Home / Architecture
DocumentVOL II / ARCHITECTURE
Version2026.04 — REV/A
Status5 ACCEPTED · 0 DEPRECATED
AudienceENGINEERS · TECHNICAL EVALUATORS
FIVE ARCHITECTURAL FOUNDATIONS — APRIL 2026

Architecture
is not opinion.

What follows is the technical spine of the company — five architectural decisions, written down. Each is an Architecture Decision Record: a decision, the context that forced it, the alternatives we rejected, and the consequences we accepted.

We publish these so any engineer, any technical procurement evaluator, any researcher can verify the company before engaging with sales. You should not have to talk to anyone to know whether we can do the work.

EACH ADR IS A LIVE DOCUMENT. WHEN A DECISION IS REVISED, THE PRIOR REVISION REMAINS — MARKED DEPRECATED. WE DO NOT REWRITE THE PAST.

Document outline

5 ADRs · 3 STRUCTURAL VIEWS · 1 REFERENCE DEPLOYMENT
ADR-001
FOUNDATION i — RUNTIME LOCALITY

Edge-first,
not cloud-first.

STATUS · ACCEPTED · 2026.04
§ 1.0DECISION

The decision

DECISION · ADR-001
All decision-grade computation happens at the edge. Cloud is optional — never required.
§ 1.1CONTEXT

Context

Defence systems must operate where the cloud cannot reach. The link drops on contested airspace, the GPS denies on contested ground, the satellite passes on a 90-minute cycle. A cloud-first architecture inherits its failure modes — and the failures are correlated with the moments the system is most needed.

The standard industry pattern — push compute to a hyperscaler region, cache at the edge — is built for advertising, retail, and consumer products. It is the wrong shape for defence, where the worst-case latency budget is set by an adversary, not by a CDN.

§ 1.2ALTERNATIVES

Alternatives considered

  • → A Cloud-first with edge cache. Standard hyperscaler pattern. Aggressive caching at the edge, fall back to cloud for compute. REJECTED
  • → B Hybrid-first with tiered fallback. Try cloud, then regional, then edge. Continuously rebalance. REJECTED
  • → C Edge-first; cloud as cold storage and training only. Decision-grade at platform; archival and training in sovereign cloud. ACCEPTED
§ 1.3CONSEQUENCES

Consequences

+

What we gain

  • Decision-grade systems that continue to operate when the link is gone.
  • Latency budget set by physics, not by network.
  • No upstream dependency that can be denied by adversary or vendor.

What we accept

  • Higher per-platform compute cost — every node carries real silicon.
  • Stricter performance budgets — model architecture decisions cannot be deferred to the cloud.
  • More complex deployment — heterogeneous hardware as a first-class concern.
§ 1.4SEE ALSO

See also

दृष्टि Drishti — fusion at edge सुरक्षा Suraksha — sovereign runtime MIS-01 — Theatre Watch ADR-005 — Graceful-degraded
ADR-002
FOUNDATION ii — SYSTEM SHAPE

Composable,
not coupled.

STATUS · ACCEPTED · 2026.04
§ 2.0DECISION

The decision

DECISION · ADR-002
Each platform exposes a typed contract. The system composes through interfaces — never through implicit coupling — so customers can buy one platform without buying all four.
§ 2.1CONTEXT

Context

Most defence software fails procurement because it is sold as a monolith. The integrator has only one of four needs; the vendor insists on selling all four. The deal collapses or the customer is over-sold and under-deployed.

Drishti, Vyooha, Nirnaya, Suraksha each address a distinct procurement centre. If any one of them required the other three, the company could not exist. The architecture must reflect the way customers actually buy.

§ 2.2ALTERNATIVES

Alternatives considered

  • → A Monolithic deployment. One binary, one schema, one upgrade cycle. Highest internal velocity, lowest customer flexibility. REJECTED
  • → B Microservices with shared database. Each platform a service; common backing store. Couples upgrade and recovery cycles. REJECTED
  • → C Independent platforms with typed contract surface. Each platform owns its data, exposes a versioned contract, composes through interfaces. ACCEPTED
§ 2.3CONSEQUENCES

Consequences

+

What we gain

  • A customer can buy Drishti alone and deploy it inside an existing fleet.
  • Independent upgrade cycles — no all-or-nothing rollouts.
  • Platform-level reasoning about consistency, recovery, ownership.

What we accept

  • Higher internal integration cost — contracts are versioned, deprecated, upgraded carefully.
  • More careful evolution — breaking contracts is a procurement event, not a sprint task.
  • Some duplication across platforms — each owns its observability, telemetry, audit.
§ 2.4SEE ALSO

See also

सब All four platforms Composition matrix ADR-003 — Provenance preserved
ADR-003
FOUNDATION iii — INTERPRETABILITY

Provenance preserved,
not black-box.

STATUS · ACCEPTED · 2026.04
§ 3.0DECISION

The decision

DECISION · ADR-003
Every recommendation, every fused track, every action — carries its provenance chain, its calibrated confidence, and its counterfactual. If we cannot explain why, we do not surface it.
§ 3.1CONTEXT

Context

Operators must be defensible. After-action review must be possible in days, not weeks. A decision made under tempo, in good faith, by a watch officer, must be reconstructable — sensor by sensor, fusion step by fusion step — six months later, in a court, in front of a panel of three.

