This is the screen a store manager, facilities lead, or security supervisor sees. They ask in plain language through whatever channel fits the moment. The answer comes back with the data, the footage or sensor history, and an action they can take on the spot.
Channel — how this question reaches the brain
Operator console
Try one:
Answer tier 0 · local
Pick a question on the left. The answer renders here — data, media, and an action button.
Predictive — things the system surfaces before you ask
The seven layers · two planes · one signed link
How a question moves through the system
Click Run a query to watch one question travel the stack: in through a source, up through inference and events, answered at the top, with an action sent back down. Click any layer for what it does and what has to be built.
Data plane — runs fully on the appliance, no cloud required
▲ signed · async · validated link ▲
Control plane YYZdata cloud · or single-tenant
model registry · policy distribution · OTA orchestration · fleet health · billing · license
Layer detail
Click a layer to inspect it.
The one property everything rests on
Data plane is self-sufficient
Cut the link to the cloud and the box keeps detecting, alerting, storing, and answering local queries. The control plane makes the fleet manageable; it is never required for a site to do its job.
Providers & hardware abstracted
Code calls an interface, never a specific model or chip. Swap a model, swap an accelerator, add a sensor type — all configuration, not a rebuild. This is why a small team can hold it.
Everything signed
Models, policies, adapters, actions, UI — every artifact crossing to the box is signed and validated against a key set at install. The box trusts nothing else. This is the backbone of updates and security.
Drop-in setup · the system tells the customer what they need
From box on the dock to running, in four moves
No sizing compute, no picking models, no writing rules. The appliance finds what is on the network, the customer says what they do, the system proposes a working configuration, and they accept or tune. Step through it.
What the installer (you) physically does
Rack or shelf the appliance and give it power and a network path to the cameras and sensor systems. One box per site for Lite and Standard; Enterprise may pair two for redundancy.
Provision the trust key at install — the public key the box uses to validate every artifact the control plane later sends. This is the one security-critical manual step.
Grant read access to the VMS or NVR, the BACnet network, and the MQTT broker. Read-only to start; write access (for HVAC or signage actions) is enabled later by policy once the customer signs off.
Run guided setup (the four moves above). Discovery does the finding; you confirm the zone mapping on the floor plan, since only a human knows that "Camera 7" is "the loading dock."
Hand over the operator app and channels. Walk the customer through asking their first real question. They are live.
Typical first install runs a half to a full day for a Standard site, most of it spent confirming zone mappings and access, not on software. Lite self-install is the target for v1.5 once discovery is hardened.
Three change types · one signed pipeline · automatic rollback
Updating and managing the fleet
A threshold tweak, a new model, a security patch, a regulatory rule — all ship the same way: signed by the control plane, validated by the box, canaried on a slice, staged out, rolled back automatically if health drops. Run the pipeline below.
What are we shipping?
Over-the-air pipeline
Fleet health — what you watch day to day
The policy change you'll get asked about
A new state biometric-privacy law takes effect. Here is the entire engineering effort to comply:
Author a compliance bundle (constrains what models may compute + store)
Control plane reviews, signs it
Canary to affected sites in that state
Each box validates signature, hot-reloads — no restart
Every event from now records the new policy version
Stage out to all sites in the state; fleet view confirms coverage
No code changed. No site redeployed. Auditable to the per-event policy version. This is the claim worth making your engineer try to break.
What engineering actually has to do
The build, by layer and by release
Effort is sized in engineer-weeks as a planning estimate, not a quote. It assumes a small team building against the abstractions, reusing open-source where the architecture allows. Toggle a release to filter. Numbers are placeholders for your engineer to challenge.
Total scope shown
0eng-weeks
At a 3-engineer team
0calendar weeks
Calendar assumes parallelism across the three engineers and ~20% overhead for integration and review. A realistic v1 is roughly a quarter to two for a focused team.
Roles you need to staff this
ML / CV engineer
Owns layers 2–3: the hardware abstraction backends, model conversion and quantization, the vision and sensor model set, and the provider adapters. The hardest hire and the most load-bearing.
Platform / backend engineer
Owns layers 1, 4, 5, 6 and the control plane: ingest adapters, the event store and schema, the policy engine, the action modules, and the signed OTA pipeline.
Product / full-stack engineer
Owns layer 7 and the experience: the query layer and LLM router, the operator app and channels, and the guided install wizard. The face of the product.
The three roles map cleanly to Amrit, Akash, and one hire. The provider abstraction is what keeps this a three-person build instead of a ten-person one — if that interface leaks, the with-partner and without-partner paths become two codebases and the team triples.
Interactive. Change a number and the model recalculates. Capital figures are clearly-marked placeholders pending your A20 / partner BOM. Electricity uses the Dominion Energy Virginia rate you validated (11.28¢/kWh). Nothing here is a price quote.
⚠ Placeholder figures. The appliance capital costs below are estimates to make the model run, not sourced BOM numbers. Replace with real partner quotes before this informs a price or a margin claim.
Appliance tier
Assumptions — drag or type
Per-site economics
Query cost by routing tier — why "ask anything" doesn't blow the budget
Monthly query cost at this mix
Tier 0 runs on the box you already paid for — its marginal cost per query is effectively zero. The whole router design exists to keep most queries on tier 0 and only escalate the few that need it. That is the difference between a healthy gross margin and paying a per-query API bill on every operator question.
Three honest open questions on cost
Real BOM
Every capital number here is a placeholder. The A20 / partner BOM decides whether the appliance margin is healthy or thin. This is the single biggest unknown.
Tier-1 GPU load
The self-hosted 70B tier and the predictive layer run on our GPUs. At fleet scale that is a real fixed cost that has to be spread across enough sites to stay cheap per query.
Support load
Not modeled here. A fleet of edge boxes in the field carries a human support cost that grows with site count and has to be priced into the subscription.