The KWAM architecture
KWAM keeps a fleet's application Python and data alive across AI-accelerator fleets, engineered to 10k–100k node scale. Five layers — a declarative language, a deterministic codec runtime, an NMS/HUD server, a consent-gated client, and an embeddable SDK — are bound by a transport, an identity model, and the JHMM reconstruction orchestrator. The contract underneath them all: no silently-corrupted bits.
Each layer does one job, with a guarantee it can defend. Deterministic codecs produce every byte; the model is advisory only.
| Layer | What it does | Guarantee |
|---|---|---|
| Language (DSL) built | Declarative config that co-specifies discovery, replication, the SLA guard, authorized deploy, RBAC, and metrics: the language runtime (lexer→parser→interpreter). | One file specifies the whole resilience policy; nothing is implied off-document. |
| Codec runtime built | Deterministic Reed–Solomon / LRC / fountain codecs, durability math, and the healer: the codec runtime. | Produces every byte; each fragment is SHA-256 gated. No silently-corrupted bits. |
| NMS + HUD server built | Observability, fleet topology, durability SLA, and live metrics: the server. | Telemetry is labeled simulated:true, source:MODELED; only RS fragments are real_bytes:true. |
| Client (kwamd) built | Per-node micro-service: CAS chunk store, compile cache, hot-swap shim, SWIM membership, P2P serve, DCGM/NVML health telemetry, plus a local ollama model and an adversarial red-team self-check. This is the client. | A read-only responder on a dedicated mTLS port; never self-mints consent. |
| Embeddable SDK built | from kwam import protect, recover: erasure-code bytes into signed, content-addressed fragments and rebuild them fail-closed. | Any k of n fragments rebuild the exact original, or recovery raises. |
Built & shipping The language, codecs, discovery, heal, SDK, and HUD are built and in production. Production kwamd on real QUIC/mTLS at fleet scale is production-tested and live with the KWAM server, and is ready to scale in H100 datacenters today. The one thing we still model is the HUD's public demo fleet, which is simulated and labeled as such; we label which is which everywhere rather than blur the line.
LIVE vs MODELED: a first-class design principle Labeling is not an afterthought; it is a contract the whole stack honours. Real clients, real bytes, real round-trips, and real hardware reads are surfaced as LIVE; modeled scale and any fleet beyond what is actually connected stay MODELED; and anything KWAM cannot read is reported as unavailable rather than guessed. The boundary travels with every record.
The DSL co-specifies discovery, replication, the SLA guard, authorized deploy, RBAC, and metrics. The control plane gives that policy a canonical vocabulary.
A declarative configuration language: the language runtime runs lexer→parser→interpreter. One file names what to protect, how to replicate it, and what the SLA guard must hold. Read the language reference →
The canonical vocabulary shared across the stack: ports, capabilities, sandbox tiers, and the consent shape. Every layer speaks the same nouns, so a policy means the same thing end to end.
Bounded and read-only by design: a capped candidate set, HTTP GET only. It maps what is reachable; it is never a scanner.
QUIC + TLS 1.3 is the primary path; mTLS is the fallback. Every deploy and replica node proves who it is in hardware.
QUIC + TLS 1.3 carries KWAM MPLS-style label-switched frames: a CBOR payload with Ed25519 frame signatures, roughly 7 hops at fanout 8. Where QUIC cannot run, gRPC-over-mTLS is the fallback.
Every node carries a SPIFFE/SVID:
spiffe://<trust-domain>/<tenant>/<cluster>/<az>/<pod>/<node>/<workload>
Hardware-rooted attestation is required for any node that deploys code or holds a replica.
KWAM recognizes a curated set of vendor-verified accelerator and CPU families. For anything it does not recognize, it preserves the raw vendor string as reported rather than guessing a family. An unknown part is carried honestly, never relabeled into a match.
Where the layers listen
The layers communicate over a small set of mTLS-gated control, data, and metrics ports. The client exposes a read-only responder on a dedicated mTLS port and never self-mints consent.
Data plane: GET /chunk/{cid}, where cid = sha256:<64hex>.
The John Harris Milling Machine plans and drives recovery. It never produces a data byte; deterministic RS codecs do, content-verified and SHA-gated.
When a fault domain drops, the JHMM walks a fixed loop: detect → isolate → plan → drive codec → SHA-gate. It decides what to rebuild and from which surviving fragments, then hands the actual reconstruction to the deterministic codec and verifies the result against the object's content hash.
It is advisory: it orchestrates the recovery, it never mints the bytes. That separation is deliberate: it keeps the byte-producing path deterministic and content-verified, with no model in the data lane.
A living tribute
Named for Joe Harris's grandfather John — "Papa John" — and his 1987 milling plant. The name is honoured in full: a machine that measures, plans, and rebuilds to spec. It orchestrates; it does not improvise the part.
Raft holds only the small, must-agree state. Per-bit placement is gossip; it does not need a quorum to be correct.
Only low-cardinality state that must agree: the auth / spent-token set, trust roots, channel→cid pointers, and rollout sequencing. Small enough to keep cheap; critical enough to keep consistent.
The per-bit placement census, which fragment lives where, is an eventually-consistent replica census. It heals toward truth without bottlenecking on consensus.
Why split it Putting per-bit placement in raft would make the consensus log enormous and slow. Putting trust roots in gossip would make forgery a race. KWAM splits state by what each piece actually needs: agreement, or convergence.
From the DSL down to the SHA-gated fragment, KWAM is one honest contract. Tell us about your fleet and we'll scope a deployment.
KWAM is our intellectual property, grounded in Swiss law.
KWAM — its source code, the KWAM language, the JHMM reconstruction orchestrator, the deterministic codec runtime, and all associated AI components — is a proprietary computer program and the sole and exclusive intellectual property of KWAM.CH. As a computer program it is a protected work under the Swiss Federal Act on Copyright and Related Rights (Copyright Act, CopA), and the exclusive rights of use vest in KWAM as employer; it is further protected as a trade secret under the Swiss Federal Act Against Unfair Competition (UCA). KWAM is offered by private licence only. All rights reserved.
CopA (SR 231.1) Art. 2 para. 3 & Art. 17 · UCA (SR 241) Art. 6 · Governed by the laws of Switzerland · Place of jurisdiction: Zürich