CUSTODIAN
Autonomous Spend Authority
NemoClaw kernel sandbox
Nous Hermes Agent
Stripe real PaymentIntents

The first AI agent you can hand a real wallet to.

Custodian is the trust layer underneath: kernel-enforced authority, not a promise in a prompt. The agent itself cannot exceed its limit or approve its own escalation — even if it tries. Below: a real agent — protecting ArgoBox, a real production homelab — proving it, live.
AUTHORITY — · PER-ACTION — · SESSION — · ENFORCED AT KERNEL LEVEL
How the kernel actually stops the AI: Nemotron 3 Super has no direct access to Stripe or any payment API. The only way money moves is through spend.py — a script the kernel controls. Before touching Stripe, spend.py checks: Is the amount within the band? Is the kill switch off? Is the session cap intact? If any check fails, it returns DENIED and exits. The AI can think about spending $10,000 all it wants — without passing those checks, nothing happens. The door is the only path, and the door checks the rules before opening.
AGENT (Nemotron)
Decides to act. Calls spend.py — the only door to real money. Cannot call Stripe directly.
→
KERNEL (spend.py)
Checks band, cap, kill switch. If any fails → DENIED, no exceptions. No prompt or plea changes this.
→
HUMAN (SMS code)
Over-budget requests need a real one-time code from a separate device. The kernel cannot generate or intercept it.
Agents that get broad real access are unreliable today — not malicious, just unreliable. That's not a guess; it's what operators already running agents against real systems report firsthand. The question that actually matters isn't "will it make a mistake," it's "can a mistake cost real money." Custodian is the answer to that second question: a kernel-enforced ceiling an agent cannot talk its way past, with a real human out-of-band the only path beyond it. It's infrastructure for any team — an MSP, a fintech, anyone giving an agent real account access — that needs that guarantee before they'll let an agent near a real account at all.
OPS / INFRA — would this break something?
—
signal: —
source: live infrastructure API
—
FINANCE — is it worth the cost?
—
amount: —
artifact: —
—
SECURITY — does kernel policy allow it?
—
enforcement: kernel (Landlock + OPA)
artifact: —
—
Authority Band
—
Per-Action Cap
—
Autonomous Spend
—
Sandbox
checking…
Net (Real Revenue − Spend)
—
Live Audit Feed — Every spend, earn, refund, and kill-switch the AI agent triggers
What fills this feed: Every time the AI agent earns revenue, requests a spend, gets escalated for human approval, or hits the kill switch — each event lands here with a timestamp and the kernel's verdict. It's an append-only record; nothing can be edited or deleted after the fact.
To see it live: Open the Operator Panel and run through the steps — earn, spend, escalate, kill-switch, refund. Each action writes a real entry here within seconds.
No events yet — run the operator demo to populate this feed.
Kernel-Level Policy Log — What the enforcement layer actually decided (zero AI in this path)
What this is: Raw output from the deterministic enforcement kernel (NemoClaw / OpenShell). Every spend request goes through this layer before money moves — no AI involved. The kernel checks the amount against the agent's authority band, the session cap, and the kill-switch state, then logs ALLOW or DENY with a reason. The AI can't see this log, can't override it, and can't rewrite it.
Why it matters: This is proof that the guardrail is deterministic. Same request, same band, same answer — every time. An AI that lies about its intentions still gets the right verdict here.
No kernel activity yet — run a spend or kill-switch from the Operator Panel to see enforcement decisions logged here.
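The gate sequence described under "How the kernel actually stops the AI" and in the policy-log description above, written out as an added sketch; this is not Custodian's spend.py. The names `SpendGate` and `verify_chain`, the limits, the hash-chained log, the stored hash of the approval code and the choice to count approved spend against the session cap are all assumptions.

```python
import hashlib
import hmac
import json

class SpendGate:
    """Deterministic gate: verdicts depend only on policy and state, never on model output."""

    def __init__(self, band_cents, session_cap_cents, approval_code_hash=None):
        self.band = band_cents               # per-action authority band (constructed value)
        self.cap = session_cap_cents         # session cap (constructed value)
        self.code_hash = approval_code_hash  # SHA-256 of the one-time code; the code is never stored
        self.kill_switch = False
        self.spent = 0
        self.log = []                        # hash-chained audit records (assumed design)

    def _record(self, amount, verdict, reason):
        prev = self.log[-1]["digest"] if self.log else "0" * 64
        body = json.dumps([prev, amount, verdict, reason])
        self.log.append({"prev": prev, "amount": amount, "verdict": verdict,
                         "reason": reason,
                         "digest": hashlib.sha256(body.encode()).hexdigest()})
        return verdict

    def request(self, amount, approval_code=None):
        if self.kill_switch:
            return self._record(amount, "DENIED", "kill switch engaged")
        if not isinstance(amount, int) or amount <= 0:
            return self._record(amount, "DENIED", "invalid amount")
        if self.spent + amount > self.cap:
            return self._record(amount, "DENIED", "session cap exceeded")
        if amount > self.band:
            supplied = hashlib.sha256((approval_code or "").encode()).hexdigest()
            if self.code_hash is None or not hmac.compare_digest(supplied, self.code_hash):
                return self._record(amount, "DENIED", "over band, no valid human approval")
            self.code_hash = None            # one-time: the same code cannot be replayed
        self.spent += amount
        return self._record(amount, "ALLOW", "within policy")

def verify_chain(log):
    """Recompute every digest; an edited or deleted record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = json.dumps([prev, rec["amount"], rec["verdict"], rec["reason"]])
        if rec["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != rec["digest"]:
            return False
        prev = rec["digest"]
    return True
```

The gate only decides; what makes it "the only path" on the page is the sandbox denying the agent any other route to the payment API, which this sketch does not model.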
Try It Yourself — Live Decision Engine
Stripe — Live Account TEST MODE
⚠ ESCALATION — HUMAN APPROVAL REQUIRED
This exceeds the agent's autonomous authority band.
A one-time approval code has been dispatched to the human operator.
STEP 1/6
Nemotron 3 Super — live