docs.vantio.ai / operations-manual
Dashboard oracle.vantio.ai Enterprise
Ring-0 eBPF · RISC Zero zkVM · GCP Spanner WORM

The Vantio
Sovereign Protocol

Every AI safety system from OpenAI, Anthropic, and their derivatives is a Ring-3 text filter — a post-hoc shim on application-layer output. Vantio intercepts the syscall at Ring-0, before the host CPU completes a single clock cycle, and produces a zk-SNARK proof you can hand to a regulator.

1.4M+
Anomaly Records Sealed
<2ms
Oracle Decision Latency
100%
Cryptographically Proven
7yr
WORM Retention
Physics over Linguistics. No amount of prompt engineering bypasses a kernel hook. The Phantom Engine operates at __x64_sys_execve, __x64_sys_openat, __x64_sys_write, and the full destructive syscall surface — before the host kernel processes the operation.
01
The Phantom Engine
Aya eBPF hypervisor attached at the Linux LSM hook. Intercepts AI agent syscalls at Ring-0 and shunts execution into a Copy-on-Write Phantom Dimension.
02
The Oracle
RISC Zero zkVM loaded with your compiled governance policy. Evaluates agent intent in <2ms and generates a Groth16 zk-SNARK proof of its decision.
03
The Anomaly Record
WORM-sealed cryptographic receipt containing the zk-SNARK proof, agent SVID, raw syscall arguments, and a TrueTime-committed Spanner timestamp.

Quickstart

Install the SDK, set your key, and every AI agent call in your stack is governed by the Phantom Engine in under five minutes.

TypeScript / Node.js

npm install @vantio/sdk
export VANTIO_API_KEY=vsk_dev_xxxx
// Before — unshielded
const output = await agent.run(prompt);

// After — 2-line change
import { shield } from '@vantio/sdk';
const output = await shield(() => agent.run(prompt));

Python

pip install vantio-sdk
export VANTIO_API_KEY=vsk_dev_xxxx
from vantio import shield

@shield
async def run_agent(prompt: str) -> str:
    return await my_autogen_agent.run(prompt)

The Oracle UI at oracle.vantio.ai/dashboard shows your real-time Anomaly Record stream the moment the SDK is instrumented.

Part I — Core Physics

1.1 The Phantom Engine

The Phantom Engine is an Aya eBPF program compiled in no_std Rust and attached via bpf_prog_load to the Linux LSM and tracepoint/syscalls hooks. When an autonomous AI agent invokes a potentially destructive syscall, the engine performs the following atomically:

  1. Intercept — Raw syscall arguments are captured in the BPF RingBuf before kernel processing.
  2. CoW Fork — The process's memory mappings are shadowed using Copy-on-Write semantics. The agent continues executing inside the Phantom Dimension with zero perceived latency.
  3. Oracle Evaluation — The zkVM receives a serialized representation of the intent graph (syscall + arguments + execution context + agent SVID).
  4. Collapse or Permit — Either the phantom execution is terminated (host filesystem remains pristine) or the shadow is discarded and the real syscall proceeds.
AI Agent (LangChain / AutoGen / CrewAI / Bedrock) │ syscall issued ▼ ┌─────────────────────────────────────────────────┐ │ VANTIO eBPF HYPERVISOR [ Ring-0 ] │ │ • LSM hook intercept (execve / openat / write) │ │ • Copy-on-Write Phantom Dimension activated │ │ • RISC Zero zkVM Oracle evaluation < 2ms │ │ • Wave Function Collapse ──or── Permit │ │ • Anomaly Record → GCP Spanner TrueTime WORM │ └─────────────────────────────────────────────────┘ │ host kernel only sees permitted syscalls ▼ Production Reality — pristine.

1.2 The Oracle (RISC Zero zkVM)

The Oracle is the mathematical arbiter of agent intent. It runs a RISC Zero zero-knowledge virtual machine loaded with the enterprise's compiled Governance Policy Program — a deterministic Rust binary encoding allowed filesystem paths, network egress whitelists, destructive operation thresholds, and kill-switch state.

The zkVM produces a zk-SNARK proof of its decision. This proof is mathematically impossible to fabricate — breaking it requires breaking the underlying arithmetic circuit.

// vantio-oracle/src/main.rs (zkVM guest, no_std)
#![no_std]
#![no_main]

use risc0_zkvm::guest::env;
use vantio_hypervisor_common::{OracleInput, OracleDecision};

risc0_zkvm::guest::entry!(main);

fn main() {
    let input: OracleInput = env::read();
    let decision = evaluate_governance_policy(&input);
    env::commit(&decision);
}

fn evaluate_governance_policy(input: &OracleInput) -> OracleDecision {
    if input.is_destructive_syscall() && !input.agent_is_authorized() {
        OracleDecision::Collapse
    } else if input.kill_switch_active() {
        OracleDecision::KillSwitch
    } else {
        OracleDecision::Permit
    }
}

1.3 The Anomaly Record

Every Collapse event produces a WORM-sealed Anomaly Record:

FieldTypeDescription
record_idUUID v7Monotonic, time-ordered identifier
agent_svidSPIFFE X.509Cryptographic agent identity (SPIFFE/SPIRE)
syscall_nru32Raw Linux syscall number
syscall_args[u64; 6]Captured arguments (pre-execution)
oracle_decisionenumCollapse | Permit | KillSwitch
zk_proofbytesRISC Zero Groth16 proof blob
truetime_commitTrueTimeGCP Spanner TrueTime external consistency timestamp
entropy_nonce[u8; 32]CSRNG nonce sealing the record against replay

Records are written to GCP Spanner with InsertOrIgnore semantics. No UPDATE or DELETE IAM permissions exist on the anomaly_records table — immutability is enforced at the IAM layer, not the application layer.

