Sovereign Risk Infrastructure · KOKON Control Company
Find where your company silently leaks money and time. Math first, agents second, governor always, audit forever.
Institutional diagnostic, control and managed-execution system for companies and digital ecosystems. KOKON is not another agent platform. At its core sits a mathematical diagnostic kernel that ingests data on processes, decisions, models, queues, risk, bottlenecks and money loss. Agents work as the second layer — they do not invent conclusions; they interpret the computed picture, form recommendations, and route every action through a Governor. Each step is sealed into an audit-grade WORM trail.
S4 · What KOKON does · company MRI
Math kernel, agents, governor, eternal audit — in one system.
KOKON is built for two operating modes that share one architecture. Mode A — manage your own ecosystem: govern your portfolio of companies, projects, agents, models and decisions through a single control plane. Mode B — onboard external companies for deep diagnostics: connect KOKON to the target company’s services, processes, documents, queues and APIs, build its operating map, find where money, time and manageability leak out, and translate findings into a controlled action plan.
Output is not an «AI report.» It is a diagnostic packet: process-and-system map, math diagnostics, compliance and model-risk assessment, recommendation portfolio, controlled action plan, approval and action receipts, full audit trail, executive-ready summary.
Manage Your Own Ecosystem
Single control plane over opportunities, approvals, agent orchestration, voice intelligence, multi-project rollout. Stable contract-first integration with product modules; signed, idempotent webhooks; no shared state, no shared blast radius.
Company Check-Up · External Onboarding
Connect to CRM / ERP / Jira / BI / APIs / logs. Scan processes, decisions, models, queues. Build the company map. Compute losses. Score risk. Draft a recommendation portfolio. Translate it into governor-gated, audit-sealed actions. Loss map and recommendations within 24–72 hours.
Diagnostic Packet, Not a Slide Deck
Every analysis converges on a single signed packet: process map, math diagnostics, model-risk and compliance findings, recommendation portfolio, controlled action plan, approval & action receipts, audit trail, executive summary. Reproducible, replayable, defensible.
S4.5 · ARIN · peer institutional risk-decision plane
Two control planes, one event backbone.
KOKON governs the company operating layer: where the organisation silently leaks money and time — detect, quantify, recommend, gate, audit. ARIN governs the institutional risk-decision layer: what the institution should decide under risk — Council, Red Team, Governor, Stress Propagation Engine, sealed verdict chain.
Company Operating Layer
Company diagnostics, process topology, loss-map computation, recommendation portfolio, P0/P1/P2 action plan, sealed approval and action receipts.
Institutional Risk-Decision Layer
22-agent Council, adversarial Red Team, Governor gates, Stress Propagation Engine, evidence neighbourhood, sealed verdict chain and WORM decision ledger.
ARIN verdicts are not free-text consensus. The Stress Propagation Engine uses damped weighted graph diffusion with bounded activation across an economic-dependency substrate — entities, supply lines, holders, regulatory triggers and market-regime states. The public claim boundary is explicit: calibrated on 62,500 sealed historical cases, empirical F1 = 0.889 on the sealed evaluation set, with every output sealed as a verdict bundle carrying verdict_id, evidence neighbourhood and hash-chained traceback.
Cross-plane receipt binding
Every KOKON action receipt that touches institutional risk can carry arin_verdict_id inside external_refs, anchoring the operating action to ARIN’s sealed verdict chain.
Directed evidence graph
News event, ARIN triage, brain audit, KOKON loss recompute and final sealed receipt become a graph of references — not a fragile one-way audit note.
Model-risk posture
The council interprets deterministic evidence; it does not invent the core risk state. That is the difference a model-risk reviewer can inspect.
S5 · Detection surface · eight measurable failure modes
Where, how, and how much the company is leaking.
KOKON does not ask «is the company healthy?» It computes where, how, and how much the company is leaking time, decisions and capital. The diagnostic kernel runs 16 pinned modules — process_mining, risk_core, financial_ratios, edgar_xbrl_parser, peer_benchmark, unit_economics, pricing_analytics, sales_pipeline, lm_sentiment, company_loss_detector, narrative_synthesis, agent_assessor, lineage_worm, arin22_kernel, and two further modules — each addressable by content-SHA. Diagnostic modules are bit-exact for identical inputs; cross-plane queries are audit-id traceable to the exact substrate snapshot and query result at decision time. Outputs roll up into the eight surfaces below:
S6 · Math-first architecture · why this is stronger than ordinary AI agents
Numbers, then narrative, then governor-gated action, then audit.
Ordinary agent platforms answer with text. KOKON answers with numbers, then narrative, then governor-gated action, then audit. Each layer feeds the next. Removing any layer breaks the system — that is the architectural commitment.
Diagnostic Kernel — Numbers Before Narrative
Before any agent speaks, the kernel computes the operating picture across 16 pinned modules — each addressable by content-SHA, with bit-exact reproducibility for identical diagnostic inputs. The math families include risk math (VaR, CVaR / Expected Shortfall, EVT-POT, Monte Carlo, PCA), operations math (process mining, queue pressure, transition latency, rework ratios, time-in-state histograms), financial diagnostics (vendor concentration, DSO, AP terms, inventory aging, CCC, headcount ratio, flux variance, peer benchmark, unit economics), and network reasoning (graph centrality, sole-source dependency edges, blast-radius walk across the institutional knowledge substrate).
Reproducibility scope is explicit: diagnostic kernel modules are bit-exact on identical inputs; cross-plane queries against the knowledge substrate, news streams, or market state are audit-id traceable, so replay reconstructs the exact substrate snapshot and query result at decision time.
KOKON Cockpit Demonstration
22-Agent Council — Interpret, Don’t Invent
Agents receive an already-computed picture and produce findings within their competence. They never originate numbers. Roles include compliance, founder control, pipeline, audit, regulatory trigger, voice operator, council moderator and adversarial validator. Each verdict is calibration-weighted (confidence × historical reliability) before the council finalises.
Governor — No Direct Action · P0 / P1 / P2 Action Plan
No agent recommendation reaches the outside world directly. Every output passes through ActionPlanEngine, which classifies each item: P0 blocks until a human signature is recorded, P1 requires explicit operator approval, P2 is advisory. Only then does it route through a controlled action layer with budget envelopes, idempotent execution, and replay protection.
WORM-Sealed Decision Trail — Shipped, Not “Ready”
Every decision, recommendation, approval and action is sealed end-to-end: lineage_worm module pins lineage, ReceiptBundle.PrevSHA → ChainSHA chains each receipt to its predecessor, NDJSON journals persist append-only state, HMAC envelopes sign every outbound delivery, and a replay-protected dedupe store rejects duplicate processing.
Each receipt also carries external_refs — typed cross-system anchors such as e2e_run_id, arin_verdict_id, brain_audit_id, news_event_id, and nightly_run_id. The result is a directed evidence graph, replayable across phases and planes: from any decision, walk back to every contributing input event, including across the KOKON / ARIN plane boundary. WORM is shipped, not aspirational.
S7 · Closed-loop decision cycle · OODA · continuous correction
Observe → Orient → Decide → Act → ↻
KOKON implements a continuous Observe → Orient → Decide → Act cycle — the OODA pattern formalised by Col. John Boyd (USAF, 1976) for time-critical command decisions. The loop wakes on events (market anomalies, security incidents, approval backlogs, regulatory changes), produces a decision through council consensus, and publishes outbound to the connected product planes with full audit trail.
Observe
Scan pending approvals, failed inbound events (24h), stalled opportunities, agent health. Event-trigger wake-up from external systems on market.anomaly, security.incident, regulatory.change.
Orient
Cross-reference observations against calibration profiles, historical patterns, and severity thresholds. A confidence-governor compares the proposed action’s confidence to the configured auto-escalation floor; anything below the floor is routed to human review. Specific threshold value is operator-configurable and not disclosed.
Decide
Agent Council session: multiple agents contribute weighted votes; a consensus mechanism combining confidence and historical reliability finalises the response. A budget gate separates autonomous actions from those requiring human approval; specific weighting scheme and budget envelope are operator-configurable.
Act
Execute decisions, publish outbound events to product planes, create audit entries. Alert deduplication windows prevent alert fatigue; durable workflows handle long-running multi-step actions.
S7.5 · Autonomy by design · nightly self-exercise
Every night, the system exercises itself.
At 02:00 UTC, KOKON’s in-app scheduler triggers a seven-subsystem battery without operator action. Each subsystem exercises a real production path, every outcome is sealed into the Phase 99 WORM ledger under nightly_mass_run:YYYY-MM-DD, and a house-style report is waiting in the cockpit when the operator opens it in the morning.
Knowledge Brain
Gateway health proves graph and vector substrate reachability; both layers must report healthy before downstream evidence is trusted.
Service Audit
Dual-perspective probes test all SAA modules from external and internal vantage points, distinguishing up, auth-gated, edge issue, degraded and down.
Full E2E Exercise
Nine-stage one-click run exercises brain, tenant, crypto, detectors and portfolio blast-radius paths with live progress polling.
Connector Autopilot
Every registered connector traverses in shadow mode and produces a why-blocked surface instead of a vague failure state.
Portfolio Systemic Risk
Economic-network reasoning walks portfolio holdings through the brain neighbourhood to test dependency propagation.
Synthetic News → Recompute
Synthetic stress event triggers triage, ARIN-style evidence lookup, and KOKON loss recompute to prove cross-plane orchestration.
Tenant Crypto Self-Check
Per-tenant envelope crypto is sealed and opened under the correct tenant; cross-tenant open must fail at the cryptographic layer.
Graph of Evidence
Each subsystem carries external_refs such as e2e run, brain audit, news event and nightly run IDs, making the nightly bundle walkable across layers.
S8 · Company check-up · eight-stage diagnostic cycle
Onboarding as a gated, signed, replayable diagnostic cycle.
KOKON turns an external company onboarding into a controlled diagnostic cycle implemented as StageLedger with eight named stages. Each stage emits its own artifact and seals its own receipt; Map and Math are deliberately separated (process topology is one thing, deterministic computation is another), Agents is its own stage (interpretation never short-circuits the math), and Receipts are sealed before Audit closes the chain. By stage 8 the company holds a complete diagnostic packet: math findings, recommendation portfolio, governor-approved action plan, signed receipts and a hash-chained audit trail.
- Time to first loss-map: 24–72 hours from the first qualified inbound event window, requiring at least 24 hours of fresh inbound events from source systems.
- First measurable ROI signal: within 2 weeks of pilot start, measured against the top quartile of the recommendation portfolio.
- Signed diagnostic packet: delivered at pilot close — content-SHA addressable, hash-chained, replayable.
- Re-running: the eight-stage cycle is replayable from the audit trail; identical diagnostic inputs reproduce the same content-SHA per module, ItemIDs per recommendation, and PortfolioSHA per portfolio.
S9 · Diagnostic packet · eight headline artifacts
What the company receives — a signed packet, not a write-up.
The deliverable is a single signed packet, not an «AI write-up.» Eight headline artifacts with stable references — backed by additional engine-shipped artifacts (doctrine identity, per-brain calibration ledger, per-client condition history) that close the «why did the kernel decide this» question for model-risk reviewers:
S9.5 · Cross-phase evidence graph · not a chain, a directed graph
Audit can walk across phases, planes, and event types.
Conventional audit trails are linear hash chains: receipt N points to receipt N-1. KOKON’s Phase 99 ReceiptBundle carries a richer structure: every receipt also carries external_refs, a typed list of cross-system anchors. A sealed nightly run can reference the nightly run ID, an E2E run ID, ARIN verdict ID, brain audit ID and synthetic news event ID from one reconstructible bundle.
Brain health
external_refs: nightly_run_id. Proves the knowledge substrate was reachable before the report trusted graph/RAG evidence.
E2E chain
external_refs: nightly_run_id, e2e_run_id. Lands in a separate E2E ledger entry, itself a chain of stage receipts.
Synthetic stress ingest
external_refs: news_event_id, brain_audit_id, arin_verdict_id. Allows replay from final action receipt back to ARIN and brain-query evidence.
For a model-risk reviewer asking «prove every step of this verdict», the answer is not a single chain to walk. It is a directed evidence graph: each external reference lands in a corresponding sealed ledger in another phase, and the full reconstructible timeline is replayable from any decision back to every contributing input.
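The PrevSHA → ChainSHA chaining and the external_refs anchors described here and under "WORM-Sealed Decision Trail", as an added Go example that is not KOKON's own code. The digest layout, the Ref and Receipt field layout, and the Append, Verify and Dangling helpers are assumptions of this example; the page does not publish the sealing format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Ref and Receipt reuse names from the text; the field layout is assumed.
type Ref struct{ Type, ID string } // e.g. {"arin_verdict_id", "v-1"}
type Receipt struct {
	Payload           string
	ExternalRefs      []Ref
	PrevSHA, ChainSHA string
}

// digest covers PrevSHA, payload and every ref; %q keeps fields unambiguous.
func digest(prev, payload string, refs []Ref) string {
	s := fmt.Sprintf("%q%q", prev, payload)
	for _, r := range refs {
		s += fmt.Sprintf("%q%q", r.Type, r.ID)
	}
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Append seals a receipt and chains it to the ledger's last ChainSHA.
func Append(ledger []Receipt, payload string, refs ...Ref) []Receipt {
	prev := ""
	if n := len(ledger); n > 0 {
		prev = ledger[n-1].ChainSHA
	}
	return append(ledger, Receipt{payload, refs, prev, digest(prev, payload, refs)})
}

// Verify returns the index of the first receipt that fails, or -1.
func Verify(ledger []Receipt) int {
	prev := ""
	for i, r := range ledger {
		if r.PrevSHA != prev || r.ChainSHA != digest(r.PrevSHA, r.Payload, r.ExternalRefs) {
			return i
		}
		prev = r.ChainSHA
	}
	return -1
}

// Dangling lists refs whose ID is missing from the ledger index of that type.
func Dangling(r Receipt, index map[string]map[string]bool) []Ref {
	var out []Ref
	for _, ref := range r.ExternalRefs {
		if !index[ref.Type][ref.ID] {
			out = append(out, ref)
		}
	}
	return out
}

func main() {
	l := Append(nil, "nightly run", Ref{"nightly_run_id", "n-1"}) // constructed IDs
	l = Append(l, "stress ingest", Ref{"arin_verdict_id", "v-1"})
	l[1].ExternalRefs[0].ID = "v-2" // simulate tampering with a cross-plane anchor
	fmt.Println("first broken receipt:", Verify(l))
}
```

Because the refs sit inside the sealed digest, rewriting an anchor after the fact is detected the same way as rewriting the payload; Dangling is the separate check that each anchor actually lands in a sealed ledger on the other side.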
S10 · Architecture · control / product split
Two planes, one event backbone, zero shared blast radius.
KOKON Service (Go)
- Opportunities: lifecycle with workflow transitions (target → researched → draft_ready → sent → closed)
- Approvals: human-in-the-loop gate for high-stakes decisions
- Council Sessions: multi-agent voting with consensus finalization
- Voice Intelligence: session orchestration, STT/TTS queue, audio dispatch
- Agent Calibration: per-agent quality scoring with repeat penalties and automatic model escalation. An outcome feedback loop recalibrates agent weighting against realised outcomes once a minimum sample is reached; an adversarial validation layer blocks high-error verdicts. Specific scoring rules and recalibration cadence are internal.
- Knowledge Integration: a curated RAG Knowledge Corpus covering financial regulation, climate science, geopolitical, cyber-security, macro-economic and supply-chain domains is auto-injected into agent context before assessment. Entity Memory (persistent per-entity history with trend/anomaly detection) flows through every analysis cycle; a curated historical-event corpus feeds the stress-test baseline.
- Event Backbone: outbox relay with dead-letter, retry backoff, HMAC-signed delivery
Independent Domains
- Global Risk Intelligence: 3D Command Center, multi-factor stress, cascade analysis
- Risk Analyzer: VaR / CVaR, simulation engine, portfolio optimisation
- ARIN: peer institutional risk-decision plane with Council, Red Team, Governor and Stress Propagation Engine
- Investment Analytics: equity research, reporting agent
- Digital Assets Analytics: on-chain metrics, DeFi tracking
- News Analytics Portal: narrative intelligence, impact graph, NLP pipeline
S11 · Stable integration contract
Contract-first, idempotent, fully traceable.
KOKON treats each product module as an external system. Communication is contract-first, idempotent, and fully traceable through stable reference IDs.
Event Ingestion
Webhook-based event ingestion with HMAC signature verification. Idempotency via source_system + source_project + idempotency_key. Trace headers: X-External-Ref-ID, X-Audit-Reference-ID, X-Trace-Path.
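An added example, not KOKON's own code: one way an ingestion endpoint can combine the HMAC check with the source_system + source_project + idempotency_key tuple described above. The hex HMAC-SHA256 scheme, the Ingestor type and the in-memory dedupe store are assumptions; the page does not publish the signing scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Event holds the three idempotency fields named in the text.
type Event struct {
	SourceSystem   string `json:"source_system"`
	SourceProject  string `json:"source_project"`
	IdempotencyKey string `json:"idempotency_key"`
}

var (
	ErrBadSignature = errors.New("signature mismatch")
	ErrIncomplete   = errors.New("incomplete idempotency tuple")
	ErrDuplicate    = errors.New("duplicate delivery")
)

// Ingestor is hypothetical; sync.Map stands in for a durable dedupe store.
type Ingestor struct {
	Secret []byte
	seen   sync.Map
}

// Sign returns hex(HMAC-SHA256(secret, body)); the scheme is assumed.
func Sign(secret, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Accept authenticates the raw bytes first; only then parses and dedupes.
func (in *Ingestor) Accept(body []byte, sigHex string) error {
	if !hmac.Equal([]byte(sigHex), []byte(Sign(in.Secret, body))) { // constant time
		return ErrBadSignature
	}
	var ev Event
	if err := json.Unmarshal(body, &ev); err != nil {
		return err
	}
	if ev.SourceSystem == "" || ev.SourceProject == "" || ev.IdempotencyKey == "" {
		return ErrIncomplete
	}
	// %q quotes each part, so ("a", "b|c") and ("a|b", "c") cannot collide.
	key := fmt.Sprintf("%q|%q|%q", ev.SourceSystem, ev.SourceProject, ev.IdempotencyKey)
	if _, dup := in.seen.LoadOrStore(key, true); dup { // atomic check-and-set
		return ErrDuplicate
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // sample value
	body := []byte(`{"source_system":"crm","source_project":"p1","idempotency_key":"evt-1"}`)
	in := &Ingestor{Secret: secret}
	fmt.Println(in.Accept(body, Sign(secret, body)), in.Accept(body, Sign(secret, body)))
}
```

The ordering matters: a delivery that fails the signature check never reaches the dedupe store, so an unauthenticated sender cannot burn an idempotency key and cause the genuine event to be dropped as a duplicate.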
Outbound Delivery
Auto-flush worker delivers queued events to configured targets. Dead-letter with retry backoff. Receipt closure tracking: coverage %, failure rate, SLO breach detection. Multi-target delivery for multi-project foundation.
Artifact References
External artifact links (analysis reports, risk assessments) are tracked by stable external_ref_id. Full timeline reconstruction: events → artifacts → outbound → approvals. Cross-repo correlation via audit reference.
S11.5 · Service audit · honest signal
Dual-perspective probes, not naive uptime.
Most uptime systems return a binary up/down. That collapses operational reality. KOKON’s in-app service audit probes each service simultaneously from external edge and internal loopback vantage points, then classifies the service into a state that operators can act on.
External + internal reachable
Both vantage points respond. The service is reachable and healthy.
Edge gate by design
External probe returns 401/403 while internal probe is healthy. Backend is fine; access control is doing its job.
Proxy fault, backend fine
External probe fails or returns 5xx while internal loopback is ok, pointing to nginx/proxy/edge rather than backend failure.
Mixed probe window
Signals conflict across the probe window; route to operator review instead of false certainty.
Internal probe failing
Backend is genuinely failing and should wake the operator.
WORM persisted
Probe snapshots persist to the WORM journal every audit window and feed the nightly mass-run sealed report.
S12 · Embedded operator UIs · high-density, EN / RU
Six operator surfaces. One control plane.
Every UI is embedded, high-density, and operator-grade. No external frameworks — pure HTML with EN / RU localization and no-cache runtime injection.

Executive Dashboard
KPI cards, prioritized alerts, bootstrap go/no-go, outbound receipt-closure, weekly markdown brief. Full launch-gate verdict with threshold checks.

Readiness Center
Readiness trend (24/72/168h), conformance scoring, readiness alerts. Auto-refresh mode (15s/30s/60s). One-shot packets for founder decision-making.

Voice Operations
Audio health, dispatch queue, STT/TTS job management. Session trace with audit references. Quick mode: microphone → LLM response → calibration feedback.

Council Interface
Create sessions, submit agent votes, finalize decisions. Consensus and tally output with full vote-attribution breakdown. Adversarial-validation challenge integrated as a mandatory step before finalisation.

Agents Live
Real-time status (busy/waiting/ready/offline). Calibration score/tier per agent. Work request pulse generation. Open voice job pressure monitoring.

Project Cockpit
Per-project go/no-go: readiness + conformance + receipt quality + contract status. Multi-project portfolio rollup. Markdown brief download.
S13 · For whom · audience profiles
Companies that want to know where they actually leak — not just «deploy AI.»
S14 · Architectural first principles · four institutional invariants
Implemented in code, not in policy.
KOKON is engineered against four institutional invariants. The premise is operational, not metaphorical: governance is a separate system from production, AI verdicts must be calibrated, weighted, and reversible, drift must be detected and corrected before it propagates, and tenant isolation must fail closed at the cryptographic layer. Each principle is implemented in code; each is auditable.
Control / Product Separation
The control plane shares no database, no in-process state, and no deployment cycle with any product module. Communication is exclusively via signed, idempotent webhooks and typed event contracts. A failure in one plane cannot cascade into the other; a governance change can be rolled back without touching production. Industry equivalent: financial-services two-tier governance pattern.
Calibration-Weighted Consensus
An agent verdict is never accepted as truth on first issue. Each is scored against a confidence floor; the council combines votes via a calibration-aware weighted average (confidence × historical reliability). Adversarial validation runs as a mandatory gate before finalisation. Below the auto-action floor, decisions are routed to a human-in-the-loop approval queue.
Drift Detection & Re-Calibration
Data staleness, model drift, and agent fatigue are tracked as first-class operational metrics. Repetitive low-quality output triggers automatic model escalation. A zero-outcome freeze prevents reliability inflation when ground truth is unavailable. The closed-loop OODA cycle acts as the continuous correction layer — re-evaluating, re-weighting, re-publishing.
Tenant Isolation Is Cryptographic
Each tenant’s data is sealed under a per-tenant envelope. A correct tenant can open its own sealed envelope; a cross-tenant open hard-fails at the cryptographic primitive, not at a policy layer that could drift or be misconfigured. The self-check runs inside the nightly mass-run and lands in the sealed evidence bundle.
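An added example, not KOKON's own code, of the property described here and under "Tenant Crypto Self-Check": the owner opens its envelope and any other tenant fails at the primitive. AES-256-GCM, the HMAC-SHA256 key derivation and the names tenantAEAD, Seal, Open and SelfCheck are assumptions; the page does not name the cipher or the key hierarchy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tenantAEAD derives a per-tenant AES-256-GCM key from a master secret.
// HMAC-SHA256 as the derivation step is an assumption of this example.
func tenantAEAD(master []byte, tenant string) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("tenant-envelope:" + tenant))
	block, err := aes.NewCipher(m.Sum(nil)) // 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, with the tenant ID bound as AAD.
func Seal(master []byte, tenant string, plaintext []byte) ([]byte, error) {
	g, err := tenantAEAD(master, tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Open fails GCM tag verification when tenant is not the sealing tenant.
func Open(master []byte, tenant string, env []byte) ([]byte, error) {
	g, err := tenantAEAD(master, tenant)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(env) >= n {
		return g.Open(nil, env[:n], env[n:], []byte(tenant))
	}
	return nil, fmt.Errorf("envelope shorter than nonce")
}

// SelfCheck passes only if the owner opens AND the other tenant cannot.
func SelfCheck(master []byte, own, other string) bool {
	env, err := Seal(master, own, []byte("probe"))
	if err != nil {
		return false
	}
	pt, ownErr := Open(master, own, env)
	_, crossErr := Open(master, other, env)
	return ownErr == nil && string(pt) == "probe" && crossErr != nil
}

func main() {
	master := []byte("constructed-master-secret") // sample value, not a real key
	fmt.Println("isolation holds:", SelfCheck(master, "tenant-a", "tenant-b"))
}
```

A self-check that only tests the round trip would pass even if every tenant shared one key; the negative half, where the cross-tenant open must return an error, is the part that carries the isolation claim.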
S15 · Engage · pilot · company check-up
Conduct a company check-up. Connect your ecosystem. Get a loss-map in 24–72 hours.
KOKON Control Company runs as both the standalone control plane for the SAA Alliance ecosystem and as an external company check-up engagement. Production access is gated by Governor approval and operator role; integration contracts, webhook specifications and pilot scoping are documented for enterprise partners under NDA.
