The platform

One product. Two dials. Every cargo.

Hardening — bolt-on to sovereign. Delivery — managed BYOC VPC to shipped software. Same Legation underneath; only the dials change.

The hardening dial

From commercial bolt-on to DoD sovereign.

| Tier | Brain runs | Control link | Key custody | Crypto | Operated by |
| --- | --- | --- | --- | --- | --- |
| Bolt-on | control plane (inverted) | live, dial-out WS | software | classical | you (managed) |
| Regulated | customer endpoint (BYO) | live + store-forward | HSM / KMS | FIPS | you (managed BYOC) |
| Sovereign | in-VPC local model | offline signed artifacts | hardware-bound | post-quantum | them (shipped) |

One binary, one dial. The envelope hardened to clear a SCIF is the same envelope that lands in a commercial VPC — you just turn the dial down. A SOC 2, PCI-DSS, or HIPAA buyer sets the tier to Bolt-on or Regulated and inherits the DoD-grade posture by construction: the CNSA SHA-384 seal, the treaty enforced inside their own VPC, dual Recall they hold, and a metadata-only audit trail — without the DoD price or complexity. The tier sets the floor; nobody pays for a SCIF to protect a payments workload, and nobody ships the DoD a commercial bolt-on.

The components

Every component — built, tested, and green.

The conduit — the IP

legation-ingress — govern → project → seal-to-destination → attest. Hub-blind, crypto-proven.
legation-mcp — MCP surface + stdio adapter; A2A-ready.

The envelope — the moat

legation-seal — sealed bag, SHA-384 Merkle + Ed25519.
legation-enclave — dual Recall, inversion, gate, extraction, sensitivity, QA.
legation-manifest — the tier dial + cargo + treaty.

The control plane

legation-c2 — dial-out WS, multi-tenant, store-forward.
legation-link — Seneschal gate + Recall.
legation-console — password-gated operator Console: live fleet, per-embassy posture, task, dual Recall.
legation-serve — the runnable embassy.

The proof

legation-compliance — 31 frameworks + the self-audit package.
legation-cli — seal · verify · extract · evidence · audit.

The installer

L6 hardened Dockerfile (FROM scratch, static musl, STIG) + tier-dialed Helm chart + Terraform — lands the embassy in a customer's EKS/k8s.

Built & green

16 crates · 260 tests, green. clippy -D warnings clean, cargo fmt clean, and forbid(unsafe_code) across the workspace. Not a prototype — a hardened platform.

Pluggable cargo

Endless cargo on one sealed conduit.

Agent ↔ MCP

The customer's agent points at an MCP endpoint; it reaches the client's real MCP servers, governed.

A2A ↔ A2A

Governed agent-to-agent across the membrane. Same seal/open — swap the payload type.

QA-in-VPC

An assurance harness runs in the VPC; only the pass/fail verdict crosses. Never the code.

Pentest node

Spawn security tools in-VPC, project the findings. Same exec-and-project pattern. (possible)

The conduit is protocol-agnostic. If it speaks MCP, A2A, or anything with a wire format — it's just sealed cargo with a content-type tag.

The world-class layer

The pieces that make it the standard, not just a product.

Agent identity (NHI)

SPIFFE-aligned, short-lived, scoped, attested, rotatable, revocable identity for every agent — the "ID" pillar of zero trust. 95% of enterprise traffic is non-human; Legation is the chokepoint that governs it. legation-identity

Confidential clean rooms

Multiple parties bring data and agents that meet inside a TEE-attested enclave no party — nor the operator — can read. Governance on confidential computing, not a clean-room vendor. legation-cleanroom

The assurance pack

Continuous OSCAL · verifiable AIBOM · insurance-readiness · decision replay · lethal-trifecta attestation — every artifact a regulator, auditor, or underwriter ingests. legation-compliance

Honest scope: the operator and hub are cryptographically blind to the data at every tier; the operator's IP is protected from a malicious host by hardware (TEE) at Sovereign, and by obfuscation + contract below it. We state the line precisely — that's the credibility.

