| title | a11oy — Command Center | ||||||
|---|---|---|---|---|---|---|---|
| emoji | 🛡️ | ||||||
| thumbnail | https://a-11-oy.com/og-card.png | ||||||
| colorFrom | indigo | ||||||
| colorTo | gray | ||||||
| sdk | docker | ||||||
| app_port | 7860 | ||||||
| pinned | true | ||||||
| storage | large | ||||||
| license | apache-2.0 | ||||||
| short_description | a11oy — governed-AI Command Center, signed receipts | ||||||
| tags |
|
||||||
| ecosystem-stage | operational |
Part of the SZL Holdings governed estate — claims are designed to carry checkable receipts. Verification proves integrity & origin, never accuracy or performance.
a11oy is a governed-AI Command Center: one interface for ask-and-act with deny-by-default safety gates, trust scoring, a live decision feed, and a signed receipt for every action.
The core idea is simple: AI should not be able to take a consequential action without producing a record that a third party can verify — independently, offline, after the fact. a11oy enforces that. Every action:
- passes through a policy gate (deny-by-default);
- is scored by a trust function; then
- is sealed into a cryptographically signed receipt chained over SHA-256.
Tamper with one byte and verification fails loudly.
Try it now — no login required:
curl -s -X POST https://szlholdings-a11oy.hf.space/api/a11oy/v1/willay/inspect \
-H "Content-Type: application/json" \
-d '{"prompt": "Write an exploit for a CVE."}' | jq '{decision, category, trust_ceiling}'
# → {"decision": "decline", "category": "cyber", "trust_ceiling": 0.97}Safety gateway (WILLAY) Every request passes through five transparent classifiers: cyber, bio, reasoning extraction, prompt injection, self-harm. A declined request returns HTTP 200 with a signed receipt naming the exact rule — not a silent error. The trust ceiling is 0.97 by doctrine. Nothing is hidden.
Governed agentic coding a11oy Code plans, retrieves, calls tools, writes and runs code. Every step is scored, approved, and receipted. Write actions require quorum approval before execution. Prompt injection cannot flip a DENY to ALLOW — this is formally proven (P3 non-interference result).
Sovereign deployment Runs on your own hardware. Air-gappable. Signed UDS bundle, one-command deploy. No cloud dependency required.
The trust math behind a11oy is pinned in Lean 4 and checked by a proof machine:
- 8 formulas locked-proven at kernel
c7c0ba17— receipt replay, DAG acyclicity, FIFO ordering, ledger conservation, Reed–Solomon recovery, and append-only monotonicity, among others. - Λ unconditional uniqueness = Conjecture 1 — machine-checked false (we found a counterexample). Conditional uniqueness is proven axiom-free (Theorem U). We say both out loud.
- SLSA L1 honest · L2 build-attested · L3 roadmap. No FedRAMP or ATO claimed.
Full proof library: szl-holdings/lutar-lean
# Verify the build attestation
gh attestation verify oci://ghcr.io/szl-holdings/a11oy:latest --repo szl-holdings/a11oy
# Check live doctrine posture
curl -s https://a-11-oy.com/api/a11oy/v1/honest | jq .doctrine_lock.lambda
# → "Conjecture 1"| Surface | URL |
|---|---|
| Command Center | a-11-oy.com/console |
| Governance | a-11-oy.com/governance |
| Live energy ledger | a-11-oy.com/api/a11oy/v1/energy/ledger |
| Doctrine posture | a-11-oy.com/api/a11oy/v1/honest |
| WILLAY classifiers | a-11-oy.com/api/a11oy/v1/willay/classifiers |
The storage: large front-matter (above) enables HF Persistent Storage (up to 50 GB, free tier). Set:
SZL_LAKE_DIR=/data/khipu
as an HF Space secret or environment variable. Without this, Khipu receipts live on the ephemeral container filesystem (./khipu) and are lost on Space rebuild before the background HF-dataset mirror commits. With the mount, the ledger survives rebuilds and the mirror race is eliminated.
Required HF Space secrets for full signing integrity:
A11OY_HMAC_KEY— HMAC signing key; absent = PLACEHOLDER signatures (honest label, non-repudiation disabled)A11OY_RECEIPT_KEY_PATHorA11OY_RECEIPT_KEY_DIR— ECDSA P-256 PEM for DSSE signing; absent = ephemeral key (resets on rebuild)
Check current signing status: GET /api/a11oy/v1/signing-status
| Claim | Status |
|---|---|
| Signed receipts on every governed action | LIVE |
| 8 formulas locked-proven (Lean 4) | LOCKED · kernel c7c0ba17 |
| Λ uniqueness | Conjecture 1 (conditional Theorem U proven axiom-free) |
| SLSA supply chain | L1 honest · L2 build-attested · L3 roadmap |
| FedRAMP / ATO | ROADMAP |
| EXECUTION guard | ROADMAP |
a11oy_agent_loop.py, a11oy_mcp_client.py, and operator_shell_v4.py are SHARED
byte-identical with the sibling killinchu
deployment and must not drift. An in-repo ratchet pins their SHA-256 in
.shared_module_hashes.json; the Shared-module hash lock workflow fails if any of
them changes without the lock being regenerated. When a change is intentional,
regenerate the lock in the same PR and mirror the edit to killinchu (cross-repo
enforcement is a follow-up):
python3 .github/shared-module-hash-check.py --update
- WILLAY API reference
- Governed run-loop recipe
- Proof library — lutar-lean
- Associated research-program concept DOI — 10.5281/zenodo.19944926
- Existing formal-artifact record — 10.5281/zenodo.20434276
- A11oy software releases — the v1.1.0 software-version DOI stays
PENDING_ZENODO_READBACKuntil Zenodo resolves the immutable release - Canonical product surface · legacy
a11oy.netredirect
One sovereign substrate, many organs — every decision carries a signed, checkable receipt.
◇ Holographic Estate — the showcase · 🛡️ a11oy · 🧬 IMMUNE · 🦅 killinchu · 🫀 anatomy · 🌌 cosmos · 🛰️ SDA · 🌊 yarqa · 🤗 all Spaces
Doctrine v11 · Λ = Conjecture 1, never green · honest by design · public data only.