A deterministic, event-sourced autonomy operations console built for auditability, explainability, and human-governed autonomy.
This system is intentionally designed to meet the expectations of safety-critical, defense-adjacent, and infrastructure environments: replayable state, strict data contracts, explainable trust, and enforced human gates.
- Determinism first – same inputs produce the same outputs, byte-for-byte
- Event sourcing – all state is derived from an ordered event journal
- Explainability over opacity – no black-box scores without decomposition
- Human authority – autonomy is gated, not assumed
- Auditability – every decision, override, and rejection is recorded
This is:
- A replayable autonomy decision engine
- A governance and safety layer for multi-source systems
- An operator-legible trust and correlation fabric
This is not:
- A machine-learning training system
- A real-time control loop
- A UI-only dashboard
All system behavior is derived from:
- Pinned configuration snapshot (hashed)
- Ordered event envelopes
- Operator commands and decisions
A full system state can be rebuilt at any time using:
```python
rebuild_state(events, config)
```
This enables true replay, forensic analysis, and deterministic validation.
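A minimal sketch of what such a rebuild could look like, assuming events are dicts carrying a `source_id` and `payload` and state is a plain dict; the field names and reducer logic here are illustrative, not the project's actual schema:

```python
import hashlib
import json

def rebuild_state(events, config):
    """Fold an ordered event journal into state, deterministically.

    Illustrative sketch: real reducers would be richer, but the shape
    is the same -- state is a pure function of (events, config).
    """
    state = {
        # Pin the config by hashing its canonical serialization.
        "config_hash": hashlib.sha256(
            json.dumps(config, sort_keys=True).encode()).hexdigest(),
        "sources": {},
    }
    for tick, event in enumerate(events):
        src = state["sources"].setdefault(event["source_id"], {"count": 0})
        src["count"] += 1
        src["last_tick"] = tick  # logical time, never wall clock
    return state

# Same inputs -> identical state, byte-for-byte when serialized.
events = [{"source_id": "radar", "payload": {}},
          {"source_id": "gps", "payload": {}}]
config = {"threshold": 0.8}
s1 = rebuild_state(events, config)
s2 = rebuild_state(list(events), config)
assert json.dumps(s1, sort_keys=True) == json.dumps(s2, sort_keys=True)
```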
The system separates:
- Event time (source timestamps)
- Logical time (ticks / ordering)
- Wall clock time (display only)
Wall-clock time never influences state.
Replay guarantees:
Given the same inputs and config, the system will reproduce the same outputs exactly.
Trust is computed as a weighted composition of:
- Freshness
- Schema validity
- Dropout reliability
- Drift detection
- Operator manual penalties
Each trust update includes:
- Component breakdown
- Delta from prior state
- Blame attribution (why trust changed)
This turns trust from a number into a diagnosable signal.
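One way to sketch this decomposition, with hypothetical component names and weights (the real system's components and weighting are its own):

```python
def compute_trust(components, weights):
    """Weighted trust score with per-component blame attribution.

    Illustrative sketch: components and weights are assumed to be
    dicts keyed by the same names, values in [0, 1].
    """
    score = sum(weights[k] * components[k] for k in weights)
    score = max(0.0, min(1.0, score))  # score boundedness in [0, 1]
    # Blame: each component's weighted shortfall, largest first,
    # so a trust drop is diagnosable rather than opaque.
    blame = sorted(
        ((k, weights[k] * (1.0 - components[k])) for k in weights),
        key=lambda kv: kv[1], reverse=True)
    return score, blame

components = {"freshness": 0.9, "schema": 1.0, "dropout": 0.6,
              "drift": 0.8, "manual_penalty": 1.0}
weights = {"freshness": 0.3, "schema": 0.25, "dropout": 0.2,
           "drift": 0.15, "manual_penalty": 0.1}
score, blame = compute_trust(components, weights)
# blame[0] names the component responsible for the largest trust loss
```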
All events are wrapped in a versioned envelope:
```text
EventEnvelope {
  source_id
  event_ts
  ingest_tick
  schema_version
  payload
}
```
Validation outcomes:
- Accepted – safe for autonomy
- Quarantined – unsafe for autonomy, preserved for analysis
- Rejected – malformed or unusable
Schema drift and validation failures are explicitly audited.
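A sketch of the envelope and its three-way validation outcome, using a plain dataclass; the field types, supported schema set, and validation rules are assumptions for illustration:

```python
from dataclasses import dataclass
from typing import Any

SUPPORTED_SCHEMAS = {1, 2}  # assumed supported versions, illustrative

@dataclass(frozen=True)
class EventEnvelope:
    source_id: str
    event_ts: float        # source timestamp (event time)
    ingest_tick: int       # logical time assigned at ingest
    schema_version: int
    payload: Any

def validate(envelope):
    """Return 'accepted', 'quarantined', or 'rejected' (sketch)."""
    if not envelope.source_id or envelope.ingest_tick < 0:
        return "rejected"      # malformed or unusable
    if envelope.schema_version not in SUPPORTED_SCHEMAS:
        return "quarantined"   # unsafe for autonomy, preserved for analysis
    return "accepted"          # safe for autonomy

ok = EventEnvelope("radar", 1712.5, 42, 1, {"range_m": 830})
drifted = EventEnvelope("radar", 1712.6, 43, 9, {})
assert validate(ok) == "accepted"
assert validate(drifted) == "quarantined"
```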
Correlation is computed using:
- Per-source watermarks
- Rolling lag estimation
- Time-aligned windows (not raw ticks)
This allows the system to tolerate:
- Jitter
- Late arrival
- Out-of-order events
And still reason correctly about cross-source behavior.
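The watermark idea can be sketched as follows, assuming a fixed lag bound per source (the real system estimates lag on a rolling basis; `max_lag` and the function names here are illustrative):

```python
def update_watermark(watermarks, source_id, event_ts, max_lag=2.0):
    """Advance a per-source watermark; tolerate late / out-of-order events.

    Sketch: the watermark never regresses, and the 'safe' point trails
    the newest seen timestamp by an assumed lag bound, so slightly late
    events still land inside an open window.
    """
    newest = max(watermarks.get(source_id, float("-inf")), event_ts)
    watermarks[source_id] = newest
    return newest - max_lag  # all earlier events are assumed to have arrived

def aligned_window(watermarks, width=1.0, max_lag=2.0):
    """A cross-source window closes only when every source's watermark passes it."""
    safe = min(ts - max_lag for ts in watermarks.values())
    return (safe - width, safe)

wm = {}
update_watermark(wm, "gps", 10.0)
update_watermark(wm, "radar", 12.0)
update_watermark(wm, "radar", 11.5)  # out-of-order: watermark does not regress
lo, hi = aligned_window(wm)
assert wm["radar"] == 12.0
assert hi == 8.0  # bounded by the slowest source (gps)
```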
Human decisions are not advisory — they are state-enforcing.
Policies can require:
- Operator approval below integrity thresholds
- Mandatory decisions for specific action classes
- Degraded autonomy under high operator load
Manual mode changes alter the set of allowed state transitions — they are not just labels.
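A gate of this kind might look like the following sketch; the threshold, action classes, and return shape are assumptions, but the point is that the gate returns an auditable reason, never a silent veto:

```python
def gate_action(action, integrity, operator_approved,
                min_integrity=0.7,
                mandatory_classes=frozenset({"escalate", "engage"})):
    """Enforce human gates as state, not advice (illustrative policy).

    Returns (allowed, reason) so every rejection is recordable.
    """
    if action in mandatory_classes and not operator_approved:
        return False, "mandatory operator decision missing"
    if integrity < min_integrity and not operator_approved:
        return False, f"integrity {integrity:.2f} below threshold, approval required"
    return True, "gate passed"

assert gate_action("observe", 0.9, False) == (True, "gate passed")
assert gate_action("escalate", 0.9, False)[0] is False
allowed, reason = gate_action("observe", 0.5, False)
assert not allowed and "approval required" in reason
```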
Every run produces a replay capsule containing:
- Config snapshot + hash
- Full event journal
- Decisions and overrides
This capsule can be shared, replayed, and independently verified.
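Independent verification falls out of hashing a canonical serialization of the capsule body. A minimal sketch (field names illustrative):

```python
import hashlib
import json

def build_capsule(config, events, decisions):
    """Bundle a run into a self-verifying capsule (illustrative fields)."""
    body = {"config": config, "events": events, "decisions": decisions}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"body": body,
            "capsule_hash": hashlib.sha256(canonical.encode()).hexdigest()}

def verify_capsule(capsule):
    """Recompute the hash; any tampering with the body is detectable."""
    canonical = json.dumps(capsule["body"], sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest() == capsule["capsule_hash"]

cap = build_capsule({"v": 1}, [{"source_id": "gps"}], [{"op": "approve"}])
assert verify_capsule(cap)
cap["body"]["decisions"].append({"op": "tamper"})
assert not verify_capsule(cap)  # tampering is detectable
```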
The system is designed to support:
- Determinism property tests
- Score boundedness checks
- Monotonicity guarantees
- Governance invariants (no action without insight, no escalation without gate)
A system without tests is a demo. This is built to be inspected.
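A determinism-plus-boundedness property test can be sketched without any test framework, using a seeded RNG over a toy score (the score function here is illustrative, not the system's):

```python
import random

def trust_score(components, weights):
    """Toy weighted score for property testing (illustrative)."""
    s = sum(weights[k] * components[k] for k in weights)
    return max(0.0, min(1.0, s))

def test_boundedness_and_determinism(trials=1000, seed=7):
    rng = random.Random(seed)
    keys = ["freshness", "schema", "dropout"]
    for _ in range(trials):
        c = {k: rng.uniform(-1, 2) for k in keys}  # deliberately out-of-range inputs
        w = {k: rng.uniform(0, 1) for k in keys}
        s1 = trust_score(c, w)
        s2 = trust_score(dict(c), dict(w))
        assert 0.0 <= s1 <= 1.0   # score boundedness, even on bad inputs
        assert s1 == s2           # determinism: same inputs, same output

test_boundedness_and_determinism()
```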
```shell
pip install streamlit plotly numpy pandas pydantic
streamlit run app.py
```

If pydantic is unavailable, the app runs in degraded validation mode with explicit warnings.
This project is intended as:
- A reference autonomy governance layer
- A portfolio artifact demonstrating safety-grade thinking
- A foundation for infra, robotics, or defense-adjacent systems
It is deliberately conservative by design.
Autonomy without governance is just automation.
This system treats human authority as a first-class control surface, not an afterthought.
MIT (or replace with your preferred license)