Part II — Infrastructure

2.1 GCP Spanner — TrueTime WORM Ledger

Planetary-scale, externally consistent WORM storage for Anomaly Records. TrueTime provides bounded clock uncertainty; all timestamps are committed at PENDING_COMMIT_TIMESTAMP, guaranteeing total ordering across all global nodes without client-side clock skew.

# terraform/spanner.tf
resource "google_spanner_instance" "vantio_ledger" {
  name             = "vantio-ledger"
  config           = "regional-us-central1"
  display_name     = "Vantio TrueTime Ledger"
  processing_units = 1000  # 1 node baseline; autoscale to 10x under burst
}

resource "google_spanner_database" "anomaly_vault" {
  instance            = google_spanner_instance.vantio_ledger.name
  name                = "anomaly-vault"
  deletion_protection = true

  ddl = [<<-DDL
    CREATE TABLE anomaly_records (
      record_id       STRING(36)  NOT NULL,
      agent_svid      STRING(512) NOT NULL,
      syscall_nr      INT64       NOT NULL,
      oracle_decision STRING(32)  NOT NULL,
      zk_proof        BYTES(MAX)  NOT NULL,
      truetime_commit TIMESTAMP   NOT NULL
        OPTIONS (allow_commit_timestamp=true),
      entropy_nonce   BYTES(32)   NOT NULL,
    ) PRIMARY KEY (record_id),
    TTL INTERVAL '7 years' ON truetime_commit
  DDL]
}

# IAM: edge nodes are write-only — no DELETE/UPDATE granted anywhere
resource "google_spanner_database_iam_member" "edge_write_only" {
  instance = google_spanner_instance.vantio_ledger.name
  database = google_spanner_database.anomaly_vault.name
  role     = "roles/spanner.databaseUser"
  member   = "serviceAccount:${var.edge_node_sa}"
}

2.2 RISC Zero zkVM Proof Architecture

The Oracle binary is compiled to RISC-V ELF and loaded into the RISC Zero zkVM guest. The host (Vantio control plane) submits inputs via the guest's stdin journal and receives the Groth16 proof and receipt via the host journal.

The control plane verifies the Groth16 proof against the known image ID (a hash of the compiled Oracle binary). An Anomaly Record with an invalid proof is rejected by the Spanner write path — enforced by a Cloud Spanner commit interceptor running as a Cloud Function.

2.3 GKE Autopilot — Control Plane

The Vantio control plane (Rust/Axum monolith + Oracle UI) runs on GKE Autopilot for zero-ops node management. All containers use gcr.io/distroless/cc-debian12 — no shell, no package manager.

CI/CD Pipeline (Cloud Build on every merge to main):

  1. cargo build --release --target x86_64-unknown-linux-musl
  2. docker buildx build --platform linux/amd64 (distroless image)
  3. docker push gcr.io/vantio-prod/hypervisor:$SHORT_SHA
  4. terraform apply -auto-approve (infra drift correction)
  5. kubectl rollout restart deployment/vantio-apex (zero-downtime rolling deploy)

Part III — SDK Reference

TypeScript / Node.js — @vantio/sdk

npm install @vantio/sdk
import { VantioClient } from '@vantio/sdk';

const vantio = new VantioClient({
  apiKey:   process.env.VANTIO_API_KEY,
  endpoint: 'https://api.vantio.ai',
});

// Wrap any AI agent execution:
const result = await vantio.shield(async () => {
  return await myLangChainAgent.run(prompt);
});

// result.permitted  → boolean
// result.record_id  → string (Anomaly Record UUID if collapsed)
// result.proof      → string (zk-SNARK hex if collapsed)

Python — vantio-sdk

pip install vantio-sdk
from vantio import shield, VantioClient

client = VantioClient(api_key=os.environ["VANTIO_API_KEY"])

# Decorator pattern:
@shield(client=client)
async def run_agent(prompt: str) -> str:
    return await my_autogen_agent.run(prompt)

# Context manager pattern:
async with client.phantom_scope() as scope:
    result = await agent.run(prompt)
    # scope.record → AnomalyRecord | None

SDK Versioning Policy

Channelnpm tagPyPI classifierStability
StablelatestProduction/StableGA — backward-compatible
BetabetaBetaBreaking changes possible
DevdevDevelopment Status :: 2Internal use only

Part IV — Access & Authentication

Access Matrix

Vantio operates two fundamentally distinct access planes with no architectural overlap:

