Your architecture.
Live. Enforced.
Substrate continuously reads your actual systems — GitHub, Kubernetes, Terraform, Jira — builds a live graph of reality, and blocks violations before they reach production.
AI queries the graph. Humans set the rules. The graph enforces them.
Reality, captured automatically.
Not drawn by humans.
Substrate ingests signals from every system your team touches and builds a continuously updated graph of what actually exists — not what someone thinks exists.
The graph is never drawn. It is computed. Engineers stop maintaining stale diagrams and start querying living reality.
Blocked before it ships.
Not discovered in production.
Policies are deterministic Rego rules — not probabilistic AI suggestions. When a PR violates an architectural boundary, it does not merge. No exceptions.
POLICY-004.rego
    # POLICY-004: PCI Boundary Enforcement
    # ADR-023 · Created: 2024-11-15 · Last triggered: 2 hours ago
    package substrate.policies.pci

    import future.keywords.if

    deny[msg] {
        # Any service in the payment domain
        input.source.domain == "payment"
        # Accessing a datastore directly
        input.target.type == "database"
        # Without routing through the gateway
        not input.via_gateway
        msg := sprintf(
            "POLICY-004: %v bypasses gateway — PCI boundary violated",
            [input.source.name]
        )
    }
github — pull request review
payment-service → postgres direct connection violates PCI boundary
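An added example, not code from the page or from the Substrate project: a Rego unit-test file for POLICY-004 as shown above, runnable with `opa test` against that policy. The input field names (source.domain, source.name, target.type, via_gateway) are taken from the rule; the test package name and the sample inputs are constructed, and the last case checks the fail-closed behaviour when the via_gateway field is absent.

```rego
package substrate.policies.pci_test

import data.substrate.policies.pci

# Constructed input: a payment-domain service opening a direct
# database connection, the case the page's PR review flags.
direct_db_access := {
    "source": {"domain": "payment", "name": "payment-service"},
    "target": {"type": "database", "name": "postgres"},
    "via_gateway": false,
}

# The direct connection must produce exactly one deny message
# naming the offending service.
test_direct_connection_denied {
    msgs := pci.deny with input as direct_db_access
    count(msgs) == 1
    startswith(msgs[_], "POLICY-004: payment-service bypasses gateway")
}

# The same edge routed through the gateway is compliant.
test_gateway_routed_connection_allowed {
    routed := object.union(direct_db_access, {"via_gateway": true})
    count(pci.deny with input as routed) == 0
}

# Services outside the payment domain are out of POLICY-004's scope.
test_non_payment_domain_out_of_scope {
    other := object.union(direct_db_access, {
        "source": {"domain": "inventory", "name": "inventory-service"},
    })
    count(pci.deny with input as other) == 0
}

# Because the rule uses `not input.via_gateway`, an input that omits
# the field entirely is still denied: the policy fails closed rather
# than letting an incomplete graph edge slip through.
test_missing_via_gateway_field_is_denied {
    missing := object.remove(direct_db_access, ["via_gateway"])
    count(pci.deny with input as missing) == 1
}
```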
Every decision has context.
That context survives turnover.
Substrate stores not just what your architecture looks like — but why each rule exists. Incidents, ADRs, and policy reasoning are first-class graph nodes connected by WHY edges.
Causal chain — incident to enforcement
Auth bypass — production incident
Payment service bypassed API gateway, allowing unauthenticated database access for 4 hours.
All payment domain traffic must route through API Gateway
Formalised after POST-042. No service in the payment domain may open a direct connection to any datastore.
PCI Boundary Enforcement — Rego rule
Deterministic enforcement of ADR-023. Evaluates every PR diff against the live graph.
PR blocked — "feat: direct postgres connection"
David Chen's PR was blocked automatically. The reasoning traced back to POST-042 in plain English.
Why does payment-service have to route through the gateway?
In November 2024, an auth bypass incident (POST-042) exposed the payment database to unauthenticated traffic for 4 hours. ADR-023 was drafted the same week, mandating that all payment domain services route through the API gateway without exception. POLICY-004 encodes this as a deterministic rule and has blocked 3 PRs since, including PR #4412 (2 hours ago). The gateway routing requirement is not a preference. It is a compliance boundary enforced by the PCI policy framework.
Built for the era where AI and humans
govern systems together.
The AI is the interface. The graph is the truth. Humans are the policymakers. Each has a role — and none replaces the others.
Query the entire architectural history, policy chain, and dependency graph in natural language. The AI reads the graph; it does not guess.
Policies are written by engineers as Rego code — not inferred by a model. The AI enforces what humans specify, not what it thinks is right.
All inference runs locally via vLLM. No code, no ADRs, no architecture data is sent to any external API. Air-gapped enterprise ready.
When the policy engine blocks a PR, it is not an AI opinion. It is a computed result from a rule against a graph. Reproducible. Auditable. No hallucinations.
What is the blast radius if I remove the auth service?
Removing auth-service affects 6 downstream services. The API Gateway, Order Service, and Payment Service depend on it directly. All 3 would lose token validation. ADR-011 mandates that all services validate JWT via the auth layer. Removing it would violate POLICY-001 and POLICY-004 simultaneously.
Simulated drift score: 0.08 → 0.71 (+0.63)
Can I replace it with a sidecar pattern instead?
Yes, conditionally. ADR-011 specifies the auth layer requirement but does not mandate a standalone service. A sidecar pattern is policy-compliant as long as:
1. JWT validation occurs before business logic
2. The JWKS endpoint remains centrally managed
3. The change is recorded as ADR-027
Shall I simulate the graph diff?
Knowledge that survives headcount changes.
The average engineer stays 2.1 years. Every departure erodes the reasoning behind architectural decisions. Substrate turns institutional memory into infrastructure.
Ready to make your architecture
computable?
Open-source core. Self-hostable. Air-gapped enterprise available.