Existing infrastructure
Identity systems, gateways, policy engines, and application services remain operator-owned and remain in place.
OmegaOS is the platform layer. OmegaOS Kernel is the runtime overlay. Deployment is designed to sit beside existing authorization infrastructure, not replace it.
This page covers mode progression, the failure boundary, and operator responsibility. Product semantics are defined in Product and Technical Artifact.
The deployment model keeps the existing environment visible. OmegaOS adds a runtime and governance layer around it.
OmegaOS Kernel is the runtime overlay that evaluates evidence, returns ALLOW / DENY / INDETERMINATE, and records the decision context for replay.
OmegaOS is the platform layer for deployment framing, supervision, exported proof handling, and operational review surfaces.
Deployment moves from observation to enforcement without redefining the system. The difference between modes is operational authority, not semantics.
| Mode | Evaluation authority | Operator effect | Purpose |
|---|---|---|---|
| Observe | Runtime evaluates and records, but the existing stack remains authoritative. | No behavioral change to the calling path. | Establish baseline visibility and artifact quality. |
| Shadow | Runtime evaluates alongside the current engine and divergence remains measurable. | Calling path still follows the existing authoritative system. | Compare outcomes before any enforcement handover. |
| Enforce | Runtime output becomes the returned decision surface for the configured path. | Operator owns rollback rules, dependency policy, and failure mode. | Use the deterministic runtime as the active decision boundary. |
INDETERMINATE is a completed evaluation result. It means evidence did not justify a stable ALLOW or DENY outcome.
Fail-closed behavior is an operator deployment policy for required dependencies in enforce mode. It is distinct from INDETERMINATE.
OmegaOS returns a decision surface. The calling system remains responsible for executing or refusing the downstream action.
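The mode table and the failure boundary above can be read as one dispatch rule. The sketch below is an added example, not OmegaOS code or its API: `decide`, `DependencyUnavailable`, the record fields, and the sample engines are hypothetical. It assumes fail-closed surfaces to the caller as DENY with its own reason, and that the non-fail-closed alternative is a fallback to the existing engine.

```python
from enum import Enum
class Decision(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"

class DependencyUnavailable(Exception):
    """Hypothetical: a dependency the runtime requires could not be reached."""

def decide(mode, request, legacy_engine, runtime, fail_closed=True):
    """Return (decision handed to the caller, record kept for review)."""
    if mode not in ("observe", "shadow", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    record = {"mode": mode, "runtime": None, "legacy": None,
              "divergent": None, "reason": "evaluated"}
    try:
        record["runtime"] = runtime(request)
    except DependencyUnavailable:
        record["reason"] = "dependency_unavailable"
    if mode != "enforce":
        # Existing stack stays authoritative; runtime failures never reach the caller.
        record["legacy"] = legacy_engine(request)
        if mode == "shadow" and record["runtime"] is not None:
            record["divergent"] = record["runtime"] != record["legacy"]
        return record["legacy"], record
    if record["runtime"] is None:
        # No evaluation completed: operator failure policy applies, not INDETERMINATE.
        if fail_closed:
            record["reason"] = "fail_closed"
            return Decision.DENY, record  # assumption: fail-closed surfaces as DENY
        record["legacy"] = legacy_engine(request)  # assumption: operator rollback path
        record["reason"] = "fell_back_to_legacy"
        return record["legacy"], record
    return record["runtime"], record  # INDETERMINATE here is a completed result

# Constructed sample engines; the request fields are made up for the demo.
def legacy(req):
    return Decision.ALLOW if req["role"] == "admin" else Decision.DENY

def overlay(req):
    if req.get("idp_down"):
        raise DependencyUnavailable("idp")
    if "device" not in req:
        return Decision.INDETERMINATE  # evidence too thin for a stable outcome
    return Decision.ALLOW if req["role"] == "admin" else Decision.DENY

if __name__ == "__main__":
    for m in ("observe", "shadow", "enforce"):
        print(m, decide(m, {"role": "admin"}, legacy, overlay))
```

The `reason` field is what keeps the two cases apart in review: an INDETERMINATE record has `reason == "evaluated"`, while a dependency outage in enforce mode never produces a runtime decision at all.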
Place the runtime near the gateway or decision ingress so evidence capture and recording stay close to the request path.
Run beside the current environment with operator-controlled routing so review can happen before authority shifts.
Feed the same requests to the current engine and the runtime to measure divergence before enforcement.
The public deployment model is intentionally conservative. The operator owns hosting, routing, access control, and change management.
Need the exact engagement boundary? Use Pilot Scope for the public deployment flow and Reality Boundary for the proof level attached to each public claim.