The first AI agent you can hand a real wallet to.
Custodian is the trust layer underneath: kernel-enforced authority, not a promise in a prompt. The agent itself cannot exceed its limit or approve its own escalation — even if it tries. Below: a real agent — protecting ArgoBox, a real production homelab — proving it, live.
AUTHORITY —
·
PER-ACTION —
·
SESSION —
·
ENFORCED AT KERNEL LEVEL
Why this exists
Agents that get broad real access are unreliable today — not malicious, just unreliable.
That's not a guess; it's what operators already running agents against real systems report
firsthand. The question that actually matters isn't "will it make a mistake," it's
"can a mistake cost real money." Custodian is the answer to that second
question: a kernel-enforced ceiling an agent cannot talk its way past, with a real human
out-of-band the only path beyond it. It's infrastructure for any team — an MSP, a fintech,
anyone giving an agent real account access — that needs that guarantee before they'll let
an agent near a real account at all.
The same decision, seen from three angles
OPS / INFRA — would this break something?
—
signal:—
source:10.0.0.199:8093 (real infra API)
—
FINANCE — is it worth the cost?
—
amount:—
artifact:—
—
SECURITY — does kernel policy allow it?
—
enforcement:kernel (Landlock + OPA)
artifact:—
—
Authority right now
Authority Band
—
Per-Action Cap
—
Autonomous Spend
—
Sandbox
checking…
Live Audit Feed — Ops Decisions & Spend
Waiting for events…
Kernel-Level Policy Enforcement — Raw OCSF Log (NemoClaw / OpenShell)
Waiting for sandbox activity…
Try It Yourself — Live Decision Engine