OSuite OSuite.ai
Sign in Request access
Reference architecture · Action sovereignty

Sovereign action control
for AI agents.

OSuite sits between agent runtimes and enterprise systems. It captures attempted actions, canonicalizes them, resolves authority, issues bounded leases, maps runtime exposure, and writes proof before consequence reaches production.

Request an architecture review See the stack
PCAA authority CAVA action object BAF action leases AREG exposure map
The stack

One governed action path,
top to bottom.

Six layers answer the buyer question: what can the agent do, why can it do it, who approved it, and what proof remains?

Your action boundary — {{ boundaryLabel }}
01 / EMIT
Runtime intake
Catch agent actions where they already happen, before they touch the business surface.
{{ r }}
02 / CANONICALIZE
Canonical action
CAVA reduces messy runtime behavior into one governable object.
{{ exampleA }} {{ exampleB }} {{ exampleC }}
{{ canonicalAction }}
fingerprint{{ fingerprint }}
03 / GOVERN
Authority plane
PCAA assigns final authority. Decision Score explains the route.
{{ classifyLabel }}
{{ classifyDesc }}
{{ decideLabel }}
{{ decideDesc }}
{{ closeLabel }}
{{ closeDesc }}
04 / ENFORCE
{{ firewallTitle }}
{{ firewallDesc }}
{{ p }}
05 / PROVE
Exposure & proof
AREG maps blast radius while receipts remain replay-ready.
timestateactionauthority
{{ row.time }}{{ row.state }}{{ row.action }}{{ row.authority }}
06 / DELIVER
Enterprise surfaces
Only actions with valid decisions and leases reach the real world.
{{ o }}
{{ topoNote }}
What each layer does

Read the blueprint,
layer by layer.

{{ l.n }} {{ l.tag }}

{{ l.name }}

{{ l.desc }}

Action sovereignty

Agents can move fast
without escaping authority.

For OSuite, sovereignty is not a slogan about owning every model. It means the deployer owns the action boundary: who has authority, what approval binds to, where failure can travel, and what proof survives review.

{{ g.n }}

{{ g.title }}

{{ g.desc }}

PCAA authority CAVA canonical objects BAF action leases AREG runtime map Decision Score v2.1
Operating surfaces

What security teams
can finally see.

Action inventory
What agents attempt
Connectors turn Codex, Claude Code, MCP, SDK, gateway and workflow activity into one governed action stream.
Runtime lanes Canonical action classes Low and high-risk split
Runtime exposureCORE SURFACE
What failure can reach
AREG connects agents, tools, systems, boundaries, leases and evidence into a runtime security map.
Blast radius Unverified sessions Dependency risk Exposure backlog
Evidence export
What survives review
Every governed action produces a receipt: CAVA object, PCAA authority, BAF lease, score, outcome and replay path.
Markdown and PDF reports Audit packets SIEM and reviewer handoff

Govern the action path
before agents scale.

Walk one real runtime through OSuite and see the action object, authority route, bounded lease, exposure map and proof bundle it produces.

Request an architecture review Read the docs
OSuite OSuite.ai

The governed action layer for AI agents, built by Ond Holdings.

A product of Ond&Co

© 2026 OSuite.ai · Ond Holdings Inc.