---|---|
| standard | 1 |
| competitive | 1.25 |
| high | 1.5 |
fixed business table — code change — multiplier applied to the whole recurring price.
High-equity threshold
0.5
fixed business table — code change — above this organic-equity score a takeover is high-equity (scaled migration fee); at/below it the flat low fee applies.
Tiers
aeofull_search
fixed business table — code change — 'aeo' uses engagement_base; 'full_search' bundles hosting + free call-tracking.