Earned $0.00
·
Spent $0.00
·
Net $0.00
·
Margin

The first AI agent you can hand a real wallet to.

Custodian is the trust layer underneath: kernel-enforced authority, not a promise in a prompt. The agent itself cannot exceed its limit or approve its own escalation — even if it tries. Below: a real agent — protecting ArgoBox, a real production homelab — proving it, live.
AUTHORITY · PER-ACTION · SESSION · ENFORCED AT KERNEL LEVEL
How the kernel actually stops the AI: Nemotron Super 120B has no direct access to Stripe or any payment API. The only way money moves is through spend.py — a script the kernel controls. Before touching Stripe, spend.py checks: Is the amount within the band? Is the kill switch off? Is the session cap intact? If any check fails, it returns DENIED and exits. The AI can think about spending $10,000 all it wants — without passing those checks, nothing happens. The door is the only path, and the door checks the rules before opening.
AGENT (Nemotron)
Decides to act. Calls spend.py — the only door to real Stripe. Cannot call Stripe directly.
KERNEL (spend.py)
Checks band, cap, kill switch. If any fails → DENIED, no exceptions. No prompt or plea changes this.
HUMAN (SMS code)
Over-budget requests need a real one-time code from a separate device. The kernel cannot generate or intercept it.
Agents that get broad real access are unreliable today — not malicious, just unreliable. That's not a guess; it's what operators already running agents against real systems report firsthand. The question that actually matters isn't "will it make a mistake," it's "can a mistake cost real money." Custodian is the answer to that second question: a kernel-enforced ceiling an agent cannot talk its way past, with a real human out-of-band the only path beyond it. It's infrastructure for any team — an MSP, a fintech, anyone giving an agent real account access — that needs that guarantee before they'll let an agent near a real account at all.
OPS / INFRA — would this break something?
signal:
source:live infrastructure API
FINANCE — is it worth the cost?
amount:
artifact:
SECURITY — does kernel policy allow it?
enforcement:kernel (Landlock + OPA)
artifact:
Authority Band
Per-Action Cap
Autonomous Spend
Sandbox
checking…
Net (Real Revenue − Spend)
Live Audit Feed — Every spend, earn, refund, and kill-switch the AI agent triggers
What fills this feed: Every time the AI agent earns revenue, requests a spend, gets escalated for human approval, or hits the kill switch — each event lands here with a timestamp and the kernel's verdict. It's an append-only record; nothing can be edited or deleted after the fact.
To see it live: Open the Operator Panel and run through the steps — earn, spend, escalate, kill-switch, refund. Each action writes a real entry here within seconds.
⚡ Open Operator Panel →
No events yet — run the operator demo to populate this feed.
Kernel-Level Policy Log — What the enforcement layer actually decided (zero AI in this path)
What this is: Raw output from the deterministic enforcement kernel (NemoClaw / OpenShell). Every spend request goes through this layer before money moves — no AI involved. The kernel checks the amount against the agent's authority band, the session cap, and the kill-switch state, then logs ALLOW or DENY with a reason. The AI can't see this log, can't override it, and can't rewrite it.
Why it matters: This is proof that the guardrail is deterministic. Same request, same band, same answer — every time. An AI that lies about its intentions still gets the right verdict here.
No kernel activity yet — run a spend or kill-switch from the Operator Panel to see enforcement decisions logged here.
Try It Yourself — Live Decision Engine
Stripe — Live Account TEST MODE
Fetching live Stripe data…
⚠ ESCALATION — HUMAN APPROVAL REQUIRED
This exceeds the agent's autonomous authority band.
A one-time approval code has been dispatched to the human operator.
STEP 1/6
Nemotron Super 120B — live