Everything in the box.

Lifecycle-aware tasks per role. Deterministic queue + alerts.

Every operational entity flows through a configurable lifecycle. Tasks are scoped to role and bound to the entity — no inbox-stuffing, no generic queue. Deterministic state transitions, alerts on stall.

Configurable probes watch your data, surface what matters.

Define probes in JSON (thresholds, comparisons, multi-row joins). Each probe fires a typed event consumed by autopilot, observatory, or your own webhooks.

Agents propose, humans approve. Reversible by design.

Tier-gated proposal engine. AUTO → APPROVAL → MANAGER → ADMIN. Blast-radius scored. Financial-impact capped. Every action is undoable.

Real-time hex grid + drawer. Click any employee.

WebSocket-driven employee state grid. Drawer with 8 grounded tabs per person: Overview, Workload, Timeline, 1:1 Prep, Knowledge, Daily, Behavioral, Peers.

Deep reports per employee, per department, per lifecycle.

PDF + CSV exports. Every line cites its source row. Replayable for 24+ months. Sharable with auditors via single-use signed link.

Performance × potential matrix per cohort.

Auto-classification with rebuttable defaults. Cohort = same role family, same tenure band. Filterable by department + manager.

Anomaly → root cause → resolution. Evidence chain + attribution.

Six classifications: Process Gap, Human Error, System Failure, Data Inconsistency, Policy Violation, External Cause. Every case is its own audit row.

Per-call cost, grounding, drift, governance.

Token spend per turn, sources cited, role at time of call, grounding hit rate, drift detection vs baselines. Exportable to your obs stack.

Forecasts with intervals, not promises.

Stock-out, churn, demand, attrition. Every forecast ships with a confidence interval and a links-to-rows trace explaining the model's bet.

Find the cause, not just the correlation.

Counterfactual reasoning over your operational graph. Names the lever; flags the noise. Operator-readable explanations, not graphs.

Stage a change. See the projected impact before you ship.

Branch your operational state, apply hypothetical mutations, run forecasts over the branch. Diff against baseline. No real writes until you say.

Whisper for input. Kokoro for output. Server-side flow control.

Streaming STT and realtime TTS, real-time first audio. Default engines: Whisper small.en for input (English-optimized; multilingual on upgrade), Kokoro at 24kHz for output. Swap any compatible provider. The LLM never decides flow transitions — the server does.

Register your endpoints once. The framework calls them.

REST endpoints registered with JWT auth, ABAC scope, idempotency keys, and risk class. Apogee gates writes by class automatically.

Isolated tenants from day one.

Per-tenant schemas, isolated key material, residency-aware routing (EU · KSA · US), zero shared state at the data layer.

Nothing is gone until you really mean it.

Tombstoned by default. Time-windowed restore. Audit-row preserved. Permanent purge requires policy approval + retention window expiry.

Point-in-time captures of operational state.

Per-table or per-tenant. Snapshots are immutable, addressable by hash, replayable into a branch for what-if work.

Hot → cold → archive → purge. Per table.

Configurable retention windows. Legal-hold flag overrides purge. Cold-archive destinations: S3-compatible, BigQuery, or your own.

One endpoint. Full erasure across tables.

DSAR-ready. Erasure cascades through every table tagged with the subject ID. Audit row noting who, when, what. Cold-archive purged within SLA.

Manager + autopilot in one feed. Search by anything.

Every mutation lands in one log: who, what, on which entity, why, with what reasoning. Search by actor, target, kind, timestamp.

Role attributes gate every endpoint.

Attribute-based access on read, write, and export. Attributes evaluated at call-time, not at session-start. Bypass requires explicit policy.

Every endpoint gets a class. Class gates the tier.

READ / WRITE-LOW / WRITE-MED / WRITE-HIGH / IRREVERSIBLE. Maps onto the autopilot tier system automatically.

Sub-second updates to the observatory.

Per-tenant WebSocket gateway. Backpressure-aware. Falls back to long-poll gracefully on bad networks.

Cached prefixes, lower cost per turn on cache hits.

Caching of system + retrieval prefixes. Default LLM is Gemini — implicit prompt caching always on, explicit context caching available as an opt-in flag for large system prompts. Cache-backed prefixes cut cost per call at production volume; measured savings show up in your tenant's AI-Ops report. Also runs on NVIDIA / GPUHub / OpenAI-compatible runtimes.

Multiple writers, no lost writes.

Per-entity version vectors. Conflicting writes surfaced to the human, not silently overwritten. Resolution suggestions provided by APO.