-
Notifications
You must be signed in to change notification settings - Fork 0
Introduction
Welcome to NornGate — the gated runtime for AI agent fleets. NornGate is a deterministic, fail-closed runtime that verifies every consequential action before any side effect occurs. Each decision is explicit, auditable, and controlled.
NornGate inserts control before execution. It does not inspect side effects after the fact.
Most agent systems let actions happen immediately: a retrieval hits storage, a message reaches an API, a workflow mutates state. When something fails, teams often lack a clear approval path or audit trail.
NornGate inserts a required five-gate pipeline in front of those actions. Every request must clear all five gates — G0 → G4, in order — before any side effect is committed.
flowchart LR
R(["Agent request"]) --> G0["G0 · Ingress<br/>authN · keys · rate-limit · allowlist"]
G0 --> G1["G1 · Policy<br/>ABAC / RBAC evaluation"]
G1 --> G2["G2 · Approval<br/>human / automated consent"]
G2 --> G3["G3 · Sandbox<br/>isolated dry-run · no side effects"]
G3 --> G4["G4 · Commit / Arbitration<br/>conflict resolution → commit → ledger"]
G4 --> C(["Side effect committed<br/>billable outcome recorded"])
G0 -. deny .-> D["Denied<br/>verdict written to Urd"]
G1 -. deny .-> D
G2 -. deny .-> D
G3 -. deny .-> D
G4 -. conflict .-> D
| Gate | Name | What it checks |
|---|---|---|
| G0 | Ingress | Authenticates the caller; validates API keys; enforces rate limits and network allowlists. |
| G1 | Policy | Evaluates ABAC/RBAC rules against agent identity, resource type, and request context. |
| G2 | Approval | Requires explicit human or automated consent for high-risk actions. |
| G3 | Sandbox | Executes the action in a temporary environment with no permanent side effects. |
| G4 | Commit / Arbitration | Applies deterministic conflict resolution when agents target the same resource, then commits the verified side effect and records the outcome. |
Silence means no. If a gate cannot explicitly approve the action, the action stops. There are no implicit approvals — a timeout or missing decision becomes a denial. See The Five Gates.
- High-risk action with manual approval — a production model update requires a human approval step at G2 before execution continues.
- Policy evaluation with ABAC input — G1 evaluates request context, agent attributes, and resource attributes together, and passes only on a matched rule.
- Arbitration conflict — when two agents try to write the same record, G4 applies a deterministic winner; the loser is denied, not queued into a race.
Example — a request is denied. The audit ledger records the exact reason. A policy denial for a role that may not touch model resources:
GET /v1/audit?gate=policy&decision=deny&from=2026-07-05T11:00:00Z[
{
"id": "audit_7f3",
"gate": "policy",
"decision": "deny",
"reason": "agent.role 'user' cannot access resource type 'model'",
"requestId": "req_abc",
"timestamp": "2026-07-05T11:32:00Z"
}
]End-to-end multi-agent workflow. A three-agent flow that gathers evidence, scores risk, then requests a final action — each stage bound to the realm that matches its trust posture:
-
Midgard (
app.*) handles user-facing intake. -
Alfheim (
alfheim.*) retrieves required context quickly at the edge. -
Jotunheim (
jotun.*) runs untrusted scoring inside the sandbox (G3). -
Asgard (
asgard.*) owns the final protected approval path (G2 → G4).
AI agents can read, write, execute, and decide. That power needs boundaries. NornGate gives teams a reliable control point before execution, so it can:
- enforce policy before side effects
- capture every decision in an audit trail
- isolate risky work before it reaches production systems
It also prevents race conditions, reduces accidental data mutation, and supports regulated workflows. The platform is default-deny: if a gate cannot confirm, it denies.
NornGate uses Norse cosmology as a system model, not just as branding. The names map to concrete controls, trust boundaries, and recovery patterns.
Yggdrasil is the shared control spine. Requests pass through one observable path so traffic can be watched, metered, and refused. In practice:
- consistent routing between trust zones
- a single place to enforce runtime controls
- distributed tracing across the whole request path
The realms map to trust zones — subdomain = trust zone — so your topology becomes your threat model.
