Machine Passport
A cryptographic identity record for each machine — covering its mission, operator, operating boundary, and permitted actions.
Platform
The Celestial State platform governs machine actions end to end: every high-stakes decision is authorized, signed, and preserved as a replayable record. Deploy as a software integration today, then add hardware-rooted enforcement as your pilot matures.
Core Loop
A cryptographic identity record for each machine — covering its mission, operator, operating boundary, and permitted actions.
A policy-based decision issued before any high-stakes motion or state change: allow, deny, or send to a human.
Immutable records that capture identity, policy, context, verdict, and timestamp in a single exportable file.
Signing keys and attestation live in dedicated secure hardware — outside the machine's own software stack.
System Model
The control plane decides, the enforcement layer acts on that decision at the machine boundary, and the proof plane keeps a signed record that exists outside the machine runtime.
Decide
The decision kernel evaluates the machine, mission, action, policy, and live context.
Apply
Adapters apply the verdict where the action crosses into motion or production state.
Prove
Every governed action is signed and preserved as a replayable chain of custody.
Action Planes
Move, stop, lift, turn, accelerate, cross boundary
controller / PLC
Route, assign mission, hand off payload, change zone
fleet manager
Load model, switch policy, update autonomy mode
edge node / TEE
Store receipt, checkpoint ledger, export audit package
TPM / HSM
Spawn task, hand off mission, request human override
control plane
ROS2, OPC UA, PLC, sidecar, SDK, webhook
adapter layer
CAGP
CAGP is the protocol that defines how the machine runtime talks to the trust anchor. Every verdict it returns includes the machine's identity, the policy that applied, a context snapshot, a timestamp, and a proof reference.
01
Machine requests action
A robot, vehicle, cobot, or controller attempts a high-consequence motion or state change.
02
Adapter extracts context
Machine passport, mission, action, zone, payload, operator, environment, and policy class.
03
Trust anchor authorizes
CAGP returns an allow, deny, log, challenge, suspend, escalate, or review verdict.
04
Verdict is signed
The decision includes reason code, TTL, obligations, and receipt reference.
05
Boundary applies verdict
Authorized actions continue; blocked or escalated actions follow the configured safety path.
06
Receipt is preserved
The proof trail can be replayed for operators, insurers, auditors, and regulators.
Technical validation
We will map which actions need governing, what policy applies, and how signed receipts would fit your workflow.