Per decision: <340 ns
Logical op: <600 ps
Throughput: 2.9M/sec
On-premise native: no cloud runtime

Integration & Deployment

OmegaOS™ Kernel deploys as an overlay on your existing infrastructure.
No migration required. No application-code changes in the common case. Evidence recording from day one.

Overlay, Not Replacement

OmegaOS™ Kernel does not replace your identity provider, your API gateway, or your policy decision point. It wraps them. It creates a unified evidence layer where every authorization is evaluated, recorded, and verifiable.

Your existing PDP continues to operate. OmegaOS™ Kernel records what it decided, adds three-state evaluation, and produces exportable evidence packs.

Classification: Sovereign decision infrastructure. Overlay for authorization infrastructure.
Function: Records authorization decisions with full proof lineage. Exports evidence packs with SHA-256 integrity hashes and optional Ed25519 attestation (when signing keys are provided).
Relationship: Wraps your existing PDP (OPA, Cedar, custom). Adds evidence recording and three-state conflict detection.
Deployment: Overlay. No replacement of existing systems. No application-code changes required; gateway and routing wiring may apply.
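The Function row above says evidence packs carry a SHA-256 integrity hash and, when signing keys are provided, an Ed25519 attestation. The following is an added example of how such a pack can be hashed and verified; it is not OmegaOS™ Kernel code and does not reproduce the product's export format. The record fields, the pack layout (per-record hashes plus a pack hash over their order) and the chaining scheme are assumptions. Ed25519 signing uses the `cryptography` package when it is installed; without it the pack ships unsigned, which is the optional case the page describes.

```python
"""Evidence-pack integrity hashing (added example, not OmegaOS Kernel code).

Assumptions: record fields, pack layout and chaining scheme are illustrative;
the `cryptography` package is optional and only needed for attestation."""
import copy
import hashlib
import json

try:
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
except ImportError:              # signing keys are optional, so the library is too
    Ed25519PrivateKey = None


def canonical(obj) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace) so equal records hash equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_hash(record: dict) -> str:
    """SHA-256 over the canonical encoding of one recorded decision."""
    return hashlib.sha256(canonical(record)).hexdigest()


def pack_hash(record_hashes: list) -> str:
    """Hash over the ordered record hashes: editing or reordering any record changes it."""
    return hashlib.sha256("\n".join(record_hashes).encode("ascii")).hexdigest()


def build_pack(decisions: list, signing_key=None) -> dict:
    """Assemble a pack; attach an Ed25519 attestation over the pack hash if a key is given."""
    hashes = [record_hash(d) for d in decisions]
    pack = {"decisions": decisions, "record_hashes": hashes, "pack_sha256": pack_hash(hashes)}
    if signing_key is not None:
        sig = signing_key.sign(bytes.fromhex(pack["pack_sha256"]))
        pack["attestation"] = {"alg": "Ed25519", "signature": sig.hex()}
    return pack


def verify_pack(pack: dict, public_key=None) -> bool:
    """Recompute every hash; additionally check the signature when a public key is supplied."""
    recomputed = [record_hash(d) for d in pack["decisions"]]
    if recomputed != pack["record_hashes"] or pack_hash(recomputed) != pack["pack_sha256"]:
        return False
    if public_key is not None:
        att = pack.get("attestation")
        if att is None or att.get("alg") != "Ed25519":
            return False
        try:
            public_key.verify(bytes.fromhex(att["signature"]), bytes.fromhex(pack["pack_sha256"]))
        except Exception:        # cryptography raises InvalidSignature on a bad signature
            return False
    return True


# Constructed sample decisions in the shape this example uses (not real data).
SAMPLE_DECISIONS = [
    {"request_id": "req-1", "subject": "alice", "resource": "/reports/q1", "decision": "ALLOW"},
    {"request_id": "req-2", "subject": "bob", "resource": "/reports/q1", "decision": "DENY"},
    {"request_id": "req-3", "subject": "carol", "resource": "/admin", "decision": "CONFLICT"},
]


def tampered_copy(pack: dict) -> dict:
    """Flip one recorded verdict while leaving the stored hashes untouched."""
    t = copy.deepcopy(pack)
    t["decisions"][1]["decision"] = "ALLOW"
    return t


if __name__ == "__main__":
    key = Ed25519PrivateKey.generate() if Ed25519PrivateKey else None
    pub = key.public_key() if key else None
    pack = build_pack(SAMPLE_DECISIONS, key)
    print("pack_sha256:", pack["pack_sha256"], "signed:", "attestation" in pack)
    print("verify original:", verify_pack(pack, pub))
    print("verify tampered:", verify_pack(tampered_copy(pack), pub))
```

A verifier that only has the pack can still detect edits and reordering from the hashes alone; the attestation is what binds the pack to a particular signer, so a pack without one should be treated as integrity-checked but not attributed.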

Overlay Architecture

OmegaOS™ Kernel deploys on your existing stack. It does not replace — it wraps.

Layered view, top to bottom:
  Your Applications: services consume decisions via gateway
  OmegaOS™ Kernel (Evidence Runtime): three-state evaluation · evidence recording · proof export
  Your Infrastructure: identity providers · API gateways · databases · existing PDP

No migration required. OmegaOS™ Kernel observes your existing authorization flows first. It records what your current system decides. When you are ready, it introduces three-state evaluation alongside — not instead of — your existing PDP. Gateway wiring and routing configuration may be needed depending on your deployment pattern.

Shadow Mode

Compare OmegaOS™ Kernel decisions against your existing PDP in real time. Identify mismatches before enforcement.

Mismatch Detection

In shadow mode, the gateway evaluates every request through both your upstream PDP and the OmegaOS™ Kernel resolution engine. It returns your PDP's verdict to the caller — no disruption — but records both outcomes and flags any mismatch.

Mismatches are counted in Prometheus metrics (upstream_del_mismatches) and included in the decision response. This gives you a precise measure of divergence before you switch to enforce mode.

Metric   | Meaning
Match    | PDP and OmegaOS™ Kernel agree on the outcome
Mismatch | PDP and OmegaOS™ Kernel disagree — flagged for review
Conflict | OmegaOS™ Kernel detects contradictory evidence (Indeterminate)
# Shadow mode response — mismatch detected
{
  "decision": "ALLOW",
  "source": "upstream",
  "verdict_diff": {
    "del_result": "DENY",
    "upstream_allowed": true,
    "match_status": "mismatch"
  }
}
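The comparison the gateway performs in shadow mode, as an added example rather than OmegaOS™ Kernel code: each request is classified as match, mismatch or conflict, the upstream verdict is returned unchanged, both outcomes are recorded, and mismatches are counted. The response field names follow the sample response above and upstream_del_mismatches is the metric the page names; the ShadowGateway class, the shadow_requests_total and del_conflicts counters, and the sample decisions are constructed for illustration.

```python
"""Shadow-mode comparison (added example, not OmegaOS Kernel code).

Assumptions: ShadowGateway, shadow_requests_total and del_conflicts are
illustrative names; SAMPLE_DECISIONS is constructed data."""
from collections import Counter
from dataclasses import dataclass, field

# Three-state results the resolution engine can return (verdicts named on the page).
DEL_RESULTS = ("ALLOW", "DENY", "CONFLICT")


@dataclass
class ShadowGateway:
    metrics: Counter = field(default_factory=Counter)   # stand-in for Prometheus counters
    evidence: list = field(default_factory=list)        # both outcomes, per request

    @staticmethod
    def classify(upstream_allowed: bool, del_result: str) -> str:
        """Classify one request as match, mismatch, or conflict (Indeterminate)."""
        if del_result not in DEL_RESULTS:
            raise ValueError(f"unknown resolution result: {del_result!r}")
        if del_result == "CONFLICT":
            # Contradictory evidence: no definite verdict to compare, so it is
            # flagged for review regardless of what upstream said.
            return "conflict"
        agree = (del_result == "ALLOW") == upstream_allowed
        return "match" if agree else "mismatch"

    def decide(self, request_id: str, upstream_allowed: bool, del_result: str) -> dict:
        """Return the upstream verdict to the caller and record both outcomes."""
        status = self.classify(upstream_allowed, del_result)
        self.metrics["shadow_requests_total"] += 1
        if status == "mismatch":
            self.metrics["upstream_del_mismatches"] += 1
        elif status == "conflict":
            self.metrics["del_conflicts"] += 1             # hypothetical counter name
        response = {
            "decision": "ALLOW" if upstream_allowed else "DENY",   # upstream stays authoritative
            "source": "upstream",
            "verdict_diff": {
                "del_result": del_result,
                "upstream_allowed": upstream_allowed,
                "match_status": status,
            },
        }
        self.evidence.append({"request_id": request_id, **response})
        return response

    def divergence(self) -> float:
        """Fraction of requests on which the engine disagreed with upstream."""
        total = self.metrics["shadow_requests_total"]
        return self.metrics["upstream_del_mismatches"] / total if total else 0.0


# Constructed sample: (request id, what the upstream PDP said, what the engine said).
SAMPLE_DECISIONS = [
    ("req-1", True, "ALLOW"),
    ("req-2", True, "DENY"),        # the mismatch shown in the sample response above
    ("req-3", False, "DENY"),
    ("req-4", False, "ALLOW"),
    ("req-5", True, "CONFLICT"),
]


def run_shadow(decisions=SAMPLE_DECISIONS) -> ShadowGateway:
    """Replay the sample through the gateway and return it with metrics populated."""
    gw = ShadowGateway()
    for request_id, upstream_allowed, del_result in decisions:
        gw.decide(request_id, upstream_allowed, del_result)
    return gw


if __name__ == "__main__":
    gw = run_shadow()
    print(dict(gw.metrics), f"divergence={gw.divergence():.0%}")
```

The divergence figure is what you would watch before flipping to enforce mode: a conflict is not a mismatch (there is no upstream-comparable verdict), so it is counted separately and reviewed on its own.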

Fail-Closed by Default

When the system cannot evaluate, it denies. No silent pass-through.

OPA Unreachable

If the upstream PDP is unreachable in enforce mode, the gateway returns 403 Forbidden. Decisions are not guessed. The failure is logged with full context.

Configurable Fail Mode

Fail mode is controlled by OPA_FAIL_MODE. Default: closed. In closed mode, any evaluation failure blocks the request. In open mode (not recommended for production), failures are logged but access is allowed.

Advisory-Only Design

OmegaOS™ Kernel produces structured decisions that inform human operators. It does not autonomously execute downstream actions. In observe and shadow modes, it is purely advisory. In enforce mode, it applies access verdicts (200/403/409) but delegates business logic to the calling system.

Integration Patterns

Three deployment patterns. No application-code changes required.

Pattern           | Description
Sidecar           | Deploy the gateway as a sidecar container. Route authorization calls to localhost:3200. Kubernetes-native.
Reverse Proxy     | Place the gateway in front of your API. Works with nginx auth_request, Envoy ext_authz, or any subrequest-capable proxy.
Parallel Pipeline | Run in shadow mode alongside your existing PDP. Compare decisions in real time. Migrate to enforcement when confidence is established.

Configuration

All runtime configuration via environment variables. Mode switching is a single variable change, designed for zero-downtime deployment.

# Sidecar — observe mode
GATEWAY_MODE=observe
GATEWAY_TENANT_ID="your-tenant-uuid"

# Shadow — compare with existing PDP
GATEWAY_MODE=shadow
OPA_ENABLED=1
OPA_URL="localhost:8181"
HOVO_LICENSE_B64="..."

# Enforce — system is authoritative
GATEWAY_MODE=enforce
HOVO_LICENSE_B64="..."
# DENY → 403, CONFLICT → 409, ALLOW → 200

Rollback is one variable. Set GATEWAY_MODE=observe to return to logging-only at any time. No restart required in the common case. Recorded data is preserved.
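The Fail-Closed by Default section and the configuration above together describe one decision path: GATEWAY_MODE selects observe, shadow or enforce, OPA_FAIL_MODE decides what an evaluation failure means, and enforce mode maps the three-state verdict onto 200/403/409. The following added example models that path; it is not OmegaOS™ Kernel code. The variable names and the status mapping are the page's; load_config, evaluate, the stubbed PDP client, the assumption that observe mode never blocks, and the scenarios are constructed for illustration.

```python
"""Mode switching and fail-closed handling (added example, not OmegaOS Kernel code).

Assumptions: load_config/evaluate and the upstream stubs are illustrative;
observe mode is modelled as logging-only and never blocks."""
import logging

logger = logging.getLogger("gateway-example")

MODES = ("observe", "shadow", "enforce")
FAIL_MODES = ("closed", "open")
STATUS_FOR_VERDICT = {"ALLOW": 200, "DENY": 403, "CONFLICT": 409}   # mapping from the page


class UpstreamUnreachable(Exception):
    """Raised by the upstream-PDP client when OPA cannot be reached."""


def load_config(env: dict) -> dict:
    """Read runtime configuration from an environment mapping (defaults per the page)."""
    mode = env.get("GATEWAY_MODE", "observe")
    fail_mode = env.get("OPA_FAIL_MODE", "closed")        # default: closed
    if mode not in MODES:
        raise ValueError(f"GATEWAY_MODE must be one of {MODES}, got {mode!r}")
    if fail_mode not in FAIL_MODES:
        raise ValueError(f"OPA_FAIL_MODE must be one of {FAIL_MODES}, got {fail_mode!r}")
    opa_enabled = env.get("OPA_ENABLED") == "1"
    if mode == "shadow" and not opa_enabled:
        raise ValueError("shadow mode needs OPA_ENABLED=1 so there is a PDP to compare against")
    return {"mode": mode, "fail_mode": fail_mode,
            "opa_enabled": opa_enabled, "opa_url": env.get("OPA_URL")}


def evaluate(config: dict, query_upstream, evaluate_del) -> tuple:
    """Decide one request. Returns (http_status, evidence_record).

    query_upstream(url) -> bool  asks the existing PDP; raises on failure.
    evaluate_del()      -> str   three-state verdict: ALLOW / DENY / CONFLICT.
    """
    mode = config["mode"]
    record = {"mode": mode}
    try:
        if config["opa_enabled"]:
            record["upstream_allowed"] = query_upstream(config["opa_url"])
        if mode != "observe":                       # observe only watches the existing flow
            record["del_result"] = evaluate_del()
    except Exception as exc:                        # unreachable PDP, engine error, ...
        record["error"] = f"{type(exc).__name__}: {exc}"
        if mode == "observe" or config["fail_mode"] == "open":
            # Observe never blocks; open fail mode logs the failure and lets the request through.
            logger.warning("evaluation failed, allowing: %s", record)
            return 200, record
        logger.error("evaluation failed, denying (fail-closed): %s", record)
        return 403, record

    if mode == "observe":
        return 200, record
    if mode == "shadow":                            # caller still gets the PDP's verdict
        return (200 if record["upstream_allowed"] else 403), record
    return STATUS_FOR_VERDICT[record["del_result"]], record   # enforce: engine is authoritative


def run_scenarios() -> dict:
    """Constructed scenarios covering the mode and fail-mode combinations."""
    def opa_denies(url):
        return False

    def opa_down(url):
        raise UpstreamUnreachable(f"connect to {url} refused")

    base = {"OPA_ENABLED": "1", "OPA_URL": "localhost:8181"}
    cases = {
        "observe_passthrough": ({"GATEWAY_MODE": "observe"}, opa_down, lambda: "ALLOW"),
        "shadow_returns_pdp_verdict": ({**base, "GATEWAY_MODE": "shadow"}, opa_denies, lambda: "ALLOW"),
        "enforce_conflict": ({**base, "GATEWAY_MODE": "enforce"}, lambda u: True, lambda: "CONFLICT"),
        "enforce_opa_down_closed": ({**base, "GATEWAY_MODE": "enforce"}, opa_down, lambda: "ALLOW"),
        "enforce_opa_down_open": ({**base, "GATEWAY_MODE": "enforce", "OPA_FAIL_MODE": "open"},
                                  opa_down, lambda: "ALLOW"),
        "rollback_to_observe": ({**base, "GATEWAY_MODE": "observe"}, opa_down, lambda: "DENY"),
    }
    return {name: evaluate(load_config(env), up, dl)[0] for name, (env, up, dl) in cases.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:28s} -> {status}")
```

Note the asymmetry the page calls out: with OPA_FAIL_MODE=open an unreachable PDP is logged and the request is allowed, so the evidence record is the only trace that no policy was actually evaluated. Keeping the default (closed) is what makes the 403 on an unreachable PDP a guarantee rather than a log line.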

Runtime: Rust
API: OpenAPI 3.1
Deployment: Docker / K8s / Helm
Isolation: Row-Level Security
Availability: 2026

OmegaOS™ — Sovereignty Overlay

OmegaOS™ extends the Kernel into a sovereignty governance platform — an operational layer that wraps your entire infrastructure into a unified decision envelope.

The Kernel and Decision Evidence Log are operational. The multi-engine governance overlay — including inter-engine trust boundaries and decision propagation rules — is in implementation phase.

OmegaOS™ is not an operating system. It is an operating layer. It does not replace your infrastructure — it governs how authorization decisions flow through it.

OmegaOS™ Kernel = Execution Governance Layer (evidence runtime)
OmegaOS™ = Sovereignty Overlay (governance envelope over OS / K8s / cloud)

Layered view, top to bottom:
  Your Applications: services consume decisions via gateway
  OmegaOS™ (Sovereignty Overlay): policy orchestration · evidence collection · decision governance
  OmegaOS™ Kernel (Execution Governance Layer): three-state evaluation · proof generation · conflict detection
  Your Infrastructure: identity providers · API gateways · databases · existing PDP

Evidence by Design

OmegaOS™ Kernel does not ask you to trust the system. It produces the evidence for you to verify. Every decision, every proof, every export — recorded, traceable, reconstructable.