| Realm | Subdomain | Trust posture |
|---|---|---|
| Asgard | asgard.* |
Control plane. Highest trust. |
| Vanaheim | vanir.* |
External integrations. Federated trust. |
| Alfheim | alfheim.* |
Edge tier. Low latency. |
| Midgard | app.* |
User-facing services. |
| Jotunheim | jotun.* |
Untrusted execution. Full sandboxing. |
| Muspelheim | muspel.* |
GPU-heavy compute. |
| Niflheim | nifl.* |
Cold storage. High durability. |
| Svartalfheim | forge.* |
Build and artifact systems. |
| Hel | hel.* |
Dead-letter and failed work. |
| Valhalla | valhalla.* |
Completed job archive and baselines. |
On the count. This is ten realms: the nine cosmological worlds of the Eddic sources, plus Valhalla — traditionally Óðinn's hall within Asgard rather than a world of its own, promoted here to a tenth operational realm for completed-job archival. Full detail in The Nine Worlds.
flowchart TB
Y{{"Yggdrasil · control spine<br/>route · meter · refuse · trace"}}
Y --- ASG["Asgard · asgard.*<br/>control plane · highest trust"]
Y --- VAN["Vanaheim · vanir.*<br/>external integrations"]
Y --- ALF["Alfheim · alfheim.*<br/>edge · low latency"]
Y --- MID["Midgard · app.*<br/>user-facing"]
Y --- JOT["Jotunheim · jotun.*<br/>untrusted · full sandbox"]
Y --- MUS["Muspelheim · muspel.*<br/>GPU compute"]
Y --- NIF["Niflheim · nifl.*<br/>cold storage"]
Y --- SVA["Svartalfheim · forge.*<br/>build / artifacts"]
Y --- HEL["Hel · hel.*<br/>dead-letter"]
Y --- VAL["Valhalla · valhalla.*<br/>completed archive"]
- Urd — a centralized, append-only, hash-chained audit ledger; every gate decision lands here.
- Verdandi — live metrics and latency.
- Skuld — forecasting and anomaly detection.
See Monitoring & Observability.
Recovery is tested before it is needed. Typical drill goals: simulate gate failure, storage corruption, and network partition.
$ norngate-cli drill ragnarok --target=prod --duration=15m
[INFO] starting drill target=prod duration=15m
[INFO] injecting policy timeout delay=30s
[INFO] corrupting cold-storage shard=nifl-03 damage=1%
[INFO] isolating midgard -> asgard network path
[INFO] restoring from checkpoint checkpoint_2026-07-05T12:00:00Z
[INFO] verifying hash chain and audit continuity
[INFO] drill complete recovery_time=12m34s data_loss=0
A DR path that has never been exercised is a hypothesis, not a control. See Disaster Recovery (Ragnarök Drill).
| Property | Technical meaning |
|---|---|
| Deterministic | The same input and state produce the same outcome. |
| Fail-closed | Missing approval means denial, not bypass. |
| Auditable | Every gate decision is written to Urd, a centralized append-only ledger secured by a signed hash chain. |
| Framework-agnostic | Agents can run in any language or stack. |
These properties are enforced by the runtime, not left to application code alone.
- AI engineers building multi-agent systems with strict control requirements.
- Platform and security teams operating LLM services at scale.
- Regulated or high-risk environments that need traceable enforcement.
- Teams that need clear answers to what an agent did and who approved it.
- Read Getting Started for setup and access.
- Jump to Quickstart for your first call.
- Explore Norse Cosmology & Platform Design for the architecture model.
- Review Configuration for runtime settings.
Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — not emoji. The full set is on Home; the runes used here:
| Rune | Name | Gloss | Marks |
|---|---|---|---|
| ᚾ | Nauðiz | need, necessity, constraint | the platform mark |
| ᚦ | Thurisaz | thorn, gateway, warding force | what NornGate does / the gates |
| ᛉ | Algiz | protection, defense | why the gated model matters |
| ᛇ | Eihwaz | the yew, the world-tree axis | platform design |
| ᛖ | Ehwaz | horse, conveyance, movement between | Yggdrasil — the spine |
| ᛟ | Othala | enclosed estate, boundary | trust zones |
| ᛈ | Perthro | the lot-cup, fate, the well of Urd | the Norns |
| ᚺ | Hagalaz | hail, disruption, the necessary crisis | Ragnarök |
| ᛜ | Ingwaz | enclosure, completion | key properties |
| ᚹ | Wunjo | kinship, fellowship | who it is for |
| ᚱ | Raidō | the ride, the road | next steps |
Sources. Snorri Sturluson, Prose Edda (Gylfaginning — the Norns, Yggdrasil, Valhalla, Ragnarök) and the Poetic Edda (Völuspá — the Nine Worlds). Rune meanings follow the Elder Futhark tradition.
Welcome
Getting Started
Core Concepts
Guides
- Guides
- Configuring Gates
- Setting Up Subdomains (Realms)
- Integrating AI Agents
- Monitoring & Observability
- Disaster Recovery (Ragnarök Drill)
- Custom Domains & TLS
Reference
Silence means no.