Hosting

Hosted where the government already trusts. AWS GovCloud (US).

The control plane runs in AWS GovCloud — the isolated region built for the most sensitive U.S. workloads. It's not a logo on a slide; it's the posture that lets a federal program office say yes.

FedRAMP High

Operated in the region authorized for High-impact federal data — the bar most "gov-ready" vendors never clear.

DoD SRG IL2–IL5

Impact Levels 2 through 5 for Controlled Unclassified Information and mission systems; the Sovereign tier targets IL5+.

ITAR / EAR · US-persons

Export-controlled-data eligible; operated by vetted U.S. persons in physically isolated U.S. infrastructure.

FIPS 140 endpoints

FIPS-validated cryptographic endpoints end to end, aligned with the CNSA 2.0 primitives Legation already uses.

Iron Bank accredited

The runtime images target Platform One's Iron Bank — a Certificate to Field a customer program inherits, collapsing their ATO from months to "pull the approved image."

Hybrid post-quantum — Sovereign tier

All hashing is SHA-384 (CNSA 2.0). At the Sovereign tier, signatures upgrade to a hybrid — Ed25519 + ML-DSA — secure if either the classical or the PQ primitive holds. Classical Ed25519 at Bolt-on and Regulated; PQ-ready by construction.

Data residency by region

Available in AWS GovCloud (US) for federal / DoD and AWS EU regions for GDPR residency. Your data stays in the jurisdiction it's legally bound to — by deployment, not by promise.

When you tell a CISO or a contracting officer "the control plane lives in GovCloud, the runtime is Iron Bank–accredited, and the crypto is post-quantum-ready," the conversation changes. That's the point — it makes the statement that we mean business.

Operations

Built to be run by a real security team.

Not a demo that needs hand-holding. Legation ships with the operational rigor a regulated platform team expects — and a full runbook your engineers get on deployment.

L6-hardened runtime

Containers built FROM scratch, static musl, RELRO + NX, non-root, read-only root FS, custom seccomp, STIG-aligned. No shell, no package manager, minimal attack surface.

Verifiable supply chain

CycloneDX SBOM + cosign signatures per release, cargo audit clean, and forbid(unsafe_code) across every crate. You can verify what you run.

Gated pipeline

Every change clears automated quality and dependency-vulnerability gates before it can ship. Tagged releases auto-emit a signed image + SBOM.

HA & fail-closed

Multi-replica control plane with shared state, zone-spread, and a kill-switch that survives an outage: lose the hub and embassies stop, never run ungoverned.

Zero inbound ports

Embassies dial out — the customer VPC opens nothing. Each one cryptographically authenticates to register (Ed25519 · SHA-384 · replay-proof), so no rogue node joins the fleet. The smallest possible network footprint inside someone else's environment.

One-command deploy

L6 Docker + tier-dialed Helm + Terraform land an embassy into the customer's own EKS/k8s (BYOC). Minutes, not a services engagement.

Provable controls, signed artifacts, a gated pipeline, and HA — the table stakes most "AI" vendors skip. The detailed runbook ships with the deployment, under NDA.

Resilience & residency

Lose a server, a zone, a whole region — governance never blinks.

The control plane runs active/active across regions. An outage costs you availability, never control — and your data never leaves the jurisdiction it's bound to.

No single point of failure

Active/active across regions. Embassies dial out and auto-reconnect to the nearest healthy region — a whole region can go dark and the fleet keeps running, governed.

Fail-closed, never fail-open

The guarantee no one else makes. If the control plane is ever unreachable, the agent stops — it never runs ungoverned. The customer's Recall holds even when the hub is down. An outage degrades uptime, not safety.

Host where the law requires

Deploy in the jurisdiction your data must live in: AWS GovCloud (US) for federal / DoD, AWS EU regions for GDPR data residency. Active/active across the regions you're allowed to use.

For a regulated buyer, "it stays up" is table stakes. "It fails safe, and it never leaves my jurisdiction" is the part that closes the deal.

It's not a pitch deck. It runs.