The memory and execution layer for operational AI systems.
We don't build models. We build the two planes that make them operationally useful: a memory plane that restores exactly the right context, and an execution plane that governs every action.
Memory plane — The Rehydration Kernel holds a knowledge graph of decisions, incidents, evidence, and operational history. It exposes an API-first gRPC boundary for deterministic memory ingest, retrieval, temporal traversal, trace, and inspect. Memory is scoped by abouts and dimensions, so the same incident can be navigated through agent, session, timeline, evidence, or cross-incident views without prompt-only reconstruction. Typed explanatory relationships preserve why each piece of context exists. Each resolved incident becomes legitimate context for the next — the kernel accumulates institutional knowledge the way a senior engineer accumulates experience.
Execution plane — The Underpass Runtime provides isolated workspaces with 123 governed tools across 30 families. Every invocation is policy-checked, telemetry-recorded, and feeds a learning loop. A 4-tier recommendation engine (heuristic → Thompson Sampling → Neural Thompson Sampling) learns which tools work best for each context.
Together they form infrastructure, not an application. Any domain that needs institutional memory plus governed action can be built on top.
Underpass is deployed alongside a client's existing infrastructure. The client's systems (observability, CI/CD, ERPs, operational platforms) produce domain events following an AsyncAPI contract. Underpass agents consume these events, investigate real systems, and act through governed workflows.
Client infrastructure produces domain event (alert, deviation, deadline)
→ Specialist agent investigates the real system (code, metrics, data)
→ Kernel restores scoped historical context and navigable timelines
→ Agent acts via governed runtime tools (patch, test, deploy, report)
→ Evidence recorded → Policies improve → Kernel enriched
→ Next similar event: faster, more confident resolution
Each agent is a specialist with a defined purpose, autonomy boundary, and success criteria. Local models (Qwen 9B) handle routine work. Frontier models (Claude) only appear where reasoning quality justifies cost.
Kernel + Runtime are domain-agnostic. Any workflow that requires agents acting on real systems with institutional memory and auditable execution:
Software engineering
- Production incident resolution — alert to deployment to recovery confirmation
- Security vulnerability remediation — CVE triage across services
- Codebase migration — framework upgrades with accumulated patterns
- Infrastructure drift detection and correction
Beyond software
- Supply chain disruption response — sourcing, logistics, negotiation
- Clinical trial protocol deviations — classification, CAPA, regulatory filing
- Financial regulatory reporting — extraction, reconciliation, submission
- Legal contract analysis — risk scoring, precedent search, redlining
- Manufacturing quality control — sensor correlation, containment, 8D reports
- Insurance claims processing — verification, fraud detection, adjudication
- Energy grid anomaly response — real-time load balancing, protection
- Talent acquisition optimization — bottleneck analysis, process intervention
The common pattern: domain event triggers specialist agents → kernel provides institutional memory → runtime governs execution → each resolution enriches the next.
| Component | Ownership | Examples |
|---|---|---|
| Kernel + Runtime | Underpass | Memory graph, governed tools, agent fleet |
| AsyncAPI contract | Underpass (spec) | Event schema the client must conform to |
| Integration adapter | Client (implementation) | Alert relay, CI/CD hooks, ERP connectors |
| Application services | Client | payments-api, order-svc, etc. |
| Observability | Client | Prometheus, Grafana, PagerDuty, Datadog |
| CI/CD | Client | GitHub Actions, Jenkins, ArgoCD |
| Plane | Repository | Language | What it provides |
|---|---|---|---|
| Execution | underpass-runtime |
Go | 123 governed tools, K8s workspaces, adaptive recommendations (Heuristic → Thompson → NeuralTS), tool.suggest, policy.check, mTLS, 17 E2E tests |
| Memory | rehydration-kernel |
Rust | API-first KernelMemoryService gRPC surface, deterministic context retrieval, multidimensional memory, temporal traversal, trace/inspect, evidence-backed Ask, MCP live adapter, Helm and public-ingress E2E coverage |
- Security: TLS 1.3 on all transports, policy engine with RBAC, CodeQL + SonarCloud
- Testing: 80% coverage gates, live Kubernetes E2E tests, Helm tests, fail-fast contracts, no fallbacks
- CI/CD: Automated image builds on merge, all images share Chart.appVersion
- Observability: Domain quality metrics, OTel tracing, structured gRPC request/response logging
The kernel's value grows with every resolved incident. The first resolution is slow — agents investigate from first principles. The tenth is fast and confident — the kernel has real context from nine previous investigations. Switching away from Underpass means losing accumulated institutional knowledge. This is the moat.
Autonomous incident resolution and replayable operational memory — applying Runtime + Kernel to systems where specialist agents autonomously detect, investigate, and resolve production incidents. Event-driven orchestration, governed execution, and institutional memory from past resolutions are exposed as a navigable process: what happened, what each agent knew, where the path forked, what evidence mattered, and why the final resolution worked.
Core infrastructure is deployed and validated on live Kubernetes clusters with full mTLS. The production incident demo runs end-to-end: real Grafana alert fires → agents investigate real code → agents deploy fix through real CI/CD → service recovers → alert resolves.
The Rehydration Kernel now includes a typed KernelMemoryService gRPC API for memory ingest, deterministic Wake/Ask, temporal navigation (Goto, Near, Rewind, Forward), graph path tracing, and node inspection. Memory dimensions are namespaced by about, scoped explicitly, and can intentionally traverse multiple abouts when requested. The MCP integration consumes the same public API instead of private adapter paths.
Underpass AI is a project created by Tirso Garcia Ibañez.
Public repositories are released under Apache-2.0. Where present, LICENSE and NOTICE files define redistribution and attribution requirements.
Created by Tirso Garcia Ibañez · LinkedIn
