Architecture

The Architecture of Verifiable Enforcement.

Three tiers, two privilege rings. Each tier enforces where it can reach. All three share one cryptographic audit record you can verify yourself — without having to trust us.

How tiers map to layers

Tier 01 · Ring-3 · SDK

Observe in your SDK

Tier 02 · Ring-3 · SDK

Enforce in your SDK

Tier 03 · Ring-0 · Kernel

Enforce in the kernel

Ledger · Shared

One signed audit record

Tier 01 · Ring-3 · SDK · observe-only

Agent SDK — Observe

SDK-Side Observability (Observe-Only)

The free, open-source SDK runs in-process in user-space (Ring-3). It wraps any agent call with shield(), threads a trace_id through the full async call-tree, and emits metadata-only telemetry. This is the SAME SDK as Tier 02 with enforcement switched off — it observes and reports, it never blocks. Prompt and completion content never leave your environment.

shield() / getCurrentTraceId

Wraps any async agent call and generates a VANTIO_TRACE_ID, propagated via AsyncLocalStorage to every async hop and spawned child call — no monkey-patching, no AST modification, no global state.

reportAnomaly()

Emits structured, metadata-only events (target_host, bytes_severed, pid, action_taken). Zero linguistic content ever reaches the ledger; prompts and completions are architecturally excluded.

observe-only

No policy is fetched and nothing is blocked — the SDK records what happened. Turn on Tier 02 to make the very same SDK enforce client-side.

Deploy: npm i @vantio/agent-sdk or pip install vantio-agent-sdk. Set VANTIO_API_KEY — 10,000 events/month free. No infrastructure, no proxy, no code changes.

Tier 02 · Ring-3 · SDK · enforce

Oracle Policy Plane

SDK-Side Policy Enforcement

For Tier 02 deployments without kernel access, Vantio enforces policy inside the customer's own SDK/CLI — not as a network proxy. The cloud stores a policy you control and receives metadata-only telemetry; prompt and completion content never reach Vantio. Set one environment variable and the SDK redacts PII, caps spend, and blocks off-policy hosts locally before any request leaves your environment:

VANTIO_CLOUD_INGEST=true

The SDK pulls your cloud-managed policy from /api/v1/config and enforces it in-process. Outbound LLM calls go directly to the provider — never routed through Vantio. If the policy fetch fails, the SDK fails open and observes only.

redact_pii / blocked_hosts

Policy-driven redaction and host blocking run client-side. blocked_hosts/allowed_hosts apply to any named host (not just known LLMs); off-policy requests are stopped locally and logged as BLOCKED_HOST — metadata only, no content.

Rate limiting

100 requests/minute per API key enforced at Vercel Edge via Upstash Redis — before any Supabase query. Protects infrastructure budget during load spikes.

Deploy: No infrastructure required for Tier 02. Set VANTIO_API_KEY and VANTIO_INGEST_URL — the CLI instruments Node.js processes in-process via NODE_OPTIONS (--require) injection, not a proxy. Enforcement fails open if the control plane is unreachable — a Vantio outage never blocks your agent.

Tier 03 · Ring-0 · Kernel

Phantom Engine

eBPF Kernel Enforcement

Pure Rust eBPF programs compiled to bpfel-unknown-none and loaded into the Linux kernel via Aya. Only enrolled workloads — matched by cgroup via Kubernetes labels/annotations — are enforced; all other host traffic is passed through untouched. For enrolled agents, activity is intercepted at kernel hook boundaries — tracepoints, uprobes, and a TC egress classifier — before it can affect the host filesystem, network, or external state. The programs run simultaneously:

sched_process_fork

BTF tracepoint — inherits trace_id from parent to all child PIDs. LLM agents that spawn bash, curl, or python subprocesses are covered without re-seeding.

ssl_write uprobe

Attaches to SSL_write in libssl.so.3 and gnutls_record_send in libgnutls.so.30. Intercepts the egress buffer before encryption — full TLS coverage across OpenSSL and GnuTLS (the default curl backend on Ubuntu). Records PID, trace_id, bytes, and target host.

execve / openat

Syscall tracepoints (sys_enter_execve, sys_enter_openat) attribute every subprocess spawn and file open to a trace_id. Each event carries a type discriminant so it is never confused with a TLS record on the shared ring buffer.

tc_enforce

TC egress classifier on the network interface. For enrolled cgroups, drops packets to non-allowlisted destinations (TC_ACT_SHOT) across both IPv4 and IPv6 — RFC-1918 plus IPv6 ULA/link-local matched via bitmask, so resolving an AAAA record cannot bypass enforcement. Traffic from unenrolled workloads is never dropped.

Shadow AI detection

Any process on an enrolled node that initiates outbound traffic to a known LLM endpoint (OpenAI, Anthropic, Bedrock, etc.) without a valid trace_id is flagged — including processes that have no SDK instrumentation at all. This maps your full AI attack surface, not just the agents your team officially deployed.

Deploy: De-privileged Kubernetes DaemonSet (one pod per node) or bare-metal Linux. Runs with minimal Linux capabilities (CAP_BPF, CAP_NET_ADMIN), a seccomp profile, and a read-only root filesystem. Per-agent enrollment via Kubernetes labels/annotations. Compatible with EKS, GKE, AKS on kernel ≥ 5.8.
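The bitmask match described under tc_enforce, written out in JavaScript for readability as an added example; it is not the project's eBPF code, and the function and constant names are hypothetical. It goes slightly beyond the text by also unwrapping IPv4-mapped IPv6 addresses, and the sample addresses are constructed.

```javascript
const net = require('node:net');

// [label, network, mask] over the full 32-bit IPv4 address.
const V4_RANGES = [
  ['rfc1918', 0x0a000000, 0xff000000], // 10.0.0.0/8
  ['rfc1918', 0xac100000, 0xfff00000], // 172.16.0.0/12
  ['rfc1918', 0xc0a80000, 0xffff0000], // 192.168.0.0/16
];
// [label, network, mask] over the first 16 bits of the IPv6 address.
const V6_RANGES = [
  ['ula', 0xfc00, 0xfe00],        // fc00::/7
  ['link-local', 0xfe80, 0xffc0], // fe80::/10
];

function match(value, ranges) {
  for (const [label, network, mask] of ranges) {
    // >>> 0 keeps the AND result unsigned so it compares equal to `network`.
    if (((value & mask) >>> 0) === network) return label;
  }
  return 'other';
}

// Classify a destination address string (hypothetical helper).
function classifyDestination(addr) {
  if (net.isIPv4(addr)) {
    const n = addr.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
    return match(n, V4_RANGES);
  }
  if (net.isIPv6(addr)) {
    // IPv4-mapped form (::ffff:a.b.c.d) carries an IPv4 destination.
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr);
    if (mapped) return classifyDestination(mapped[1]);
    const first = addr.startsWith('::') ? 0 : parseInt(addr.split(':')[0], 16);
    return match(first, V6_RANGES);
  }
  return 'invalid';
}

// Constructed A and AAAA answers for one hypothetical internal host: both
// families land in a matched range, so neither record type escapes the check.
const SAMPLE_ANSWERS = ['10.20.30.40', 'fd00:20:30::40'];
console.log(SAMPLE_ANSWERS.map(classifyDestination));
```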

Shared · All tiers · compliance substrate

Anomaly Record

Cryptographic Compliance Ledger

A shared component written by every tier. Every event — observed, allowed, redacted, or blocked — is committed to the compliance ledger as a structured, HMAC-signed, metadata-only record. Two substrate modes:

SOVEREIGN_MODE=cloud

GCP Spanner TrueTime WORM ledger (allow_commit_timestamp=true). Globally consistent timestamps. The ingest service account holds strictly append-only INSERT privileges.

SOVEREIGN_MODE=local

NDJSON file output (--output-file). Compatible with the gcloud spanner import format for air-gapped environments. Immutable on local disk before upload.

x-vantio-signature

HMAC-SHA256 receipt over the event trace ID, keyed by the tenant's API key and returned on every ingest. Events are cryptographically receipted and verifiable without trusting the ledger.

Deploy: schema/spanner_ledger.ddl defines the TrueTimeLedger table. The ingest service account requires only INSERT privileges — no SELECT, UPDATE, or DELETE.
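One way to re-check x-vantio-signature receipts locally, as an added example rather than Vantio's own code. It assumes the receipt is hex-encoded, that the MAC input is the trace ID as UTF-8 text, and that stored records keep the receipt in a field named signature; the page states none of these, and the key and records are constructed.

```javascript
const crypto = require('node:crypto');

// Assumptions (not stated on the page): the MAC input is the trace ID as
// UTF-8 text, the receipt is hex-encoded, and stored records keep it in a
// field named "signature" (hypothetical) next to "trace_id".
function computeReceipt(apiKey, traceId) {
  return crypto.createHmac('sha256', apiKey).update(traceId, 'utf8').digest();
}

// True only when receiptHex is a well-formed 32-byte hex digest equal to the
// recomputed HMAC. The comparison is constant-time.
function verifyReceipt(apiKey, traceId, receiptHex) {
  if (typeof traceId !== 'string' || typeof receiptHex !== 'string') return false;
  if (!/^[0-9a-f]{64}$/i.test(receiptHex)) return false; // truncated or malformed
  const received = Buffer.from(receiptHex, 'hex');
  return crypto.timingSafeEqual(computeReceipt(apiKey, traceId), received);
}

// Re-check every line of an NDJSON export; returns the lines that fail.
function auditNdjson(apiKey, ndjson) {
  const failures = [];
  ndjson.split('\n').forEach((line, i) => {
    if (line.trim() === '') return;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      failures.push({ line: i + 1, reason: 'unparseable' });
      return;
    }
    if (!verifyReceipt(apiKey, rec?.trace_id, rec?.signature)) {
      failures.push({ line: i + 1, reason: 'bad_receipt' });
    }
  });
  return failures;
}

// Constructed sample: placeholder key, three records, the second tampered.
const SAMPLE_KEY = 'example-api-key-not-real';
const sign = (id) => computeReceipt(SAMPLE_KEY, id).toString('hex');
const SAMPLE_NDJSON = [
  JSON.stringify({ trace_id: 'trace-0001', action_taken: 'ALLOWED', signature: sign('trace-0001') }),
  JSON.stringify({ trace_id: 'trace-0002x', action_taken: 'BLOCKED_HOST', signature: sign('trace-0002') }),
  '{"trace_id": "trace-0003", "signature": ',
].join('\n');

console.log(auditNdjson(SAMPLE_KEY, SAMPLE_NDJSON));
```

Because the MAC input described on the page is the trace ID alone, a passing check ties the receipt to that ID and key; it does not by itself cover the other fields of the record.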

Technology Stack

Component | Technology | Purpose
eBPF Runtime | Aya 0.13 (Rust) | Ring-0 map/program loader
eBPF Target | bpfel-unknown-none | Bare-metal BPF ELF
Kernel min | Linux 5.8+ | Ring buffer + BTF support
User-space | Tokio async | Non-blocking ring drain
Ledger | GCP Spanner | TrueTime WORM + SOVEREIGN_MODE
API runtime | Next.js 15 Edge | Vercel global edge network
Auth | Supabase magic link | Zero-password, session-scoped
Supply chain | SLSA Level 3 | Sigstore + Rekor attestation
Shadow AI detection | eBPF process monitoring | Flags unenrolled processes calling LLM endpoints