Decision Infrastructure
for Autonomous AI

1. The Problem

Foundation models produce increasingly capable reasoning, but their integration into autonomous workflows exposes a fundamental tension: capability without governance. An AI agent that can draft a contract, execute a trade, or modify a database brings value proportional to its autonomy — and risk proportional to the absence of controls.

Today, teams address this with ad-hoc solutions: prompt engineering (easily jailbroken), post-hoc logging (damage occurs before review), single-model guardrails (single point of failure), manual approval queues (don't scale), and custom rule engines (brittle, no AI understanding). None provide production-grade, pre-execution governance with cryptographic proof, multi-model consensus, and continuous adversarial testing.

2. Design Principles

Six immutable invariants — the OmegaConstitution — are declared as immutable code-level constants (lib/constitution.ts). A CI unit test asserts all six are present and true, so a deploy cannot silently drop one; runtime conformance is checked separately by an invariant health monitor at /api/proof/health. The production execution gate is on by default:

3. System Architecture

OmegaEngine is organized as a layered defense system where each layer operates independently and any layer can halt execution. The six layers are:

4. Decision Pipeline

Every decision request traverses an ordered pipeline where each stage can independently halt execution:

Input → Edge Validation → Firewall → Safety Check → Heuristic Scoring →
Extended Heuristics → Calibration → Temporal Analysis → Model Routing →
[LLM Inference → Arbitration] → Policy Enforcement → Self-Verification →
Provenance Chain → Audit Persistence → Response

5. Safety System

The first-line safety system is a rules-based, deterministic engine with no external model calls in the hot path. This ensures consistent behavior regardless of LLM availability, single-digit-millisecond latency (~1–2 ms, no network I/O), zero cost per evaluation, and no risk of the safety layer itself being jailbroken — the component that decides ‘is this an attack?’ is not itself a model that can be argued with.

It evaluates input across 22 detection categories (grouped into six families) spanning content safety (self-harm, violence, hate speech), injection attacks (SQL, XSS, command injection, SSRF, path traversal), obfuscation (Base64, ROT13, leetspeak, unicode homoglyphs, zero-width, reversed text), jailbreaks (prompt injection, instruction override, delimiter attacks), multi-language attacks (Chinese, Japanese, Korean, Arabic, Russian, Hindi, and 6 more), and exfiltration (canary tokens, credential harvesting).

Two reliability features matter: word-boundary matching (ASCII terms anchored to boundaries so ‘What is the capital of France?’ no longer trips a command-injection term), and benign-context suppression — when benign confidence ≥ 0.4 and no high-confidence attack signal is present, false-positive tags are suppressed and risk scores are capped, holding the measured benign false-positive rate at 0%.

An optional second tier closes the semantic gap. The deterministic engine catches 81.0% (94/116) of a self-authored 116-attack corpus at 0% false positives (re-measured 2026-06-25; 78.4% as first published); a Tier-2 LLM judge adjudicates only the residual ambiguous cases (roleplay, ‘write a poem that…’, simulation framing), lifting combined recall to 97.4% (113/116) at 0% false positives. The judge is default-off, fail-safe (errors fall back to Tier-1), and asymmetric (it can only upgrade allow→block; a Tier-1 block always stands). Reproduce with npm run dogfood:layered.

6. Multi-Model Arbitration

No single language model should be trusted as the sole authority on a consequential decision. The Arbitration Kernel v5.0 runs decisions through multiple frontier models in parallel, collects structured reasoning, scores for hallucination, applies weighted consensus using domain/cost/performance/ELO trust ratings, detects material disagreements via semantic clustering, cascades on weak consensus with tiebreaker models, and updates trust ratings over time.

7. Risk Scoring Framework

OmegaEngine computes risk from 14 independent factors organized into two tiers (6 + 8 = 14). Tier 1 (Base Heuristics, 6) covers base risk score, reversibility, time pressure, emotional volatility, information completeness, and domain severity. Tier 2 (Extended Dimensions, 8) adds stakeholder impact, cascade risk, regulatory exposure, financial materiality, reputation risk, precedent, uncertainty, and option value.

Each extended dimension contributes a weighted adjustment (−30 to +30) to the base risk score. To avoid tied scores on similar inputs while preserving reproducibility, the dimensions use a deterministic jitter function based on FNV-1a hashing — the same input always produces the same score, but near-identical inputs do not collapse to the same number.

8. Cryptographic Provenance

OmegaEngine produces two distinct kinds of cryptographic evidence, with different trust models. Every decision produces a Merkle-rooted provenance chain that is HMAC-SHA256 signed — a tamper-evident internal audit trail, verifiable by a party holding the signing secret. The component hashes are listed below.

Separately, security attestations and the transparency log are signed with Ed25519 against a published JWKS (/api/jwks). This makes them publicly verifiable: a third party can confirm an attestation's content hash, signature, and Merkle inclusion offline, with no shared secret and no access to our servers — `npx @omegaengine/verify <id>`. Attestations are appended to an RFC 6962-style append-only transparency log that publishes a signed tree head (/api/transparency/sth) and answers inclusion and consistency proofs, so a verifier can prove a result is in the log and that the log was never rewritten.

9. Policy Engine

The policy engine is an enterprise-grade, tenant-aware, plan-aware risk router. It evaluates decisions against a strict hierarchy: adversarial pattern detection (always runs, cannot be disabled) → hard safety blocks (CSAM, extremism, self-harm) → sensitive domain enforcement → sensitive tag enforcement → arbitration-based escalation → role/plan routing → default allow.

