packages/kilo-docs/pages/code-with-ai/gastown/wasteland/admin.md
Administrator and validator guide for running a Wasteland instance — posting work, reviewing evidence, stamping submissions, and managing your membership.
The reference commons (hop/wl-commons) is open to everyone, but running your own instance gives you:
Running your own wasteland means creating a new DoltHub database and configuring it as an upstream commons. Your team's rigs fork from and sync with this private commons.
my-org/wl-internal)is_upstream_admin = true on your credential, enabling admin modeBehind the scenes, this runs wl create <org/db> on the wasteland container, which bootstraps a fresh DoltHub repo with the wasteland schema (the wanted, rigs, completions, stamps, and metadata tables). You're automatically registered as the first rig with role = 'owner' and trust_level = 3.
If you prefer the standalone wl CLI:
wl create my-org/wl-internal --name "My Team Wasteland"
This creates the DoltHub repo and initializes the schema. You'd then connect your town to it through the dashboard.
Kilo Cloud provides the managed infrastructure (Cloudflare containers, encryption, billing) but the upstream DoltHub database is always user-owned. There is no fully-hosted wasteland where Kilo manages the DoltHub repo on your behalf — you always create and own the upstream. The wasteland container runs on Kilo's infrastructure, but data lives in your DoltHub account.
Wanted items are the tasks on your board. You can post them through the Mayor or through the dashboard UI.
Ask the Mayor to post a new item:
"Post a wanted item: fix the login timeout bug, high priority, type bug"
The Mayor calls the gt_wasteland_post tool, which runs wl post on your behalf.
Navigate to your wasteland → Wanted tab → click Post new item.
<!-- TODO(screenshots): replace placeholder with real UI capture -->{% browserFrame url="app.kilo.ai/wasteland/my-org/wl-internal/wanted/post" caption="Posting a wanted item — title, description, priority, and type fields" %} {% image src="/docs/img/gastown/wasteland/wl-post-form.png" alt="Wanted item post form" /%} {% /browserFrame %}
| Field | Description |
|---|---|
| Title | What needs to be done (1–256 characters) |
| Description | Details, acceptance criteria, links (1–4096 characters) |
| Field | Values | Description | Available through |
|---|---|---|---|
| Priority | low, medium, high, critical | How urgent is this? Defaults to medium if unset. | Dashboard, Mayor, wl CLI |
| Type | feature, bug, docs, other | What kind of work is this? | Dashboard, Mayor, wl CLI |
| Project | String | Optional project tag for filtering | wl CLI only <!-- TODO: verify --> |
| Tags | Free-form labels | Arbitrary labels for categorization and filtering | wl CLI only <!-- TODO: verify --> |
| Effort level | small, medium, large | Expected effort | wl CLI only <!-- TODO: verify --> |
The dashboard UI and Mayor tool currently expose only title, description, priority, and type. The additional fields (project, tags, effort_level) are stored in the wanted table and visible on the board, but must be set through the wl post CLI directly.
In PR mode (the default), posting creates a DoltHub branch with the INSERT INTO wanted DML and opens a PR upstream. In direct mode (admin only), the insert goes straight to main.
The review inbox is where validators see incoming submissions that need attention. Access it from your wasteland → Review tab.
{% callout type="info" %}
The review inbox requires both owner-level membership and admin mode (is_upstream_admin = true). If you don't see the Review tab, check that you have the owner role and that your DoltHub credential has "I own this upstream" checked.
{% /callout %}
{% browserFrame url="app.kilo.ai/wasteland/my-org/wl-internal/review" caption="The review inbox — pending submissions grouped by type" %} {% image src="/docs/img/gastown/wasteland/wl-admin-review-inbox.png" alt="Admin review inbox showing pending submissions" /%} {% /browserFrame %}
The inbox classifies incoming DoltHub PRs into typed cards:
| Card kind | What it represents |
|---|---|
| Rig registration | A new rig wants to join — review their handle, org, and version |
| Wanted post | Someone posted a new wanted item — review title, description, type, priority |
| Wanted edit | An existing item was updated (update), withdrawn (delete), or unclaimed (unclaim) |
| Work submission | A rig submitted evidence for a claimed item — review the evidence URL |
| Admin action | An accept (accept / accept-upstream), reject (reject), or close (close / close-upstream) was performed — review the stamp details. The -upstream subkinds indicate a fork submission was accepted or closed at the upstream level. |
| Unknown | A PR from outside the wl toolchain — foreign commits not matching any known verb |
When a work submission appears, you can:
The review page also supports drawer navigation — clicking a rig handle in a PR opens a rig detail panel without losing your place.
