Principles

Non-negotiables.

How SYMMACHY operates, decides, ships, and responds. Every principle is enforceable in code, in continuous integration, or in the founder's signature on a refused engagement.

A. Engineering

A.1: Evidence is the product. If a claim cannot be verified by a third party against a public log, the claim does not ship.
A.2: Frontier components, fortress integration. State-of-the-art parts, but stitched with reproducible builds and signed manifests, not duct tape.
A.3: The simulator is canonical. Behaviour proven in the digital twin precedes any change to the live fleet.
A.4: No deploy without a destruct path. Every system has a tested rollback and a customer-accessible kill-switch.
A.5: Reversibility wins over speed. A reversible decision in twenty-four hours beats an irreversible one in one.
A.6: No black-box autonomy. Every autonomous decision must be reconstructable from the public log without our cooperation.
A.7: Software-first hardware. The hardware envelope serves the software contract, not the reverse.
A.8: Production-grade or no-go. We do not ship demos that we would not run for ourselves.
A.9: Two providers minimum for anything load-bearing. No single-vendor lock-in on the protection path.
A.10: Cost is a security property. A system the customer cannot afford to keep running is a system that will be turned off.

B. Operating

B.1: Authority of Use is the contract. Operations outside its scope require a new signature, not a workaround.
B.2: Refused engagements are visible. Public summaries quarterly, never the counter-party, always the principle.
B.3: No single customer above 35% ARR. Independence is structural, not aspirational.
B.4: Incident response is a P0 product. Runbooks are signed, drills are scheduled, evidence is portable.
B.5: Post-mortems are blameless and signed. The signature is the accountability; blame is not.
B.6: Quarterly drills, not annual audits. Continuous proof beats periodic theatre.
B.7: Customer never sees a stack of vendors. SYMMACHY integrates upstream complexity so the customer sees one accountable surface.
B.8: Documentation is a deliverable. Undocumented behaviour does not exist for the customer or the auditor.

C. Security

C.1: Zero-trust by default, everywhere. Identity, device, network, workload — verified continuously.
C.2: No long-lived secrets. Short-lived credentials, hardware-backed where the threat model warrants.
C.3: Customer-managed keys for customer data. Revocation is in the customer's hands and takes seconds, not tickets.
C.4: Supply-chain integrity is non-negotiable. Reproducible builds, SLSA Level 3 minimum, every artefact signed.
C.5: Adversarial mindset is continuous. Internal red team operates against every release.
C.6: Data minimisation by design. We do not collect what we do not need; what we collect, we explain.
C.7: Fail-safe physical default. When in doubt, autonomous physical systems halt safely; they do not improvise.

D. AI

D.1: Models are policy-bounded. Input domain, output schema, latency, and refusal behaviour are signed before deployment.
D.2: Provenance for every output. Model id, version, input and output hashes, policy hash — recorded and verifiable.
D.3: Hallucination is a security event. It is triaged with the same rigour as a credential leak.
D.4: Frontier risk evaluation is continuous. New capabilities trigger a new risk pass before they reach the customer.
D.5: Refuse to deploy models we cannot turn off. The kill-switch is part of the model, not a layer above it.
D.6: Human in the loop, by default, for irreversible actions. Removal of the human requires a documented Authority of Use clause.

E. People

E.1: Mission over title. The Charter outranks the org chart.
E.2: Founders carry the radio. The founders are personally on-call until security and operations leads are hired.
E.3: The first ten hires define the next hundred. We hire slow.
E.4: Compensation is transparent inside, public-band outside. No private negotiation, no asymmetric information.
E.5: Equity is meaningful, not symbolic. Vesting is real, the band is published, the upside is shared.
E.6: Remote-first, gathering-disciplined. Asynchronous by default, with structured in-person rituals for trust and direction.