The first AI agent you can hand a real wallet to.
Custodian is the trust layer underneath: kernel-enforced authority, not a promise in a prompt. The agent itself cannot exceed its limit or approve its own escalation — even if it tries. Below: a real agent — protecting ArgoBox, a real production homelab — proving it, live.
AUTHORITY —
·
PER-ACTION —
·
SESSION —
·
ENFORCED AT KERNEL LEVEL
How the kernel actually stops the AI: Nemotron Super 120B has no direct access to Stripe or any payment API. The only way money moves is through
spend.py — a script the kernel controls. Before touching Stripe, spend.py checks: Is the amount within the band? Is the kill switch off? Is the session cap intact? If any check fails, it returns DENIED and exits. The AI can think about spending $10,000 all it wants — without passing those checks, nothing happens. The door is the only path, and the door checks the rules before opening.
AGENT (Nemotron)
Decides to act. Calls spend.py — the only door to real Stripe. Cannot call Stripe directly.
→
KERNEL (spend.py)
Checks band, cap, kill switch. If any fails → DENIED, no exceptions. No prompt or plea changes this.
→
HUMAN (SMS code)
Over-budget requests need a real one-time code from a separate device. The kernel cannot generate or intercept it.
Why this exists
Agents that get broad real access are unreliable today — not malicious, just unreliable.
That's not a guess; it's what operators already running agents against real systems report
firsthand. The question that actually matters isn't "will it make a mistake," it's
"can a mistake cost real money." Custodian is the answer to that second
question: a kernel-enforced ceiling an agent cannot talk its way past, with a real human
out-of-band the only path beyond it. It's infrastructure for any team — an MSP, a fintech,
anyone giving an agent real account access — that needs that guarantee before they'll let
an agent near a real account at all.
The same decision, seen from three angles
OPS / INFRA — would this break something?
—
signal:—
source:live infrastructure API
—
FINANCE — is it worth the cost?
—
amount:—
artifact:—
—
SECURITY — does kernel policy allow it?
—
enforcement:kernel (Landlock + OPA)
artifact:—
—
Authority right now
Authority Band
—
Per-Action Cap
—
Autonomous Spend
—
Sandbox
checking…
Net (Real Revenue − Spend)
—
Live Audit Feed — Every spend, earn, refund, and kill-switch the AI agent triggers
What fills this feed: Every time the AI agent earns revenue, requests a spend, gets escalated for human approval, or hits the kill switch — each event lands here with a timestamp and the kernel's verdict. It's an append-only record; nothing can be edited or deleted after the fact.
To see it live: Open the Operator Panel and run through the steps — earn, spend, escalate, kill-switch, refund. Each action writes a real entry here within seconds.
⚡ Open Operator Panel →
To see it live: Open the Operator Panel and run through the steps — earn, spend, escalate, kill-switch, refund. Each action writes a real entry here within seconds.
⚡ Open Operator Panel →
No events yet — run the operator demo to populate this feed.
Kernel-Level Policy Log — What the enforcement layer actually decided (zero AI in this path)
What this is: Raw output from the deterministic enforcement kernel (NemoClaw / OpenShell). Every spend request goes through this layer before money moves — no AI involved. The kernel checks the amount against the agent's authority band, the session cap, and the kill-switch state, then logs ALLOW or DENY with a reason. The AI can't see this log, can't override it, and can't rewrite it.
Why it matters: This is proof that the guardrail is deterministic. Same request, same band, same answer — every time. An AI that lies about its intentions still gets the right verdict here.
Why it matters: This is proof that the guardrail is deterministic. Same request, same band, same answer — every time. An AI that lies about its intentions still gets the right verdict here.
No kernel activity yet — run a spend or kill-switch from the Operator Panel to see enforcement decisions logged here.
Try It Yourself — Live Decision Engine
Stripe — Live Account TEST MODE
Fetching live Stripe data…