Three components. One atomic operation. Zero trust required at any layer.
Pure Rust eBPF program compiled to bpfel-unknown-none and loaded into the Linux kernel via Aya. Every agent syscall is intercepted at the LSM hook boundary before it can affect the host filesystem, network, or process table. Zero dependencies. No runtime. No bypass surface.
Your governance policy compiled to a RISC Zero zkVM guest program and executed in a deterministic execution environment. The synchronous policy evaluation (Wave Function Collapse) completes with microsecond-scale blocking on the critical path; Groth16 zk-SNARK proofs are generated asynchronously off the critical path via a zk-Rollup Merkle batching architecture — events accumulate into batches of up to 100, the per-event hashes fold into a single Merkle root, and one proof commits per batch root. This compresses Prover COGS by a constant factor proportional to batch size, reducing per-event Prover cost by ~99% in steady state.
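The batching step described above, as an added example that is not the product's own code: per-event hashes fold into one Merkle root, and an auditor checks a single event against that root with a sibling path. The hash function (SHA-256), the 0x00/0x01 leaf and node prefixes, the odd-node promotion rule and all function names are assumptions, since the page does not specify the tree layout.

```python
import hashlib
import hmac

BATCH_MAX = 100  # maximum batch size stated above

def leaf_hash(event: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an inner node (assumed scheme)
    return hashlib.sha256(b"\x00" + event).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_levels(events):
    """All tree levels, leaves first, for one batch of serialized events."""
    if not 0 < len(events) <= BATCH_MAX:
        raise ValueError("batch must hold 1..BATCH_MAX events")
    levels = [[leaf_hash(e) for e in events]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # promote the odd node; never duplicate it
        levels.append(nxt)
    return levels

def merkle_root(events) -> bytes:
    return merkle_levels(events)[-1][0]

def inclusion_proof(events, index):
    """Sibling path for events[index] as (hash, sibling_is_left) pairs."""
    if not 0 <= index < len(events):
        raise IndexError("no such event in batch")
    proof = []
    for level in merkle_levels(events)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(event, proof, root) -> bool:
    acc = leaf_hash(event)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, root)

if __name__ == "__main__":
    batch = [f'{{"seq":{i},"verdict":"allow"}}'.encode() for i in range(100)]  # constructed
    root = merkle_root(batch)
    print(root.hex(), verify_inclusion(batch[42], inclusion_proof(batch, 42), root))
```

Promoting an unpaired node instead of duplicating it means a batch with a repeated final event cannot produce the same root as the shorter batch.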
A cryptographically sealed, append-only compliance receipt. SOVEREIGN_MODE bifurcates the substrate: cloud-native deployments commit to GCP Spanner with TrueTime timestamps; sovereign / air-gapped deployments append to a localized WORM ledger inside the customer perimeter. Schema-enforced immutability either way.