Deterministic control for irreversible execution

MNDe builds boundaries. Boundaries decide if execution proceeds. Refusal happens before damage, cost, or commitment.

Refuse execution by policy

Release only with explicit authorization

Produce audit ready decision receipts

Fail closed under uncertainty

Default state: REFUSE. Release requires proof.

Open contact View calculator

MNDe sits between intent and execution

Systems accept requests. Requests become actions.

MNDe inserts a boundary.

The boundary evaluates an intent against policy.

If policy fails, execution stops.

If policy passes, release occurs once, then ends.

Intent in

A structured intent describes one action. The intent stays stable. Unknown fields fail.

Decision

Policy evaluates the intent. Output equals allow or refuse. Timeout equals refuse.

Execution out

Release occurs once. Logs include refusal reason codes or release proof.

Deployment points

Place MNDe at the last safe point before irreversible execution.

Schedulers

Control GPU jobs, batch runs, and queue admissions with a refuse first boundary.

CI and release

Block deploys, migrations, and privileged scripts until intent and policy match.

Robotics and automation

Gate motion, actuation, and process start. Refuse on missing preconditions.

Data movement

Gate deletion, export, and irreversible transforms. Require explicit release authority.

Products

Orbit

A deterministic intent format for one action.

•Fixed schema versioning.
•Cryptographic signing support in spec.

Output artifact:

Intent JSON plus signature.

ARMS

A release authority mechanism with fail closed behavior.

•Armed then released lifecycle.
•One time release tokens with expiry.

Output artifact:

Release record with token id.

ACRL

A refusal layer for GPU and compute execution.

•Deny execution without budget owner and limits.
•Block idle, oversized, or untagged work.

Output artifact:

Refusal receipt with reason code.

RIP

Receipts and immutable proofs for decisions.

•Signed decision receipts.
•Stable reason code taxonomy.

Output artifact:

Receipt bundle, json plus hash chain.

ACRL calculator

Estimate waste eliminated through refusal rules. Outputs align with operators and finance.

Cluster GPU count

Average GPU hourly cost ($)

Average utilization percent (%)

Idle percent of allocated time (%)

Over request percent (%)

Unowned jobs percent (%)

Enforcement coverage percent (%)

Annual GPU hours

560,640

GPU count * 24 * 365

Allocated hours

291,532.8

Annual GPU hours * utilization %

Waste hours

142,851.072

Allocated hours * Σ(waste categories) %

Prevented waste hours

99,995.75

Waste hours * coverage %

Annual dollars saved

$274,988.31

Prevented waste hours * avg cost

Equivalent GPUs freed

11.42

Prevented waste hours / 24 / 365

Refusal drivers

Idle allocation refusal
Over-request normalization
Unowned workload eviction

What you receive

MNDe produces proofs. Proofs support audits, incidents, and change control.

Refusal receipt

Reason code, policy id, intent hash, timestamp, signer id.

Release record

Release token id, expiry, intent hash, policy id, signer id.

Change trace

Policy version, diff hash, approval ids, activation time.

Security posture

Fail closed on parse errors.
Fail closed on timeouts.
No silent policy edits.
Signed policy bundles.
Stable reason code set.
Receipt hashes for tamper evidence.
Minimal data retention by default.
Operator override requires one time signed token.

FAQ

Q: What problem does MNDe solve

A: Irreversible actions run without sufficient checks. MNDe blocks execution until policy passes.

Q: What changes for operators

A: Operators gain a single boundary. The boundary returns allow or refuse with proof.

Q: What happens during failure

A: The boundary refuses. Systems stay safe. Recovery uses explicit override tokens.

Q: How does MNDe reduce cost

A: ACRL refuses waste patterns. Examples include idle allocation, oversized requests, missing ownership, missing limits.

Q: What data does MNDe store

A: Only intents, decisions, and receipts. Payload content stays out unless policy requires fields.

Q: How does adoption start

A: Start with one queue or one pipeline. Enforce tags, limits, and ownership. Expand after stable results.

Q: What proof exists for audit

A: Signed receipts, stable reason codes, policy ids, and intent hashes.

Q: What stops bypass

A: Place MNDe at the last enforcement point. Track bypass paths. Enforce coverage expansion by policy.

Contact

Describe the boundary. Share the execution point. Provide one sample intent. Request a refusal taxonomy.