The design layer candidate
The tools do not operate over “the enterprise.” They operate over a system someone composed on purpose — its boundaries, identities, relationships, and the evidence that would count for each. That composition is real, and it is currently unwritten: it lives in doctrine and in the operator’s head. Every tool below re-derives it by hand.
Writing it down is the missing layer. An authored, versioned design; validated and ratified rather than silently amended; compiled into the bounded view each tool is competent to consume; then compared against what was actually witnessed. The verbs already exist across the constellation. The noun does not.
What it would buy: a declared surface to name (“the public edge”) instead of a list of hostnames pasted between tools; a comparison of declared structure against admissible observation, where divergence is a finding rather than a silent widening; and authority that binds to an exact design revision, so a changed system does not inherit the old permission.
One narrow case already runs
A firewall rule is a small declaration: this traffic is refused. nq can read that rule over a read-only connection and probe the path from a named vantage point — and then refuse to let the declaration and the observation be quietly merged into one story. It is not a firewall test. nq never rules the firewall correct or broken; it holds the two apart and says which one it actually saw.
The discipline is in what it will not say. A rule that does not match is cannot testify, never “allowed.” A blocked path proves nothing by itself — a dead vantage point looks exactly like a working rule — so “blocked” is only admissible alongside a control probe to a known-reachable target proving the vantage had a way out at all. Only a real completed handshake to a declared-denied address is an unambiguous contradiction; a rejection packet is not a way through. The verdicts are typed and there is no is_ok() — a test asserts the receipt contains no healthy and no green.
Pointed at a real firewall — a blocklist rule with 17,007 entries behind it — the answer was cannot testify: the rule was present and readable, the vantage had ordinary egress, and the path itself was deliberately never probed, because probing it means firing a packet at a named malicious host to make a demo look better. The verdicts that would be interesting exist only on a scratch firewall built for the purpose, and the got-through case had to be staged with a deliberately broken rule. nq has never caught a real firewall failing to enforce a real block. It has shown it would notice.
Status: named, not ratified. No implementation, no schema, no wire format — the filing is a handle for review, not authorization to build. It is on this page because the recognition is real and the site records direction honestly, not because anything ships. The firewall probe is one rule at a time, with none of the design layer above it: evidence the comparison is worth generalizing, not evidence that it exists. Nothing above the line is built.
The assurance and custody kernel
The layer that does exist, in parts. The edges are the product; the components implement them.
Not a policy engine. Not a hosted platform. Not an AI-safety oracle.
Select an edge for the claim it enforces. Solid shipped; dashed mapped, not built — including the design layer upstream. Drill runs demonstrate structure — they cannot confer operational effect.
Components — what each handles, and what it refuses
Python libraries and CLIs you self-host. nq is one binary; verifier ships a Z3 sidecar; Lean is for proof artifacts (read-only audit, not runtime). No SaaS, no hosted control plane. Badges: operational in daily use · research exploratory.
- handles
- observation→claim preflight for operational systems
- refuses
- assertion that abandons its evidence
- proof
- SQL-interrogable evidence store; every claim traceable to its observation
- inquiry
- Ask a question with a budget attached. You write the question down first — which targets, what limits, what deadline, and, up front, what this question cannot answer. Then reading is spending: attempts are counted and capped before the first DNS lookup, and a failed attempt still costs. In the worked certificate example the entire authorized budget is four work units and 750 milliseconds. The answer comes back sealed, with the evidence, the spend, and the refusals attached — and what it found cannot fund whatever you ask next.
- handles
- premise preflight for agentic intents
- refuses
- intents from revoked or out-of-scope actors
- proof
- spec harness; typed preflight verdicts
- handles
- permission and entitlement observation
- refuses
- attesting permission it cannot verify
- proof
- permission receipts with observation age
- handles
- deferred governed work
- refuses
- completion claims without reconciliation
- proof
- work receipts; reconciliation trail
- handles
- sits between an AI coding agent and its keyboard. Every action — writing a file, running a command — asks first. You approve, deny, or let read-only stuff through.
- refuses
- agent saying “done” treated as operator approving; tests passing treated as code ready to land; a rehearsal treated as production; permissions used after they expired
- proof
- golden refusal corpus; content-addressed receipts; Lean-audited class boundaries
- receipt
dda5a1e5…— permission valid at check, expired at action, gap on a named clock. Reproduce:demo/refused-spend.sh
- handles
- governed state persistence across sessions
- refuses
- state mutation without a receipt
- proof
- hash-chained receipts
- handles
- formal constraint checks (Z3 sidecar)
- refuses
- proposals that violate declared constraints — specimen: the stale-standing denial
- proof
examples/stale-standing-denied.json+ golden output pinned to the README
Projects
Outside the core stack: supervised runs, field labs, and one-off experiments. Core components are listed above.
Supervised runs
Where you supervise an AI coding agent through agent_governor.
Field lab — ATProto / Bluesky
A live network where custody, receipt, drift, and moderation claims get stress-tested in public. Not the core stack; the place the core stack meets weather.
Other
Research
The papers name the failure classes; the tools above carry the response. The Δt series is scaffolding for the check-vs-action logic in standing and agent_governor. Some of this work is theoretical only; not everything here has an instantiation yet.
Selected papers below — full list in the papers repo.
Temporal Coherence & Δt Theory
Selected claims from this series are formally audited in Lean — see unpingable/lean (proof reader’s portal).
- Δt-Constrained Inference: A General Model of Temporal Coherence in Hierarchical Systems
- Detecting Temporal Debt in Language Models and Software Systems
- Temporal Closure Requirements for Synthetic Coherence
- You Need More Than Just Attention: Invariant Requirements for Temporal Coherence in AI Systems
- The Temporal Attack Surface: A Δt Framework for Asynchronous Security Systems
- Temporal Asymmetry in Censorship Systems
- The Gain Geometry of Temporal Mismatch: Shear, Leverage, and Capture in Multi-Timescale Systems
Systems & Institutional Dynamics
- Control Laws for Hierarchical Kinetics: Design Principles for Multi-Timescale Systems
- The Coherence Criterion: A Unified Framework for Stability in Hierarchical Systems
- The Second Law of Organizations: How Temporal Lag Drives Irreversible Institutional Decay
- Capacity-Constrained Stability: A Control-Theoretic Framework for Institutional Resilience
- Cybernetic Fault Domains: When Commitment Outruns Verification