Trust Kernel
The layer that says no — scopes, approval gates, and an audit log that cannot be edited.
The trust kernel is the load-bearing wall of the platform: a small, separately deployed policy engine that sits between every run and everything the run wants to touch. Nothing reads the context graph, calls a tool, or sends a byte outside your project without the kernel checking the scope on the key that started the run. The design is deliberately unintelligent — the kernel does not reason, negotiate, or make exceptions, because a security layer that can be argued with by a language model is not a security layer. Scopes are granular (calendar:read is not calendar:write; finance:read does not imply documents:read) and deny-by-default. Consequential actions — payments, external sends, deletions — can be marked approval-required per project, which suspends the run at that step until a human approves it in the dashboard or via the API. Every decision the kernel makes, allow or deny, is written to an append-only audit log that even project admins cannot edit; deletion of your data removes the data, never the record that an access was attempted. The kernel is also where data-boundary promises are enforced: no training on customer data, regional pinning, and hard tenancy between projects are kernel-level invariants, not application-level habits.
[ 01 ] Key features
Deny by default
Granular scopes per key; anything not explicitly granted is refused, and the refusal is logged with the run that attempted it.
Not negotiable by models
The kernel does no reasoning. An agent cannot talk its way into a scope it does not hold — by construction, not by prompt.
Approval gates
Mark actions consequential and runs suspend at that step until a human approves — in the dashboard, by API, or via webhook.
Append-only audit log
Every allow and deny is recorded immutably. Your data is deletable; the fact of an access is not.
[ 02 ] [ kernel decision ]
{
  "run": "run_4af2c19e",
  "action": "email.send",
  "key_scopes": ["calendar:read", "email.send"],
  "policy": "approval_required",
  "decision": "suspended",
  "resumes_on": "approval:apr_77d0b3",
  "logged_at": "2026-06-11T08:14:22Z"
}
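The decision flow described above (exact-match scopes, deny by default, an approval gate, a log entry for every outcome), as an added sketch that is not the platform's own code. The names `decide`, `AuditLog`, `verify` and `APPROVAL_REQUIRED`, the policy labels `deny_by_default` and `scope_granted`, the decision values `denied` and `allowed`, and the SHA-256 hash chain used to make edits evident are all assumptions; the page does not say how the log is implemented.

```python
import hashlib
import json

# Constructed per-project policy: actions that need human approval.
APPROVAL_REQUIRED = {"email.send", "payments.create"}
GENESIS = "0" * 64


def _digest(prev, body):
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self):
        self._entries = []

    def append(self, record):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        self._entries.append({"body": body, "prev": prev, "hash": _digest(prev, body)})

    def entries(self):
        return [dict(e) for e in self._entries]  # copies, so edits do not touch the log


def verify(entries):
    """Recompute the chain; an edited, reordered or mid-chain-removed entry breaks it."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or e["hash"] != _digest(prev, e["body"]):
            return False
        prev = e["hash"]
    return True


def decide(log, run, action, key_scopes, approved=False):
    """Exact-match scope check, then the approval gate; every outcome is logged."""
    if action not in key_scopes:  # deny by default, no scope implies another
        policy, decision = "deny_by_default", "denied"
    elif action in APPROVAL_REQUIRED and not approved:
        policy, decision = "approval_required", "suspended"
    elif action in APPROVAL_REQUIRED:
        policy, decision = "approval_required", "allowed"
    else:
        policy, decision = "scope_granted", "allowed"
    record = {"run": run, "action": action, "key_scopes": list(key_scopes),
              "policy": policy, "decision": decision}
    log.append(record)
    return record
```

A chain like this does not catch truncation of the newest entries on its own; that requires the latest hash to be stored somewhere the log writer cannot reach.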