The policy version is auto-computed from a SHA-256 hash of the hard block tag list, so when rules change, the version changes automatically and is captured in every subsequent provenance chain. If any exception occurs during evaluation, the system returns REQUIRE_HUMAN_REVIEW — never silently allowing a request that couldn't be properly evaluated. The engine ships 27 industry presets (banking, healthcare, government, legal, education, SaaS, cybersecurity, retail, and more) as tenant-configurable starting points with dual-control enforcement.

10. Adversarial Resilience

The local judgment model implements 13 independent defense layers: obfuscation detection, safety analysis (multi-category heuristic patterns), firewall, multi-language attack detection (12+ languages), attack classification (12+ types), adversarial suffix detection, prompt leakage prevention, context injection detection, homoglyph normalization, semantic similarity detection, canary token detection, payload structure analysis, and multi-signal fusion.

Every decision also includes built-in red-teaming via adversarial self-verification: devil's advocate arguments, domain-specific failure scenarios, blind spot detection (6 categories), 7 cognitive bias checks (confirmation, survivorship, anchoring, availability, sunk cost, recency, optimism), and an adversarial robustness score (0–100).

11. Learning & Calibration

The system supports three-level feedback (GOOD/NEUTRAL/BAD) used for OmegaGrade quality scoring per domain (S/A+/A/B/C/D), scoring weight calibration, RLHF training data export, and topic analytics.

Historical performance of each model is tracked via OmegaIQ scores (0–100) and ELO trust ratings. These feed back into the arbitration kernel's weighting, creating a self-improving model selection system.

The temporal analysis module adds time-awareness: optimal timing windows (ACT_NOW through DELAY_RECOMMENDED), time decay scoring, opportunity cost per day with domain multipliers, decision half-life (24h to 1 year), deadline proximity detection, and seasonal factor awareness (quarters, holidays, budget cycles).

12. Deployment & Operations

All requests pass through a unified edge proxy orchestrating: kill switch (system-wide emergency disable), global rate limiting, access gate, 1MB body size limits, admin CORS enforcement, security headers (CSP, HSTS, X-Frame-Options), UUID request ID propagation, API versioning with Sunset/Deprecation headers, and auth assertion tracking.

The PostgreSQL schema comprises 93 models with comprehensive indexing on high-cardinality columns and compound keys. Configurable per-organization retention policies (7–365 days or unlimited on Enterprise). The core is Apache-2.0 and self-hostable — you can run the identical API in your own VPC.

Data handling: a decision record persists the scenario text and raw input/output (JSON), the verdict, and tenant scoping; PII redaction (lib/pii.ts) is available, retention is configurable per org, and secrets are encrypted at rest with AES-256-GCM (KMS-backed for enterprise). BYOK provider keys supplied by header are request-scoped (AsyncLocalStorage) and not persisted; dashboard-saved keys are encrypted at rest with only a prefix kept for display. For strict data-residency or air-gap requirements, self-host the Apache-2.0 core in your own VPC/region — there is no certified residency guarantee on the hosted path. See the whitepaper §13 and the Data Processing Agreement.

13. Compliance & Audit

OmegaEngine ships built-in compliance test mappings for 17 frameworks: OWASP LLM Top 10, OWASP Agentic Top 10, NIST AI RMF, EU AI Act, ISO 42001, SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR, CCPA, FedRAMP, CISA AI, Singapore PDPA, Brazil LGPD, Japan APPI, and the Australia Privacy Act.

All audit records are signed with HMAC-SHA256, providing tamper evidence (any modification invalidates the signature), non-repudiation (prove a specific decision at a specific time), and chain integrity (Merkle trees enable batch verification).

14. Performance

Designed for production-grade latency and throughput:

15. Security & Threat Model

A governance layer is only as good as the threats it actually defends. The assets protected are the integrity of each verdict, the audit trail, the authenticity of attestations, the Ed25519 signing key, and tenant/BYOK provider keys.

LLM providers are treated as untrusted (hence arbitration and BYOK isolation); the deterministic safety + policy core is trusted and self-hostable; the signing key never leaves the server; and the only thing a verifier must trust is the public JWKS. Out of scope: OmegaEngine governs the decision to act — it does not execute the action, and the integrating agent must treat denied/escalated as blocking.

16. Limitations & Honest Status

OmegaEngine is early-stage, and a top-tier system states what it does not yet do. We do not hold formal certifications (SOC 2, HIPAA, ISO, FedRAMP) — compliance mappings are self-assessed control readiness, and MITRE ATLAS mapping is self-assessed.

Safety recall is not 100%: the deterministic tier catches ~81% (94/116) at 0% false positives, and the combined two-tier system reaches 97.4% — but the LLM judge that closes the gap is default-off and adds latency and cost. The base decision engine is heuristic, not a trained model (consistent, free, unjailbreakable — but it relies on the LLM tier and arbitration for novel semantics). HMAC audit chains require the signing secret to verify; for verification by untrusted third parties, use the Ed25519 attestations and transparency log. And governance is not enforcement of the downstream effect — honoring a verdict is the integrating system's responsibility.

17. Competitive Landscape

OmegaEngine is, to our knowledge, the only platform that combines all of these capabilities at once:

18. Roadmap