The point of AI remediation is trusting it at 3AM. That trust isn’t a promise — it’s enforced, layer by layer, between any actor and your clients’ endpoints.
Each layer holds independently once live. Three of five are enforced in production today — Ed25519 signing, typed-operation execution, and Decision-Engine risk scoring all sit on the hot path of every command, so a valid signed command still can’t skip the risk gate.
WireGuard mesh transport and mTLS have their keys and certs issued at enrollment today; wiring up verification on the transport itself is next. We’d rather tell you exactly where the line is than round up.
The decision engine scores every proposed action across five dimensions — reversibility, blast radius, criticality, change category, confidence — into a single 0–205 score. The score decides the path:
The audit trail is hash-chained — every entry’s hash is computed from the previous entry’s hash plus its own payload, so tampering breaks the chain instead of hiding in it.
Real event types, not paraphrases: drift.detected, decision.assessed, approval.requested/approved, command.authorized. When a client asks “what happened at 3AM?”, that’s the actual log you show them.
Row-level security is enabled and forced on every tenant-scoped table. The application role carries NOBYPASSRLS — even a bug in our own code can’t cross tenants. Missing tenant context returns zero rows, not all rows. Above that sits RBAC: two system roles and seven tenant roles, checked against every route.
Per-tenant token budgets are enforced in the orchestrator. At 100% of budget, the platform automatically downgrades to on-device local AI — triage keeps working, the bill doesn’t grow. Bring any OpenAI-compatible provider: Claude, GPT, Ollama.