// the deck, screen by screen — terminal UI
A guided tour of every capability — captured live from a running deck over SSH. One platform, three faces (web UI, terminal UI, and an on-device AI operator), one gated API. Prefer the browser? Switch to the GUI view →
00 // command dashboard
Throttle, core temp, memory, disk, time sync, active links, and every peripheral — at a glance, in the terminal or the browser, over the same single API. The engagement state is always front-and-center: SAFE MODE until you say otherwise.
+ // remote access — tailscale
The deck joins your private Tailscale tailnet, so the web dashboard and the terminal UI are reachable from your laptop anywhere — WireGuard-encrypted end-to-end, no port-forwarding, no public exposure, scoped by tailnet ACLs. Leave it running headless in the field and operate it from your couch. Every screen on this page was captured exactly that way: over SSH, across Tailscale.
# from your laptop, on the tailnet → ssh sem@warlock → warlock-tui # the full HUD → warlock-chat # the AI operator # web dashboard, same private net: → http://warlock:7777
01 // WaRL0c — the AI operator
An on-device AI that reads the deck's live state and guides you through an engagement — then drives in-scope operations on your behalf. It can't act outside an active engagement, it can't arm one itself, and every action it takes goes through the same gate you do.
02 // mesh — off-grid comms
Meshtastic over LoRa turns the deck into a node on a long-range, low-power mesh — here, 52 nodes in view. Coordinate with other operators and decks in air-gapped or infrastructure-down situations: no cell, no Wi-Fi, no internet. See SNR, hop count, and battery per node; broadcast to all or DM one.
03 // wireless recon
Monitor-mode survey on the MediaTek MT7961 — access points and clients with channel, encryption, and signal, plus handshake and PMKID capture for later offline analysis. Passive by default; this is situational awareness, not attack.
04 // offensive wireless — gated
Deauth, evil-twin, karma, WPS — the offensive toolkit is refused (403) until an engagement is active and the target is in scope. No engagement, no offense. This isn't a setting you can forget to turn on; it's the default state of the machine.
05 // software-defined radio
RTL-SDR receive for ADS-B aircraft tracking, rtl_433 sensors, and tunable presets — plus HackRF for capture, analyze, and replay. Receiving is always on; transmitting (replay) is hard-gated on an active engagement and a named in-scope target.
06 // GPS + precision time
A u-blox receiver with 1-PPS feeds position and disciplines the system clock through chrony, so your audit timestamps stay accurate even with no network time source. Critical when the records have to hold up later.
07 // network recon & defense
ARP discovery enumerates the local subnet with vendor fingerprints, while a baseline-and-diff monitor raises defense alerts on MAC changes, new hosts, and new services — blue-team by default. Wide or non-local port scans require an engagement; own-network monitoring is always allowed.
08 // server audit
nmap-vuln, nikto, lynis, and SSH-config review against the hosts you manage. Remote audits are engagement-gated; local hardening (lynis) always runs. SSH passwords are passed by environment and never written to the audit log.
09 // the engagement gate — the receipts
Arm an engagement with an explicit scope, and the deck enforces it on every action — even when the AI makes the request. The audit log is the proof: here, real scope.violation … refused rows where the gate stopped an out-of-scope deauth, nmap, hashcat, and reaver. Each record is signed (Ed25519 / did:web) so a third party can verify it offline.
Every screen above runs on a deck you assemble yourself, from a documented bill-of-materials. Open, free, authorization-first.