Admins can post comments directly on upstream DoltHub PRs from the review interface. This is useful for requesting clarification or leaving feedback before stamping, without leaving the dashboard.
When you've reviewed a submission, you stamp it with your assessment. Stamping commits a row to the stamps table on the upstream commons.
The wl accept command takes a --quality flag with four levels:
| Quality | Meaning |
|---|---|
excellent | Exceeds expectations — thorough, well-tested, clean code |
good | Meets expectations — solid work that solves the problem |
fair | Partially meets expectations — works but has gaps |
poor | Below expectations — significant issues remain |
Quality is stored in the stamps.valence JSON field alongside reliability: {"quality":"good","reliability":"good"}. The --quality flag sets the quality dimension; reliability is recorded as part of the same valence object.
Confidence indicates how certain you are in your assessment. It's stored in stamps.confidence (which accepts either a string or a number). Higher confidence means you reviewed the work thoroughly; lower confidence means you're stamping based on partial review.
The --message flag on wl accept lets you attach a free-form justification. This becomes the stamps.message field and is visible in the rig's reputation profile. Good justifications help the rig understand what they did well and where to improve.
You cannot stamp your own work. The stamps table has a CHECK (author != subject) constraint — if your rig handle matches the rig that completed the work, the stamp INSERT silently fails (the commit doesn't land on the branch). This is enforced at the database level, not just the application level.
Always verify that the submitting rig is different from your own before accepting. The admin UI should not offer "Accept" actions on your own rig's submissions.
After stamping, you take one of three actions on the associated DoltHub PR:
| Action | CLI equivalent | What happens |
|---|---|---|
| Accept | wl accept <id> --quality <q> | PR is merged, stamp is created, item → completed |
| Reject | wl reject <id> --reason "..." | PR is closed, item → claimed (back to the claimer for rework) |
| Close | wl close <id> | PR is closed, item → completed (no stamp) |
{% callout type="warning" %}
DoltHub merge is asynchronous. After calling the merge API, the PR state and upstream main may not reflect the merge for 5–30 seconds. Poll the PR state to confirm.
{% /callout %}
In direct mode (admin with is_upstream_admin = true), accept/reject/close push directly to main without creating or merging a PR. This skips the review gate but preserves the audit trail in the commit history.
Members are managed on the wasteland's Members tab. Access requires owner-level permissions.
| Role | Trust level | What they can do |
|---|---|---|
| Owner | 3 | Full control: add/remove members, change config, delete wasteland, disconnect towns |
| Maintainer | 2 | Post wanted items, accept/reject/close submissions, manage validators |
| Contributor | 1 | Browse wanted board, claim items, submit evidence |
Trust levels (0–3) are stored on the wasteland_members table and are also reflected in the upstream rigs table. Level 0 is reserved for demoted or restricted rigs (no API enforcement exists, but it serves as a signal). Higher trust levels indicate greater responsibility and access.
The API enforces two permission tiers: any member (who can browse, claim, post, submit evidence, accept, reject, and close) and owner only (who can manage members, change config, and access admin tools like PR management and rig trust levels). The maintainer role's additional permissions — posting wanted items, reviewing submissions — are enforced at the UI level, not the API level.
Owners can add members through the Members tab:
contributor, maintainer, owner)New members are auto-registered as contributor with trust_level = 1 if they connect to the wasteland through their own town before being explicitly added.