DimensionGrassroots DeveloperF500 Enterprise
Identity ProviderClerk / Auth0 OAuth 2.0SAML 2.0 / Okta / Entra ID
API Key Typevsk_dev_ (multi-tenant)vsk_ent_ (HSM-backed)
Deployment ModelVantio CloudIsolated VPC Monolith
Installationnpm install @vantio/sdkKubernetes Helm Chart
Kill-Switch AccessNoneCISO + secondary approver
SLABest-effort99.99% contractual
BillingFree tier (10K events/mo)Annual ARR license

Grassroots Developer Flow

  1. Registration — Visit oracle.vantio.ai/dashboard and sign in via GitHub, Google, or email. Clerk issues a JWT; the Axum backend provisions a developer-role account with a free-tier vsk_dev_ API key.
  2. API Key Issuance — Keys are generated as vsk_dev_<32-char-base58>. Stored in Spanner as HMAC-SHA256(key, server_secret). Plaintext shown once at creation. Rate-limited to 10,000 Anomaly Records/month.
  3. SDK Integration — Install the SDK, set VANTIO_API_KEY, and wrap agent calls with shield(). The dashboard at oracle.vantio.ai/dashboard shows your Anomaly Record stream in real-time.
  4. Semantic Failure Contribution — Free-tier usage feeds anonymized Semantic AI Failure Vectors into the Oracle training pipeline. No PII transmitted; syscall arguments are normalized to structural fingerprints before leaving the edge node.

Enterprise F500 Flow

SAML 2.0 / Okta Federation

Configure Vantio as a SAML 2.0 Service Provider in your Okta or Entra ID tenant. Vantio provides https://api.vantio.ai/saml/metadata as the SP metadata URL. Attribute mapping: email, groups (maps to Vantio RBAC roles), department.

Kubernetes Helm Deployment

helm repo add vantio https://charts.vantio.ai
helm repo update

helm install vantio-enterprise vantio/vantio-hypervisor \
  --namespace vantio-system \
  --create-namespace \
  --set global.apiKey=$VANTIO_ENT_KEY \
  --set global.tenantId=$TENANT_UUID \
  --set spanner.projectId=$GCP_PROJECT \
  --set spanner.instanceId=vantio-ledger \
  --set saml.idpMetadataUrl=https://your-okta.com/app/vantio/sso/saml/metadata \
  --set killSwitch.requireDualAuth=true \
  --set killSwitch.approvers[0].email=ciso@corp.com \
  --set killSwitch.approvers[1].email=vp-engineering@corp.com \
  -f values-enterprise.yaml

CISO RBAC Model

RolePermissions
cisoFull read/write; kill-switch (primary approver); RBAC management; compliance export
security-engineerFull read; kill-switch (secondary approver); no RBAC management
developerRead own agent's Anomaly Records only; no kill-switch; no compliance export
auditorRead-only all records; compliance export; no operational controls
agent-identityWrite-only (Anomaly Record ingest); no read; no UI access

Kill-Switch Protocol

The kill-switch is a hardware-enforced global halt on all AI agent executions:

  • Soft Kill — Sets kill_switch_active = true in the BPF map. The eBPF program returns OracleDecision::KillSwitch for every subsequent syscall. Agents are paused, not terminated.
  • Hard Kill — Sends SIGKILL to all processes tagged with the vantio_agent cgroup. Immediate termination. Anomaly Records are written for all in-flight executions.
Authorization required. Kill-switch activation requires cryptographic approval from two ciso/security-engineer role holders within a 5-minute window, implemented as a threshold signature (2-of-N) over the kill-switch command payload.

Appendix A — Security Posture Checklist

  • All secrets in GCP Secret Manager — never in environment variables or K8s Secrets plaintext
  • Workload Identity Federation — no long-lived service account keys
  • BPF programs signed with bpftool sign and verified against a pinned public key on load
  • All container images pass Sigstore/Cosign signature verification in the K8s admission webhook
  • Spanner IAM: no DELETE/UPDATE roles granted to any service account
  • Oracle UI CSP headers block all inline scripts and third-party origins
  • Kill-switch dual-auth window: 5 minutes. Expired approvals require re-authorization
  • Anomaly Records are append-only and replicated across 3 GCP regions minimum

Appendix B — Local Development

# Clone and build:
git clone https://github.com/vantio-ai/vantio-hypervisor
cd vantio-hypervisor
cargo build --workspace

# Run control plane locally:
VANTIO_ENV=dev cargo run -p vantio-hypervisor

# eBPF (requires root + kernel headers):
sudo cargo xtask run --release

# Oracle UI:
cd oracle-ui && npm install && npm run dev
# → http://localhost:5173

# Start the mock telemetry server (Phantom Uplink):
node phantom_uplink.cjs
# → SSE stream on http://localhost:3000/api/telemetry/stream
Mock telemetry: phantom_uplink.cjs streams mock Ring-0 intercept events via Server-Sent Events, enabling the Oracle UI dashboard to function without a live eBPF kernel connection during development.
VANTIO OPERATIONS MANUAL — V1.0 | Compiled: 2026-04-10 | [ ∅ VANTIO ] Apex Singularity Classification: Engineering Distribution