A black-box recommendation engine cannot meet that bar. "The model said so" is not a defence. It does not survive the first Question Hour. It does not survive the first procurement review. It does not survive the first journalist with a Right to Information request.

§ 3.2ALTERNATIVES

Alternatives considered

  • → A Black-box ML with post-hoc explainability layer. Train any model; reconstruct an explanation later via SHAP, LIME, attention maps. REJECTED
  • → B No ML — only rules and classical fusion. Fully interpretable, lower performance, abandons measurable gain. REJECTED
  • → C Provenance preserved end-to-end. Every input, every transform, every model output recorded. Confidence calibrated. Counterfactual computed. Signed. ACCEPTED
§ 3.3CONSEQUENCES

Consequences

+

What we gain

  • Decisions defensible at any tribunal — court, court-martial, parliament.
  • After-action review takes minutes, not weeks.
  • Operators trust the system because they can see why.

What we accept

  • 8–12% inference overhead for provenance instrumentation.
  • Larger audit storage — every event chained, signed, retained.
  • Some model classes are off the table — opaque architectures we cannot trace.
§ 3.4SEE ALSO

See also

निर्णय Nirnaya — option surface MIS-05 — Command Tempo ADR-004 — Sovereign-bounded
ADR-004
FOUNDATION iv — TRUST BOUNDARY

Sovereign-bounded,
not global.

STATUS · ACCEPTED · 2026.04
§ 4.0DECISION

The decision

DECISION · ADR-004
No model, no weight, no operational datum leaves the trust boundary. The trust boundary is enforced at the kernel — not at policy. India is the boundary.
§ 4.1CONTEXT

Context

Indian operational data, Indian models, Indian weights — must remain inside Indian jurisdiction. This is not a tradeoff to be negotiated against cost or convenience. It is the precondition for the company to exist as a sovereign supplier.

Industry-standard "India-region" hosting on a foreign hyperscaler does not satisfy this. Jurisdiction is operator, not data location. A foreign operator with India-region storage answers to its home regulator first, every time.

§ 4.2ALTERNATIVES

Alternatives considered

  • → A Foreign cloud, India region. Use AWS / GCP / Azure India regions for non-classified workloads. REJECTED
  • → B Federation with allied clouds. Trust boundary expanded to include Five Eyes / QUAD partners. REJECTED
  • → C Sovereign-only with kernel-enforced boundary. All workloads on India-jurisdiction infrastructure. The boundary is checked in code, not in slides. ACCEPTED
§ 4.3CONSEQUENCES

Consequences

+

What we gain

  • The company can be procured by India's most sensitive customers — without exception or carve-out.
  • Sovereignty is the default, not a feature flag.
  • No foreign telemetry, no foreign auditors, no foreign export-control review.

What we accept

  • Cannot use cheapest available training compute — must train inside India.
  • India-only deployment topology — allied programmes negotiated separately.
  • Some commodity tooling unavailable; we build sovereign equivalents.
§ 4.4SEE ALSO

See also

सुरक्षा Suraksha — sovereign stack MIS-02 — Maritime Domain Company principles
ADR-005
FOUNDATION v — FAILURE MODE

Graceful-degraded,
not binary.

STATUS · ACCEPTED · 2026.04
§ 5.0DECISION

The decision

DECISION · ADR-005
Every component has a degraded mode. No silent failures. The state of the system is always knowable, always communicated, always logged — degraded beats silent.
§ 5.1CONTEXT

Context

The worst failure mode in a defence system is the one where the operator does not know the system has failed. A binary up/down failure model masks the long tail of partial failures — a sensor with a bad clock, a node with high tail latency, a model with quietly degraded confidence.

Operators trust the system in proportion to how clearly the system tells them what it doesn't know. A system that pretends to be healthy when it isn't — or reverts to default values without telling anyone — is a system the operator stops trusting after the first incident.

§ 5.2ALTERNATIVES

Alternatives considered

  • → A Fail-fast with silent fallback. Crash hard on detected error; orchestrator restarts. Hides the failure window from operators. REJECTED
  • → B Best-effort silent. Continue running with default values when sensors are degraded. Looks like success; isn't. REJECTED
  • → C Explicit degraded mode at every level. Each component reports its mode — full / reduced / essence — with reason. Operator surfaces the worst mode in the chain. ACCEPTED
§ 5.3CONSEQUENCES

Consequences

+

What we gain

  • Operators trust the system because they know what it knows.
  • No silent regressions — degradation is a first-class signal.
  • Post-incident review starts from a known state, not a reconstruction.

What we accept

  • Slightly more complex error paths — every component implements degraded.
  • More UI work — operator surface must communicate degradation calmly, not alarmingly.
  • Slower in some edge cases — we will not "make a number up" to maintain throughput.
§ 5.4SEE ALSO

See also

व्यूह Vyooha — distributed initiative दृष्टि Drishti — bandwidth-aware downgrade MIS-04 — Autonomous Tasking ADR-001 — Edge-first
VOL II / PART TWO — STRUCTURAL VIEWS

The same system,
seen from three directions.

