Alpha Guide
You are looking at the closed-alpha cut of LYDOS — the same build that runs the production systems behind lydos.ailydian.com. This page is the operator-grade map of what is shipped, what is alpha, and how to drive the new control surfaces. Public marketing pages stay conservative; this guide reflects the current backend.
Four pillars of this build
Sovereign Stack
13 engines (DPI, LocalSec, DPI-H, CC, FIN, LSSA, KSL, TUP, GCE, ASR, DSL, LSIA, GCI). 174/174 tests green at the 2026-04-17 ship.
Multi-Region Routing Logic (Q229)
Q229 routing + region heartbeat + GCE consistency + LSIA immunity. Failover chain ranks regions by live p95 + error rate. Deployment topology: single-region today (Helsinki), multi-region planned Q4 2026.
IPO Governance
Approval workflow (4 risk tiers, role-diverse quorum, KSL gate, LSIA veto). Hash-chained audit on insert events. Tampering surfaces in /audit/verify.
Reality Stress
30-min × 30-user keep-alive sustained-load harness (scripts/reality_stress.py). Last verdict: STABLE — 296,903 reqs, p95 10ms, errors 0.02%.
Capability matrix
Every surface below is implemented in this build. GAmeans production-ready; ALPHA means the contract is real but may sharpen before the next minor release.
| Capability | Surface | Status | Notes |
|---|---|---|---|
| DPI quorum decisions | /api/dpi/* | GA | 2/3 multi-node consensus, hash-chained audit |
| On-device security | /api/local-security/* | GA | Device-bound JWT, signed artifacts |
| DPI key hierarchy | /api/dpi/hardening/* | GA | Root → intermediate → node keys |
| Confidential compute | /api/cc/* | GA | Secrets sealed to enclave measurements |
| Double-entry ledger | /api/{ledger,finance}/* | GA | Per-transaction proof, immutable journal |
| 10-layer sovereign (LSSA) | /api/lssa/* | GA | Hardware root → trust graph |
| Key Sovereignty (KSL) | /api/ksl/* | GA | Private keys never leave device |
| Trusted updates (TUP) | /api/tup/* | GA | Signature + hash + role-diverse quorum |
| Cross-node consistency | /api/gce/* | GA | Drift detect → degraded mode |
| Autonomous defense (ASR) | /api/asr/* | GA | Hash-chained decisions, isolation, no counter-attack |
| Default Settlement | /api/settlement/* | GA | signed + approved + proven = settled |
| Immunity (LSIA) | /api/immunity/* | GA | Quarantine, veto, sacrifice — overrides all |
| Global Brain (GCI) | /api/gci/* | GA | Privacy-preserving pattern consensus |
| /control/infra panel | /control/infra/* | ALPHA | Q229 + heartbeat + LSIA mode + traffic |
| /control/governance panel | /control/governance/* | ALPHA | ASR + FIN + Q186 ADR + Q226 SOC2 + Q202 + TUP |
| Approval workflow | /control/governance/approvals/* | ALPHA | 4 risk tiers, role-diverse quorum, KSL gate |
| Region heartbeat | (middleware + 15s writer) | ALPHA | Rolling p95/error window, drives failover |
| Public health probes | /control/{infra,governance}/health | STABLE | No-auth, feeds external load balancers |
| Q229 multi-region routing logic (deployment topology pending Q4 2026) | /api/q229/regions/* | GA | 5 routing strategies, Haversine geo — single-region today (logic only) |
| Q226 SOC 2 readiness | /api/q226/soc2/* | GA | 25 TSC controls, evidence collection |
| Q186 AI decision records | /api/q186/adr/* | GA | EU AI Act compliance, immutable audit |
| Q202 EU AI Act compliance | /api/q202/eu-ai-act/* | GA | Risk classification, sector profiles |
| Q158 autonomous engineering | (systemd --user) | GA | 47 engineers, 24/7 surgical fixes |
Five-minute smoke walkthrough
Authenticate as a super-admin or auditor, then run these calls against the production VPS. Health probes work with no token — feed them straight into your external load balancer.
