Single source of truth for everyone with dashboard access. Email controls assignee mapping for the email-to-task feature (configure under System → Email-to-Task). Role controls dashboard access; LANCE tier controls the access level baked into the user's downloadable LANCE skill. Click ▸ on a row to expand ntfy notification settings.
ⓘ Changing a user's LANCE tier? Tell them to re-download their LANCE skill (Profile menu → Download LANCE skill). Each user's skill carries a per-user API key minted at download time with their tier baked in — updating their tier here only takes effect on their next skill download. Their old skill keeps working with the old tier until then.
| User | Dashboard | Tasks | Lance | Rock | MFA | ntfy topic | Actions |
|---|---|---|---|---|---|---|---|
notification preferences
Per-event settings (ntfy / web / email) are now self-managed by each
user under ⚙ Settings → 🔔 Notification Center on the Tasks page.
This panel keeps only ntfy topic provisioning.
ntfy topic management
Subscribe to the topic in the ntfy app on ntfy.sh.
Cron failures still go to the global topic configured under Alerts.
Per-user overrides take precedence over the global Permission Matrix. Select (default) for any category to let the matrix decide for this user. Changes flush the auth cache immediately and take effect on the user's next request. Overrides carry forward when the user re-downloads their skill.
| Category | Matrix Default | Override |
|---|---|---|
Each cell shows the effective effect for that tier × category. Click to change.
Modified cells are highlighted — click ↶ to revert to shipped default.
Per-user overrides (set in the Users tab) take precedence over this matrix.
Effects: — deny, R-self read self only, R-grp group-scoped,
R-min ministry-scoped, R-summary aggregates only,
R unrestricted read, R/W-min ministry-scoped write, R/W full.
| Category | T0 Guest | T1 Self | T2 Volunteer | T3 Min-staff | T4 Staff | T5 Ops | T6 Admin |
|---|---|---|---|---|---|---|---|
| When | Who | Cell | Was | Now | Reason |
|---|---|---|---|---|---|
| No matrix changes recorded yet — current configuration matches shipped defaults. | | | | | |
You don't have vault access. Ask an admin to enable the Vault checkbox on your user (Users tab).
- Everyday passphrase — for daily use. Write it on airgapped sticky notes held by a few trusted staff (multiple copies = redundancy). Min 12 chars; use a real passphrase, not a PIN.
- Recovery passphrase — stronger; seal it in a safe. It opens the vault if every everyday copy is lost. Min 16 chars.
Sealed under the vault's public key — no passphrase needed to add. The title/keywords are searchable plaintext, so don't put the secret itself in them.
| Title | Category | Keywords | Added | Actions |
|---|---|---|---|---|
| Slot | Label | Created | Actions |
|---|---|---|---|
Enter the shared vault passphrase to reveal this secret. The secret is fetched once and never cached.
| Time | Role | Endpoint | Params | Result |
|---|---|---|---|---|
| # | Person | Position | Status |
|---|---|---|---|
| Channel | Level (dB) | Send On | Source notes |
|---|---|---|---|
Read the current send levels for IEMs 1-12 off the dLive (TCP MIDI, read-only) and save each as the position default. Used as the starting mix for any volunteer who doesn't have a learned profile yet. Set the levels you want on the console, then click below.
| IEM | Label | Last Captured | Channels |
|---|---|---|---|
| Person | Context | Samples | Tier | Last sample |
|---|---|---|---|---|
| EMA BLEND default |
WLS0N.
| Ch | Name | Source |
|---|---|---|
Click "+ New" to add one.
Generate a public link a volunteer can use to view + complete this task. No login required. Useful for one-off help.
Start the conversation below.
Time-boxed safety catches for powerful operations. Arm a normally-closed capability to use it briefly; Disable a normally-open connection for maintenance. Every change needs your personal PIN and auto-reverts when its timer runs out. This is an extra layer on top of normal permissions — it never grants new access.
| Capability | State | Default | Active window | Actions |
|---|---|---|---|---|
| When | Event | Gate | By | Detail |
|---|---|---|---|---|
Live state of the SQLite-backed tasks store at /opt/lefcav-api/tasks.db.
Refreshed via the Refresh button above. See 04-diagnostics/tasks-sqlite-migration-plan.md for design.
/opt/lefcav-api/state/tasks-backups/
Every chat request through the Tasks-page assistant — who asked, what LANCE did, and its reply.
| When | User | Request | Actions (tools) | Reply |
|---|---|---|---|---|
Polls an IMAP mailbox every 5 minutes; converts unread mail into tasks. Subject → title; body → description; sender email → matched against user emails (Users tab) for assignee mapping. Status: .
Used to send MFA codes, password-reset emails, and notifications.
Status:
.
For Gmail, host is smtp.gmail.com and port 587;
password is a 16-char app password (not your account password).
| Role | Key (masked) | Length | Actions |
|---|---|---|---|
The PAT (above) handles all JSON metadata. But downloading attachment files (stage plots, MP3s, PDFs) requires an OAuth2 access token.
Register a new OAuth app at
api.planningcenteronline.com/oauth/applications,
set the redirect URI to https://lefc-api.taild0b628.ts.net/api/pco/oauth/callback,
paste the Client ID + Secret below, then click Connect.
Stuck on the redirect? Paste callback URL here
If your browser ended up on a "site can't be reached" page after approving in PCO (typically because you're not on the tailnet), copy that page's URL from your address bar and paste it below. The server completes the handshake locally.
Lets LANCE see what's playing in the Crossover room — track, current device, in-app volume.
Register a Spotify Developer App at
developer.spotify.com/dashboard,
set the redirect URI to ,
paste the Client ID + Secret below, then click Connect.
Required scope: user-read-playback-state.
Stuck on the redirect? Paste callback URL here
If your browser ended up on a "site can't be reached" page after approving in Spotify (typically because you're not on the tailnet), copy that page's URL from your address bar and paste it below. The server completes the handshake locally.
Download a JSON backup of dashboard configuration (passwords metadata, service windows, alert rules). Does not include API keys or plaintext passwords.