How it works

A governed, zero-knowledge conduit into any VPC.

The hard part — the sealed, attested, hub-blind conduit — is built once to a higher bar than anything else. Everything that rides it is just cargo.

The topology

You run the hub. The embassy dials out to you.

Legation system topology An operator C2 console drives an active/active, multi-region routing hub that holds no key and cannot read traffic. The hub fans out over dial-out WebSocket (wss) links to embassies inside multiple, isolated customer VPCs (zero inbound ports); each embassy cryptographically authenticates to register before the hub will route to it. Each embassy executes in place against the customer's data; sealed tasks go down and only structure-only projections come back up. The data never leaves any VPC, and the customer holds a dual Recall the operator cannot override. OPERATOR CONSOLE · C2 see the fleet · task · dual Recall · Dispatch inference + your IP stay control-side control · signed tasking ROUTING HUB · ACTIVE / ACTIVE · HOLDS NO KEY HUB · region A HUB · region B ↔ replicated lose a region — governance never blinks CUSTOMER VPC EMBASSY executes in place ● data never leaves dials OUT ↑ · no inbound ports CUSTOMER VPC EMBASSY executes in place ● data never leaves dials OUT ↑ · no inbound ports CUSTOMER VPC EMBASSY executes in place ● data never leaves dials OUT ↑ · no inbound ports ↓ sealed tasks · ↑ projections (structure only) · SEAL · TREATY · DUAL RECALL The IP never leaves — because the inference never sees it.
The core trick

Invert the data flow.

Don't move the data to the app — move the app's tool calls to the data. The brain stays out; the hands execute next to the data; only redacted, structure-only projections cross back.

The IP never leaves because the inference never sees it — a far stronger claim than "we encrypt the tunnel."

It's also the same mechanism that satisfies GDPR data-minimisation, HIPAA minimum-necessary, and PCI "never persist card data." One architecture, many checkboxes.

The IP — the sealing ingress

Five things at the border. Then the hub goes blind.

Where any app's traffic enters the link. The routing hub holds no key and cannot decrypt — proven cryptographically, both directions.

Govern

The treaty applies here — content-type check + sensitivity classification — before anything is sealed.

Project

Data-flow inversion per policy: pass raw, structure-only, verdict-only, or withhold. Secret-bearing content is force-withheld.

Seal to the destination

Anonymous sealed box — ephemeral X25519 ECDH → HKDF-SHA384 → ChaCha20-Poly1305. Only the destination's private key opens it.

Attest

Signed provenance: content hash, treaty id + digest, sensitivity class, projection mode, timestamp.

Sign

Ed25519 over the whole envelope — proving the ingress's identity and integrity to the destination.

Why "endless possibilities" is literally true

One conduit. Any cargo.

The ingress seals opaque bytes — it has no idea what protocol rides inside. Cargo differs by only two things: a content-type tag and a projection mode. So the same seal/open/project carries:

One sealed conduit carries any cargo A single sealed, hub-blind conduit carries many cargo types — agent-to-MCP, MCP-to-MCP, A2A, QA, pentest, and any app-to-app — distinguished only by a content-type tag and a projection mode. agent ↔ MCP MCP ↔ MCP A2A ↔ A2A QA pentest any app one sealed, hub-blind conduit · content-type tag + projection mode · add a cargo type in an afternoon

The hard part is built once

The governed, zero-knowledge, attested conduit — to a higher bar than anything else. This is the moat.

The easy part is a thin layer

A new cargo type is a typed adapter you add in an afternoon. Endless cargo, one conduit.

The moat

Governance is the product, not the wrapper.

Enforced on their soil

The treaty is compiled, both-sides-signed, and enforced inside the customer's own VPC. They verify the agent can't exceed it; you can't override it.

Blind by cryptography

The hub routes ciphertext it can't read. Not policy — math. Tested.

Built hardest-first

The DoD tier was built first. Everyone else has to come up — years of security engineering. You come down.

See it provably compliant — answers up front.

The compliance posture → The platform