1 · Public liveness (no auth)
curl -s https://lydos.ailydian.com/control/infra/health | python3 -m json.tool
# {"status":"healthy","region":"...","node":"...","self":{"available":true,"p95_ms":...,"error_rate_pct":...}}
curl -s https://lydos.ailydian.com/control/governance/health | python3 -m json.tool
# {"status":"healthy","approval_chain":true,"asr_chain":true}2 · Unified multi-region routing-logic panel (single-region today, deployment Q4 2026 planned)
TOKEN="..." # super_admin JWT
curl -s -H "Authorization: Bearer $TOKEN" \
https://lydos.ailydian.com/control/infra | python3 -m json.tool
# self heartbeat • fleet rollup • failover_chain • registry •
# routing_strategies • immunity_mode • system_risk • asr_posture
curl -s -H "Authorization: Bearer $TOKEN" \
https://lydos.ailydian.com/control/infra/failover | python3 -m json.tool
# Available regions ranked by live p95; unavailable appended (non-routable)3 · Open and complete an approval
# Open (auto-classifies risk; LSIA veto runs at request time)
curl -s -X POST https://lydos.ailydian.com/control/governance/approvals \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"action_type": "deploy_production",
"action_payload": {"version":"v12.3.0","manifest_hash":"…"},
"requester_id": "ops-1"
}' | python3 -m json.tool
# → {"approval_id":"appr_…","status":"pending","risk_level":"high",
# "quorum_required":3,"roles_required":["security","ops","finance"],
# "ksl_required":true,"audit_seq":N,"audit_hash":"…"}
# Vote (high-risk requires KSL signature)
curl -s -X POST https://lydos.ailydian.com/control/governance/approvals/$ID/vote \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"voter_id":"sec-lead",
"voter_role":"security",
"vote":"approve",
"rationale":"Manifest signed, binary hash matches",
"signature":"<KSL device signature>"
}' | python3 -m json.tool
# Mark executed once production state has actually changed
curl -s -X POST https://lydos.ailydian.com/control/governance/approvals/$ID/execute \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"executor_id":"deploy-bot","outcome":"success"}'4 · Verify the audit chain
curl -s -H "Authorization: Bearer $TOKEN" \
https://lydos.ailydian.com/control/governance/audit/verify | python3 -m json.tool
# {"approval_chain":{"ok":true,"rows":N,"broken":[],"head_hash":"…"},
# "asr_chain": {"ok":true,...}}status, decision_reason, and decided_at on the same row but never rewrite audit_seq. Any tampering surfaces here.What happens when things go wrong
LSIA in CRITICAL_LOCKDOWN
should_veto() overrides every layer (KURAL 22). Approval requests opened during lockdown are persisted with status vetoed and decision_reason="lsia_veto:<reason>". The chain still records the attempt — it does not pretend the request never arrived.
A region drops below the health threshold
A region is unavailable when its rolling 60-second p95 ≥ 1000 ms or its error_rate ≥ 5%. The failover chain re-ranks on every read; routable regions are emitted first, sorted by p95 ascending. Q229's geo-proximity, latency, weighted-round-robin, sticky, and least-load strategies all see the same live availability bit, so a degraded region exits rotation immediately.
An approval expires
TTL defaults: low 4 h · medium 24 h · high 24 h · critical 6 h. Casting a vote against an expired approval finalises the row to status expired with reason ttl_expired. Workers calling check_approved_or_raise() get a PermissionError.
Known alpha limits
- Region heartbeat is per-process. Behind a multi-process gunicorn deployment each worker emits its own beacon; the rollup is correct but sample counts split across rows. Aggregate at the panel layer.
- KSL signature verification on approval votes is currently opt-in (signature presence is required for high/critical risk; cryptographic verification ships next).
- Multi-region writes still go to a single primary — the stack is read-replica-ready, but cross-region write quorum is GA on the roadmap, not in this cut.