Back

Architecture Philosophy

Three projects. One stack.

Security enforced at every layer.

Warden, Covenant, and Watershed were built independently but fit together as a coherent infrastructure story — edge telemetry that survives connectivity loss, access control that keeps policy out of the model, and runtime security that detects and remediates without waiting for a human. Each layer is a deliberate constraint on where AI is allowed to operate and what it is allowed to decide.

Full Stack — Edge → Access Control → Runtime

48V CAN / HTTPS / MQTTEDGEWatershedSQLite Bufferoffline storageMQTT BrokerMosquittoAWS IoT Corecloud syncClaude Sonnetanomaly detectionEdge-resilient telemetry. Operates during network partition.ACCESSCONTROLCovenantRequestJWT claimsOPA Rego Gatehard denypgvector Searchtenant_id scopedClaude Sonnetpermitted contextPolicy enforced before AI runs. Hard gate, not a soft check.RUNTIMESECURITYWardenK8s WorkloadsubmitOPA GatekeeperadmissionFalco eBPFruntimeFalcosidekickforwardingClaude SonnettriageAuto-patch<3 secondsTwo-layer K8s security. Detect and remediate within 3 seconds.

Design Principles

Policy before AI

AI is a reasoning layer, not a gatekeeper. In Covenant, OPA Rego makes the hard access-control decision before Claude ever sees a query. The model can't grant what policy already denied — which means the safety invariant holds even if the model is wrong.

Edge-first resilience

Connectivity loss isn't an edge case in agricultural and remote environments — it's the baseline condition. Watershed buffers locally in SQLite and syncs when a path is available. The telemetry pipeline keeps running whether or not a cloud endpoint is reachable.

Runtime over perimeter

Preventing bad configurations at admission (OPA Gatekeeper) is necessary but not sufficient. Warden adds Falco eBPF syscall probes so that anomalous behaviour after a workload is admitted is detected and remediated within 3 seconds — without waiting for a human on-call.

The Projects

Runtime Security

Warden

Self-healing Kubernetes security agent. OPA admission control + Falco eBPF runtime detection + Claude triage → auto-patch in under 3 seconds.

Access Control

Covenant

Policy-enforced AI access control. OPA Rego is the hard gate before Claude — the model only ever sees what the identity policy already permitted.

Edge Telemetry

Watershed

Edge-resilient IoT pipeline. Offline SQLite buffer, MQTT ingestion, AWS IoT Core sync, and Claude thermal anomaly detection — survives network partition.

View all projects →