Each ADR above is a single decision. The structural views that follow show how those decisions compose into a system you can deploy. The layer stack. The three planes. The reference deployment.

The layer stack

FIG · A / VERTICAL SECTION · § 6

A vertical section through the system — from the operator's eyes at the top, down through the four platforms, to the silicon at the bottom. Read it like an architect's section drawing: what sits on what, and where the load is borne.

The dashed rust line is the trust boundary. Anything above it is in scope of our software guarantees; anything below is the customer's, the partner's, or ours-as-hardware-supplier — but it is always inside Indian jurisdiction, by ADR-004.

The layers above the trust boundary are composable by ADR-002: a customer can deploy any subset, in any order, on any compatible substrate.

FIG · A — LAYER STACKREV/A
L · 7 OPERATOR SURFACE Nirnaya
L · 6 DECISION LAYER Nirnaya · Drishti audit
L · 5 COORDINATION Vyooha
L · 4 FUSION Drishti
L · 3 RUNTIME Suraksha runtime
— BNDRY — ↑ TRUST BOUNDARY · ENFORCED IN CODE ↑ ADR-004
L · 2 KERNEL / OS Sovereign Linux · BharOS
L · 1 COMPUTE Jetson · AMD V · Shakti · Param
L · 0 FACILITY Customer / Yotta / CtrlS · India

Three planes

FIG · B / CROSS-SECTION · § 7
PLANE 01 / DATA

The data plane.

How sensor events become decisions. The hot path. Sub-second budget. Owned by Drishti, traversed by Vyooha and Nirnaya.

SENSOR FUSE DECIDE SENSOR CORE SURFACE SENSOR → < 1 s
INVARIANT Provenance is preserved at every hop. No fused track exists without its full sensor chain.
PLANE 02 / CONTROL

The control plane.

How the mesh organises itself. Leader election, ROE distribution, mode transitions. Owned by Vyooha, hosted by Suraksha.

N1 N2 LEAD elected N3 N4 ↑ ROE · MISSION GRAMMAR ↑
INVARIANT Lead is elected, not assigned. Re-elects on loss. ROE travels with the mesh — never assumed at a node.
PLANE 03 / AUDIT

The audit plane.

How every event becomes defensible record. Cryptographically chained, signed at each hop, exportable in CERT-In format. Owned by Suraksha.

EVT 1 EVT 2 EVT 3 EVT n CHAINED LEDGER signed · auditable → EXPORT · CERT-IN FORMAT
INVARIANT Events are append-only. Chain is signed at every hop. Replay is exact. The past is never rewritten.

Reference deployment

FIG · C / DEPLOYMENT TOPOLOGY · § 8

What a customer actually receives, on day one of operation. Not an architecture diagram — a deployment topology, with explicit boundaries between what we ship, what the customer hosts, and what the partner integrates.

Three boundaries are non-negotiable: the trust boundary (ADR-004), the platform contract (ADR-002), and the operator authority line — beyond which no autonomous action is permitted without an operator's commit.

  • → 01Forward edge: sensors, autonomy, on-platform fusion. Drishti and Vyooha live here.
  • → 02Theatre core: regional aggregation, cross-platform mesh, decision graph. Hosted on customer or partner facility.
  • → 03Command surface: operator stations, audit chain, after-action review. Nirnaya operator surface lives here.
  • → 04Sovereign substrate: Suraksha core, model vault, audit ledger. India-region only — by ADR-004.
FIG · C — REFERENCE DEPLOYMENTREV/A
01 · FORWARD EDGE SENSOR UAS / UGV दृष्टि DRISHTI · ON-PLATFORM VYOOHA · NODE 02 · THEATRE CORE DECISION GRAPH · CORE composed VYOOHA mesh aggregator DRISHTI regional fuser SURAKSHA · CORE orchestrator · vault · audit 03 · COMMAND SURFACE निर्णय NIRNAYA · OPERATOR AUDIT REVIEW FIELD EUD · TABLET → FUSED → OPTIONS 04 · SOVEREIGN SUBSTRATE · INDIA-REGION ONLY सुरक्षा SURAKSHA · ORCHESTRATOR · MODEL VAULT · AUDIT LEDGER facility · Yotta / CtrlS / customer DC · India only ↑ HOSTED ON ↑ TRUST BOUNDARY · ADR-004 ↑ ↓ OPERATOR AUTHORITY · ANY ACTION BELOW REQUIRES HUMAN COMMIT PHYSICAL ACTION · KINETIC · EW · EFFECTOR
→ TECHNICAL DEEP DIVE · BY APPOINTMENT

Architecture is not a sales conversation.
It is a technical one.

Each ADR has a longer technical companion document — including code samples, performance characteristics, formal verification status, and red-team test results — released under non-disclosure to qualified evaluators.

REQUEST TECHNICAL DEEP-DIVE → JOIN US ON THIS →