
Parinita Crucible

Sovereign AI Network OS — per-packet identity enforced at the NIC, below the OS.

Crucible sits above Opera (Instrument/Maestro/Orchestra) and below Conduit and Corridor in the Parinita stack. It's the control plane for identity, policy, and routing — encoding Orchestra's workload-placement decisions as cryptographic identity in every packet, and validating that identity at the ConnectX-7 NIC via eBPF/XDP before the kernel ever sees it.

What it does

  • Identity in every packet

    Format: tenant.plane.pop.workload-uuid.service-class. Packets without a valid Ed25519/JWT token signed by an Instrument-managed FIPS HSM key are dropped at the NIC before the kernel runs an instruction.

  • Sub-second revocation

    Identity revocation propagates to all 101 POPs via NATS JetStream within one second. No more "we'll patch the firewall by next Tuesday."

  • Zero-trust inside every POP

    WireGuard/UDP tunnels pre-positioned across every required path — intra-plane, inter-plane, inter-POP — with ChaCha20-Poly1305 in software AVX-512 plus IPsec/AES-GCM hardware offload at line rate.

  • Two consistency tiers

    Strong consistency with synchronous Chrysalis ack (blocking) for ITAR/HIPAA/Financial. Eventual consistency for standard workloads. Pick by data classification, not by code path.

  • Sovereign egress below the OS

    An XDP program intercepts packets attempting to leave the sovereign fabric and reroutes them through approved private circuits — never via the public internet for regulated workloads.

How it works

Crucible’s identity format encodes everything needed for routing and policy in the packet header itself: tenant.plane.pop.workload-uuid.service-class. Identity admission is enforced by the ConnectX-7 ASIC running an eBPF/XDP program — a packet without a valid Ed25519/JWT token signed by an Instrument-managed FIPS HSM key is dropped at the NIC before the kernel runs a single instruction. Identity revocation propagates to all 101 POPs via NATS JetStream within one second.
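The admission decision described above, modelled in user-space Go as an added example (not Parinita's code and not an XDP program): it verifies a compact EdDSA-signed JWT, parses the five-field identity, and applies a revocation set. That the identity travels in the `sub` claim and that revocation is keyed by workload UUID are assumptions made for illustration; expiry and other claims are not checked here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Identity mirrors the page's format: tenant.plane.pop.workload-uuid.service-class.
type Identity struct{ Tenant, Plane, POP, WorkloadUUID, ServiceClass string }

// ParseIdentity splits the five dot-separated fields and rejects empty ones.
func ParseIdentity(s string) (Identity, error) {
	f := strings.Split(s, ".")
	if len(f) != 5 || strings.Contains("."+s+".", "..") {
		return Identity{}, errors.New("identity needs 5 non-empty fields")
	}
	return Identity{f[0], f[1], f[2], f[3], f[4]}, nil
}

// Admit verifies a compact EdDSA JWT, then applies the revocation set.
// Assumptions: identity is in the "sub" claim; revocation is keyed by workload UUID.
func Admit(token string, pub ed25519.PublicKey, revoked map[string]bool) (Identity, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return Identity{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(p[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return Identity{}, errors.New("alg must be EdDSA") // rejects alg=none and downgrades
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return Identity{}, errors.New("bad signature")
	}
	var claims struct{ Sub string `json:"sub"` }
	cb, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(cb, &claims) != nil {
		return Identity{}, errors.New("bad claims")
	}
	id, err := ParseIdentity(claims.Sub)
	if err == nil && revoked[id.WorkloadUUID] {
		err = errors.New("identity revoked")
	}
	return id, err
}
```

The claims are decoded only after the signature verifies, so unauthenticated input never reaches the identity parser.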

WireGuard/UDP tunnels are pre-positioned across every required path (intra-plane, inter-plane, inter-POP), with ChaCha20-Poly1305 in software (AVX-512 optimized on x86) and IPsec/AES-GCM wrapping the WireGuard payload via ConnectX-7 hardware offload at line rate — zero-trust posture even within a single POP. The CRDT routing table on Plane 8 supports two consistency tiers: strong (with synchronous Chrysalis acknowledgment, blocking until confirmed) for ITAR/HIPAA/Financial, and eventual for standard workloads.

Crucible vs Corridor

These two are easy to confuse. Crucible owns identity, tunnel keys, eBPF/XDP enforcement, the CRDT routing table, sovereign egress, DNS, and per-flow heartbeats. Corridor owns the WAN path arbitration and dynamic carrier failover above that. Crucible decides what’s allowed; Corridor decides how it moves.

What it isn’t

A firewall or SDN controller in the traditional sense. Crucible enforces workload identity at the NIC; the rest of the network reads what it publishes. If you’re not assigning identity to every workload, you’re not using Crucible.

Part of the Parinita AI Edge


Every Parinita product runs on the same 9-plane fabric across 101 edge POPs.