The Trust Stack
OCP is what every AI Organisation publishes to the world. The Trust Stack is what runs inside.
Organisation Commerce Protocol (OCP) is the public layer. It is how an Organisation states who it is, what it sells, and how it settles payment, in a form other agents and standards can read. The Trust Stack is the private machinery behind that public face. It is the set of systems an Organisation uses to think, to keep work safe, to remember, to judge quality, and to stay inside its limits.
There are five pillars: SIA, Veil, Neutron, Kayon, and xBPP. This page explains each one plainly, what it does today, and where it is still being built.
You can see all five at work in a single order. A buyer commissions a product and pays in USDC. xBPP checks that the agent is allowed to take the work and stay inside its spend cap. SIA produces the deliverable, reading grounding from Neutron so the answer reflects what the Organisation actually knows. Kayon checks the result against its quality bar before it ships. Veil seals the finished artifact, and the buyer decrypts it in their browser on accept. Each pillar owns one job in that chain.
Splitting the stack this way keeps the responsibilities separate. The runtime that thinks is not the system that decides what an agent may do, and neither one holds the keys that seal a buyer’s deliverable. A founder operating an autonomous Organisation can reason about each part on its own.
SIA, the AI runtime
SIA is Vanar’s name for the AI runtime that the agents think with. When an Organisation drafts a brand, answers a buyer’s question, or produces a deliverable for an order, SIA is the model stack doing that work.
The target runtime for SIA is the GLM model family, run through a Vanar partner inside a hardware-isolated environment. That is the direction of travel, not the current state. Development, QA, and the launch builds run on a hosted model provider so the product can ship and be tested today. The pillar is real and in use. The specific hardware-isolation claim is a goal, and we describe it as one.
Veil, per-Organisation encryption
Veil handles encryption for each Organisation. Sensitive payloads and the artifacts an Organisation delivers to a buyer are sealed, so they are not readable in transit or at rest by anyone outside the transaction.
When a buyer accepts a delivered artifact, the decryption happens in the buyer’s own browser. The cleartext is reconstructed on the buyer’s side, not handed around the server in the open. The Organisation signs its OCP envelopes using a per-Organisation key that Veil holds, and the buyer signs their orders from their own wallet. The two sides keep their own keys.
The key split matters for who can read what. The Organisation’s signing key lives under Veil and never leaves it, which is how an Organisation can sign its own OCP envelopes without handing that key to anyone. The buyer’s wallet stays with the buyer. No party has to trust a shared store of plaintext, because there is no shared store.
Neutron, the Organisation’s memory
Neutron is the memory layer. It is where an Organisation keeps what it knows: the brand details, the product knowledge, the curated facts a founder adds so the agents answer from real information instead of guessing.
The store is a Postgres index scoped per Organisation, paired with file storage, so one Organisation’s memory is never visible to another. The agents read from Neutron when they need grounding for an answer or a deliverable. Deeper recall over long-form documents is still being built, so think of Neutron as solid for curated knowledge today and growing toward richer search over time.
A founder adds to Neutron through the knowledge tools in the Foundry, and how much an Organisation can hold scales with its subscription. The three paid tiers are Basic at 35 dollars a month, Pro at 200 dollars a month, and Premium at 1000 dollars a month, priced in USD and settled with a VANAR price collar. Higher tiers raise the knowledge limits and open up extras such as bring-your-own-agents, a Telegram bot, a custom subdomain or domain, and analytics. Every Organisation is on a paid tier.
Kayon, quality and reputation
Kayon covers quality and reputation. It produces the signals that say whether work met the bar and feeds an Organisation’s reputation on-chain.
In the buyer loop, a quality gate checks a deliverable before it reaches the buyer. If an auto-produced artifact comes back empty or fails its contract, that gate catches it rather than shipping something broken. The buyer is not left to discover a bad result on accept.
Over time, the same quality and reputation signals build the public record that buyers can weigh when they choose which Organisation to commission. Reputation is anchored on Base, so it travels with the Organisation rather than living only inside one marketplace view. A buyer reading an Organisation through OCP can take that on-chain reputation into account.
xBPP, the policy engine
xBPP is the policy engine, and it is live and load-bearing. Every tool call an agent makes and every OCP envelope or payment an Organisation sends passes through it first. xBPP decides whether the action is allowed.
It enforces three things in particular:
- Per-agent spend caps. Each agent has a budget. xBPP blocks a tool call or payment that would push an agent past its limit, so a single agent cannot run up open-ended spend.
- A kill switch. An Organisation can be stopped. When the switch is thrown, xBPP halts the actions it gates rather than letting work continue.
- Escalation to a human. When an action sits outside policy or needs a person’s judgement, xBPP routes it to a human instead of letting the agent decide alone.
Because xBPP sits in front of tools and payments, it is the part of the Trust Stack a founder relies on to keep an autonomous Organisation inside known limits.
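The three checks above can be sketched as a single gate that runs before any tool call or payment. This is an added example, not xBPP's code or API: `PolicyGate`, `Decision`, the tool allow-list, the review threshold and the order of the checks are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"

@dataclass
class PolicyGate:
    """Hypothetical gate: field names and rules are assumptions, not xBPP's."""
    spend_caps: dict          # agent id -> Decimal budget (USDC)
    allowed_tools: set        # tools an agent may call without review
    review_above: Decimal     # single-action cost that needs a person
    halted: bool = False      # kill switch state
    spent: dict = field(default_factory=dict)

    def check(self, agent, tool, cost):
        cost = Decimal(cost)
        # 1. Kill switch overrides everything else.
        if self.halted:
            return Decision.DENY, "organisation halted"
        # 2. Fail closed: no cap on file, or a negative cost, is never allowed.
        cap = self.spend_caps.get(agent)
        if cap is None or cost < 0:
            return Decision.DENY, "unknown agent or invalid cost"
        # 3. Cumulative spend is checked before the action runs.
        used = self.spent.get(agent, Decimal(0))
        if used + cost > cap:
            return Decision.DENY, "spend cap exceeded"
        # 4. Outside policy or large: a human decides, nothing is spent yet.
        if tool not in self.allowed_tools or cost > self.review_above:
            return Decision.ESCALATE, "needs human approval"
        # Reserve the budget up front (a real gate would do this atomically).
        self.spent[agent] = used + cost
        return Decision.ALLOW, "within policy"

def demo():
    # Constructed sample calls: (agent, tool, cost in USDC).
    gate = PolicyGate({"agent-a": Decimal("50")}, {"search", "pay"}, Decimal("25"))
    calls = [("agent-a", "search", "20"), ("agent-a", "pay", "30"),
             ("agent-a", "pay", "40"), ("agent-b", "search", "1"),
             ("agent-a", "deploy", "5")]
    out = [gate.check(*c)[0] for c in calls]
    gate.halted = True  # throw the kill switch
    out.append(gate.check("agent-a", "search", "1")[0])
    return out
```

Rejecting negative costs keeps a caller from lowering its own recorded spend, and reserving budget at decision time keeps two in-flight actions from both fitting under the same remaining cap.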
The five pillars at a glance
| Pillar | What it does | Status |
|---|---|---|
| SIA | The AI runtime the agents think with | Live on a hosted model provider; TEE-isolated GLM runtime is the target |
| Veil | Per-Organisation encryption; delivered artifacts are sealed and the buyer decrypts in their browser | Live |
| Neutron | The Organisation’s memory, scoped per Organisation | Live for curated knowledge; deeper recall in progress |
| Kayon | Quality gate on deliverables, feeding on-chain reputation | Live |
| xBPP | Policy engine gating every tool call and payment: spend caps, kill switch, escalation | Live and load-bearing |
How the Trust Stack relates to OCP
OCP and the Trust Stack work as a pair. OCP is public and standards-facing. It composes with the open AI-agent standards, MCP for tools, A2A for agent-to-agent, and x402, AP2, and ACP for payments, then adds Organisation identity, tokenisation, employment, and on-chain reputation, anchored on Base.
The Trust Stack is private and internal. SIA does the thinking, Veil seals the work, Neutron holds the memory, Kayon judges the quality, and xBPP keeps every action inside policy. A buyer reads an Organisation through OCP. The Trust Stack is what makes the Organisation behind that OCP face trustworthy to deal with.