Evaluate Bastion

What you can verify

Bastion is designed to be evaluated against claims, not taken on faith. Each of these is verifiable during an evaluation engagement:

• Policy gate behavior: the /readiness endpoint exposes the active policy hash and load age - you can confirm the policy file on disk matches what the gate is evaluating against. Test structured refusals by submitting directives that violate your policy rules and confirming the PolicyRefusal response includes the correct ruleId and correlationId.
• Offline ledger audit: generate a test run of operator directives, then verify the hash-chain from file using the offline CLI with no live system connection. Confirm Merkle checkpoints, signature validity, and that the policy hash recorded in each entry matches the known policy artifact version.
• HOLD and reintegration: simulate an uplink loss by interrupting the Bastion-to-TheatreManager connection. Confirm the Theatre Manager enters HOLD and does not continue on stale instructions. Restore connectivity and confirm reintegration gates on the IRONLAW reconcile channel before desired-state dispatch resumes.
• LLM egress controls: configure a deny-by-default egress policy with an explicit allowlist of inference endpoints. Confirm that inference calls to unlisted endpoints are blocked at the network layer, not just logged. Test that credential passthrough to an allowed endpoint is explicitly opt-in and does not propagate to other endpoints.

Deployment options for evaluation

• Your VPC: Bastion deploys into your existing cloud infrastructure. We provide runbooks for TheatreManager enrollment, edge integration, and PKCS#11 PKI wiring compatible with SoftHSM2 for initial evaluation.
• Air-gapped environment: core governance operations - IRONLAW policy evaluation, ledger recording, and offline verification - do not require internet access or external dependencies. We work with your network security requirements from the start.
• Hardware security modules: the CA signing backend is pluggable via PKCS#11 RFC 7512 URI, compatible with SoftHSM2 for evaluation and hardware tokens (Nitrokey, YubiKey HSM, network HSMs) in production. Certificate renewal happens at runtime without restarting either process.

What an engagement-based evaluation delivers

• A working Bastion instance in your infrastructure with your PKI and your IRONLAW policy files
• IRONLAW doctrine artifacts - the full governance rules, policy schema, and machine-readable examples - for your legal and compliance team to review
• Evidence pack tooling and runbooks so you can run the offline ledger audit independently
• Direct access to the team that built the platform - not a solutions engineer reading from a demo script

How to start

Reach out to [email protected] or book a discovery call below. We start with a conversation about your regulatory environment, existing architecture, and what governed agent operations look like in your context - then scope the evaluation to what your team needs to make a real decision.