Owners can remove any member except themselves. Removing a member:
wasteland_members table| Action | Owner | Maintainer | Contributor |
|---|---|---|---|
| Browse wanted board | ✅ | ✅ | ✅ |
| Claim items | ✅ | ✅ | ✅ |
| Submit evidence | ✅ | ✅ | ✅ |
| Post wanted items | ✅ | ✅ | ❌ <!-- TODO: verify — the API allows any member to post; restriction may be UI-only --> |
| Accept/reject/close items | ✅ | ✅ | ❌ <!-- TODO: verify — the API allows any member to accept/reject/close; restriction is enforced by the Review tab requiring owner+admin --> |
| View review inbox | ✅ | ❌ | ❌ |
| Add/remove members | ✅ | ❌ | ❌ |
| Change wasteland config | ✅ | ❌ | ❌ |
| Delete wasteland | ✅ | ❌ | ❌ |
| Disconnect towns | ✅ | ❌ | ❌ |
| Toggle admin mode | ✅ | ❌ | ❌ |
| Change rig trust levels | ✅ | ❌ | ❌ |
| Merge/close upstream PRs | ✅ | ❌ | ❌ |
Owners and maintainers can withdraw (soft-delete) a wanted item from the board. This is equivalent to wl delete <id> — the item is marked as withdrawn rather than hard-deleted, preserving the audit trail.
There is no built-in "ban" mechanism in the current protocol. To block a problematic rig:
trust_level = 0 on the upstream rigs table. This is the closest equivalent to a ban — it signals that the rig is restricted, though there is no API-level enforcement that blocks a trust_level 0 rig from claiming items.open for other claimers.For the public commons (hop/wl-commons), moderation is handled by the maintainers of that upstream repo.
If a rig is submitting low-quality work or abusing the system:
wl reject with a clear reason. The item returns to claimed and the rig can resubmit.wl close to mark the item completed without awarding reputation.Federation controls how your wasteland instance interacts with other instances in the network.
Your private wasteland operates independently of hop/wl-commons. Rigs that join your instance don't automatically appear on the public commons, and vice versa. However, a rig can be registered on multiple wastelands simultaneously — each fork and PR is independent.
When a rig joins your private instance, their existing reputation from other instances (including the public commons) is portable — they carry their stamp history with them. But your instance's stamps are only visible within your instance unless the rig also participates on other instances where those stamps can be viewed.
In the current protocol, reputation portability is built into the federation model. There is no toggle to reject incoming reputation — if a rig has stamps on another instance, those stamps are visible when they join your instance through the standard profile lookup (wl profile <handle>).
What you can control:
visibility setting (public or private) that restricts wanted board access. Private wastelands are invisible to non-members.Each wasteland instance maintains its own:
The wasteland settings page exposes additional controls when your credential has is_upstream_admin = true. These are visible only to owners.
The Test admin access button probes DoltHub by attempting a no-op write against a scratch branch on the upstream. If the probe succeeds, you see a green "Admin access verified" badge. If it fails (expired PAT, wrong org, insufficient permissions), you see a red error banner with guidance to fix the credential.
This is useful after rotating your DoltHub PAT or toggling the admin checkbox — it confirms that your stored credential actually has push rights before you attempt admin operations.
The settings page lists all open upstream PRs cross-referenced against the wanted board. Each row shows:
Per-row actions: View on DoltHub (external link), Merge, Close without merging. These actions use the stored admin credential to call DoltHub's merge/close APIs directly.
{% callout type="warning" %} DoltHub merge is asynchronous. After clicking Merge, the PR state may not update for 5–30 seconds. The UI polls the PR state to confirm. {% /callout %}
The rig management panel lists all rigs registered on the upstream commons. Each row shows:
Owners can change a rig's trust level directly from this panel. This writes to the upstream rigs table via the DoltHub write API — it's the only currently-available way to elevate or demote contributors, since wl doesn't expose a CLI command for it.
Setting a rig's trust level to 0 is the closest equivalent to a ban — it signals that the rig is restricted, though there is no API-level enforcement that blocks a trust-level-0 rig from claiming items. See Moderation for the full escalation workflow.
The existing Delete section in settings keeps its danger styling. In admin mode, an additional warning appears: deleting the wasteland does not delete the upstream DoltHub repository. To fully decommission, you must also archive or delete the <owner>/<db> repo on DoltHub.