LogicOS

Operator Guide & Systems Map
LogicOS → Flow → PuddleJumper / VAULT

Use Flow first

Open Flow for active work, blockers, deadlines, and thread detail. Use PuddleJumper when the action becomes governed. Use VAULT when you need proof and policy records.

01 Open Flow

Start with current work, blockers, deadlines, and selected-thread detail.

02 Handle the work

Pick a thread, clear dependencies, and watch compliance dates.

03 Route later

Use PuddleJumper for governed action and VAULT for policy or proof only when needed.

Quick Start

Use this order: Flow for work, PuddleJumper for governed action, VAULT for proof.

1 Sign In

Open Flow directly, or sign in first if you need an authenticated surface.

2 Start Screen

Open the workbench and select the thread that needs action now.

3 Operate

Use Flow until the work is ready to route or govern.

4 Connectors

Use connector pages when you need route details or integration behavior.

5 Govern Intake

Use the municipal track when you need intake, records, approvals, or publication flow.

6 Monitor

Use Flow for status and deadlines. Use audit surfaces only when you need evidence.

Local development

# From monorepo root
pnpm install
cd apps/puddlejumper

# Minimum env vars (JWT_SECRET must be at least 32 characters, see Key Environment Variables)
export JWT_SECRET="$(openssl rand -hex 32)"
export AUTH_ISSUER=puddle-jumper
export AUTH_AUDIENCE=puddle-jumper-api

# Start
npx tsx src/api/server.ts
# → http://localhost:3002/v1/health

Best place to work

Start in Flow. Move to PuddleJumper only when the work becomes governed or connector-specific.

Deploy to Fly.io

# From monorepo root (/n8drive)
flyctl deploy -a publiclogic-puddlejumper

Systems Map

Clients
    LogicOS (Cloudflare Pages)
    PJ Operations UI
    Public Form Endpoint
    Webhook / API Consumer
↕ HTTPS · Session Cookie · CSRF header
PuddleJumper (Express on Fly.io)
    Auth & OAuth
    Forms API
    LOGICBRIDGE API
    SEAL API
    Archival API
    Syncronate API
    VAULT Routes
    CaseSpace Routes
    Connector Routes
    Admin Routes
    PRR Routes
    AXIS (AI) Routes
↕ In-process module calls
Backend Modules (Boot Order)
    1 · KMS Client
    2 · Archival
    3 · VAULT
    4 · SEAL
    5 · Template Library
    6 · AXIS
    7 · Forms
    8 · LOGICBRIDGE
    9 · SYNCHRON8
    10 · CaseSpace Factory
    11 · Syncronate
↕ SQLite WAL on Fly.io persistent volume
Data Stores
    formkey.db (intake records, consent, form definitions)
    archieve.db + WAL queue (event chain)
    logicbridge.db (connector registry, handler code)
    vault.db (documents, versions, governance envelopes)
    seal.db (key registry, ESK versions)
    syncronate.db (feeds, jobs, run history)
    prr.db · oauth_state.db · rate-limit.db
↕ OAuth / API calls
External Providers
    GitHub
    Microsoft 365
    Google Workspace
    OpenAI / Anthropic (AXIS)
    TSA (RFC 3161 notarization)

Monorepo structure

n8drive/
├── packages/core/           @publiclogic/core — JWT auth, middleware, CSRF
├── packages/vault/          @publiclogic/vault — Vault policy provider
├── apps/logic-commons/      @publiclogic/logic-commons — OAuth, session, audit
└── apps/puddlejumper/
    ├── public/              guide.html, admin.html, CSS, workspace
    └── src/
        ├── api/
        │   ├── server.ts    Boot sequence + all route wiring
        │   └── routes/      auth, vault, logicbridge, seal,
        │                    archieve, syncronate, casespace, connectors,
        │                    admin, prr, access, axis, governance
        ├── formkey/         Forms intake · consent · output
        ├── logicbridge/     Registry · Publisher · Sandbox runner
        ├── seal/            ECDSA-P256 sign / verify
        ├── archieve/        Event chain · Notarizations · Export
        ├── syncronate/      Feed definitions · Job scheduler
        ├── axis/            AI provider credential resolver
        └── casespace/       Factory · Environment provisioning

Forms — Intake & Output

Every governed form submission now runs through the Forms layer inside the Docs / Vault workspace. Two paths:

| Path | Steps |
|---|---|
| Intake | Schema validate → Consent check → SEAL stamp → VAULT write → archival event |
| Output / Render | SEAL verify → Field binding resolution → JSON output (HTML template library in future) |
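The stamp-then-verify ordering of the two paths, as an added example that is not PuddleJumper code. The token shape, the canonical serialization and the names `sealStamp`, `sealVerify` and `renderRecord` are assumptions; only the use of ECDSA P-256 comes from this page.

```typescript
// Added example, not PuddleJumper code. The token shape and the names sealStamp,
// sealVerify and renderRecord are hypothetical; only ECDSA P-256 comes from the page.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

interface SealToken { alg: "ECDSA-P256-SHA256"; keyVersion: number; signature: string }
type Fields = { [name: string]: string };

// Sort keys so the signer and the verifier hash byte-identical input.
function canonical(record: Fields): string {
  return JSON.stringify(Object.keys(record).sort().map((k) => [k, record[k]]));
}

// Intake path: stamp the validated, consented record before it is written to VAULT.
function sealStamp(record: Fields, privateKey: KeyObject, keyVersion: number): SealToken {
  const signature = createSign("SHA256").update(canonical(record)).sign(privateKey, "base64");
  return { alg: "ECDSA-P256-SHA256", keyVersion, signature };
}

function sealVerify(record: Fields, token: SealToken, keys: Map<number, KeyObject>): boolean {
  const key = keys.get(token.keyVersion);
  // Unknown key version or unexpected algorithm label: fail closed.
  if (key === undefined || token.alg !== "ECDSA-P256-SHA256") return false;
  try {
    return createVerify("SHA256").update(canonical(record)).verify(key, token.signature, "base64");
  } catch {
    return false; // malformed signature bytes
  }
}

// Output path: verify first, resolve field bindings only for a record that verified.
function renderRecord(record: Fields, token: SealToken, keys: Map<number, KeyObject>,
                      bindings: Fields): Fields {
  if (!sealVerify(record, token, keys)) throw new Error("SEAL verification failed");
  const out: Fields = {};
  for (const name of Object.keys(bindings)) out[name] = record[bindings[name]] ?? "";
  return out;
}

// Constructed sample: a throwaway key pair registered as key version 1.
const pair = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const sealKeys = new Map<number, KeyObject>([[1, pair.publicKey]]);
const intake: Fields = { applicant: "Jane Doe", permit: "sign-variance" };
const intakeSeal = sealStamp(intake, pair.privateKey, 1);
const tampered: Fields = { ...intake, permit: "demolition" };
console.log(sealVerify(intake, intakeSeal, sealKeys), sealVerify(tampered, intakeSeal, sealKeys));
```

Keeping the key version inside the token lets records stamped before a key rotation still verify against the older public key.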

Forms API

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/vault/forms | bearer | List FormDefinitions |
| POST | /api/vault/forms | bearer | Create draft |
| POST | /api/vault/forms/:id/publish | admin | Publish (5-step pipeline) |
| POST | /v1/forms/:id/submit | public | Submit intake (rate limited) |
| POST | /v1/forms/:id/consent | public | Grant consent |
| GET | /api/vault/forms/:id/render/:recordId | bearer | Render VAULT record as form output |
| GET | /api/vault/forms/:id/submissions | bearer | List intake records |

API Reference

Authentication

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/auth/github/login | public | GitHub OAuth redirect |
| GET | /api/auth/google/login | public | Google OAuth redirect |
| GET | /api/auth/microsoft/login | public | Microsoft OAuth redirect |
| GET | /api/auth/status | public | Current auth state |
| POST | /api/refresh | cookie | Rotate refresh token |
| GET | /api/identity | bearer | Current user identity |
| POST | /api/auth/logout | cookie | Revoke session |

SEAL

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/seal/verify | bearer | Verify SealToken against artifact |
| GET | /api/seal/public-key | public | Tenant public key PEM |
| GET | /api/seal/keys | bearer | List ESK versions |
| POST | /api/seal/rotate | admin | Rotate signing key |

Archival

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/archieve/events | bearer | Paginated event stream |
| GET | /api/archieve/events/:id | bearer | Single event |
| POST | /api/archieve/verify | bearer | Chain integrity verification |
| GET | /api/archieve/export | bearer | Download events (CSV/JSON) |

LOGICBRIDGE

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/logicbridge/connectors | bearer | List connectors |
| POST | /api/logicbridge/connectors | bearer | Create connector |
| POST | /api/logicbridge/connectors/:id/publish | bearer | Publish (SEAL sign) |
| POST | /api/logicbridge/explorer/request | bearer | API Explorer live request |

Health & Operations

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /v1/health | public | Full module health (all PJ modules) |
| GET | /health | public | Basic health check |
| GET | /ready | public | Readiness probe |
| GET | /api/admin/stats | admin | Admin dashboard stats |
| GET | /api/admin/audit/export | admin | Auth audit export |

Key Environment Variables

JWT_SECRET
    JWT signing key (≥32 chars, required)
AUTH_ISSUER / AUTH_AUDIENCE
    JWT iss / aud claims
GITHUB_CLIENT_ID / _SECRET
    GitHub OAuth app credentials
GOOGLE_CLIENT_ID / _SECRET
    Google OAuth credentials
MICROSOFT_CLIENT_ID / _SECRET
    Microsoft OAuth credentials
LOGICBRIDGE_HANDLER_DEK
    AES key for connector handler encryption at rest
FORMKEY_SUBMISSION_RATE_LIMIT
    Max intake submissions per IP/minute/form (default: 10)
FORMKEY_CONSENT_CACHE_TTL_MS
    Consent verification cache TTL ms (default: 60000)
OPENAI_API_KEY
    OpenAI provider for AXIS AI chat
ANTHROPIC_API_KEY
    Anthropic provider for AXIS AI chat
FRONTEND_URL
    LogicOS URL for CORS (required in production)
PORT
    Server port (default: 3002)
NODE_ENV
    production | development | test
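
A fail-closed startup check for the constraints in this list, as an added example that is not PuddleJumper code. `loadConfig`, treating an unset `NODE_ENV` as development, and the https-origin pattern for `FRONTEND_URL` are assumptions.

```typescript
// Added example, not PuddleJumper code: loadConfig and its messages are hypothetical.
type Env = Record<string, string | undefined>;
type NodeEnv = "production" | "development" | "test";

interface Config {
  jwtSecret: string; issuer: string; audience: string; nodeEnv: NodeEnv;
  port: number; frontendUrl?: string; submissionRateLimit: number; consentCacheTtlMs: number;
}

// Optional positive integer: a malformed value is an error, never a silent fallback.
function intVar(env: Env, name: string, fallback: number, errors: string[]): number {
  const raw = env[name];
  if (raw === undefined || raw === "") return fallback;
  if (!/^\d+$/.test(raw) || Number(raw) < 1) errors.push(`${name} must be a positive integer`);
  return Number(raw);
}

function loadConfig(env: Env): Config {
  const errors: string[] = [];
  // Assumption: an unset NODE_ENV means development, as in the local quick start.
  const nodeEnv = (env.NODE_ENV ?? "development") as NodeEnv;
  if (nodeEnv !== "production" && nodeEnv !== "development" && nodeEnv !== "test")
    errors.push("NODE_ENV must be production, development or test");

  const jwtSecret = env.JWT_SECRET ?? "";
  // Report only the length problem; never echo the secret itself.
  if (jwtSecret.length < 32) errors.push("JWT_SECRET must be at least 32 characters");
  const issuer = env.AUTH_ISSUER ?? "";
  const audience = env.AUTH_AUDIENCE ?? "";
  if (!issuer) errors.push("AUTH_ISSUER is required");
  if (!audience) errors.push("AUTH_AUDIENCE is required");

  const frontendUrl = env.FRONTEND_URL;
  if (nodeEnv === "production") {
    // Required per the list above; the single-https-origin pattern is added hardening.
    if (!frontendUrl) errors.push("FRONTEND_URL is required in production");
    else if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(frontendUrl))
      errors.push("FRONTEND_URL must be a single https origin");
  }
  const port = intVar(env, "PORT", 3002, errors);
  if (port > 65535) errors.push("PORT must be at most 65535");
  const submissionRateLimit = intVar(env, "FORMKEY_SUBMISSION_RATE_LIMIT", 10, errors);
  const consentCacheTtlMs = intVar(env, "FORMKEY_CONSENT_CACHE_TTL_MS", 60000, errors);

  // Collect every problem and refuse to start, rather than booting with weak settings.
  if (errors.length > 0) throw new Error("Invalid configuration: " + errors.join("; "));
  return { jwtSecret, issuer, audience, nodeEnv, port, frontendUrl, submissionRateLimit, consentCacheTtlMs };
}
```

At server start this would be called as `loadConfig(process.env)` before any route is wired.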