CUSTODIAN
Autonomous Spend Authority
Built with NVIDIA Nemotron Nous Research · Hermes stripe
NemoClaw kernel sandbox
Nous Hermes Agent
Stripe real PaymentIntents

The first AI agent you can hand a real wallet to.

Custodian is the trust layer underneath: kernel-enforced authority, not a promise in a prompt. The agent itself cannot exceed its limit or approve its own escalation — even if it tries. Below: a real agent — protecting ArgoBox, a real production homelab — proving it, live.
AUTHORITY · PER-ACTION · SESSION · ENFORCED AT KERNEL LEVEL
▶ Watch the agent get lied to — and caught
Interactive 60-second walkthrough. A real refund-fraud case: a customer invents a story to get money back, the AI agent recommends approve — and the kernel overrides it anyway. It runs the live decision engine (flip on real Nemotron in the page if you want to watch the model reason in real time). Opens in a new tab.
AGENT
Requests money movement. Can never approve its own escalation.
KERNEL
Deterministic policy decides. No prompt, no plea, ever changes the verdict.
HUMAN
Real out-of-band code, on a separate device, is the only way past the agent's limit.
Why this exists
Agents that get broad real access are unreliable today — not malicious, just unreliable. That's not a guess; it's what operators already running agents against real systems report firsthand. The question that actually matters isn't "will it make a mistake," it's "can a mistake cost real money." Custodian is the answer to that second question: a kernel-enforced ceiling an agent cannot talk its way past, with a real human out-of-band the only path beyond it. It's infrastructure for any team — an MSP, a fintech, anyone giving an agent real account access — that needs that guarantee before they'll let an agent near a real account at all.
The same decision, seen from three angles
OPS / INFRA — would this break something?
signal:
source:10.0.0.199:8093 (real infra API)
FINANCE — is it worth the cost?
amount:
artifact:
SECURITY — does kernel policy allow it?
enforcement:kernel (Landlock + OPA)
artifact:
Authority right now
Authority Band
Per-Action Cap
Autonomous Spend
Sandbox
checking…
Net (Real Revenue − Spend)
Explore it live
Four live views of the same system — the real audit feed, the raw kernel policy log, a sandbox you can drive yourself, and the real Stripe account the agent pays into. Click a tab:
Live Audit Feed — Ops Decisions & Spend
Waiting for events…
Kernel-Level Policy Enforcement — Raw OCSF Log (NemoClaw / OpenShell)
Waiting for sandbox activity…
Try It Yourself — Live Decision Engine
This calls the real decide() function from custodian/policy/evaluator.py, live, against an isolated sandbox state. Nothing here ever touches real money, sends a real SMS, or affects the live data shown above.
These mirror the exact scenarios in the real live demo arc -- same real decide() engine, simulated state.
The real kill switch is an operator-only control (custodian kill / custodian resume via CLI) — not a public button on real production state, the same way a real company wouldn't expose a "disable our safety system" button to random visitors. Check the box above to see the exact same override logic run safely against the isolated demo state instead.
Reading real-time state from the NemoClaw sandbox · refreshes every 3s
Stripe — Live Account TEST MODE
Every spend on this page is a real Stripe PaymentIntent created against Stripe's actual API — same API, same objects, same dashboard a production integration uses. Test mode means no real funds settle; everything else is real. Click any payment ID to open the exact object on Stripe's own dashboard and verify it yourself.
Total processed
Payments succeeded
Largest single payment
Account
Balance — available
Balance — pending
Recent PaymentIntents
Loading real Stripe data…
Powered by Stripe · Open the full account on Stripe ↗
⚠ ESCALATION — HUMAN APPROVAL REQUIRED
This exceeds the agent's autonomous authority band.
A one-time approval code has been dispatched to the human operator.
STEP 1/6
Nemotron 3 Super — live