killinchu · Drones & Vessels

SZL Holdings · Governed Counter-UAS & Maritime C2

Counter-UAS that proves every decision.

killinchu is a governed counter-UAS and maritime command-and-control layer. Every engagement passes a Lean-checked rules-of-engagement gate, is agreed by a Byzantine-fault-tolerant witness quorum, and ships a signed engagement receipt you can verify offline. Human on the loop; effector action is SIMULATED.

UTC ————-——-—— ——:——:——Z DOCTRINE v11 LOCKED LIVE

What it is

One field tool for air and sea.

killinchu is the hands-on console an operator uses in the field. It watches live tracks, fuses what the sensors see into one picture, applies the rules of engagement under human authority, and screens vessels at sea — and it writes a signed, checkable record of every decision.

AIR · 01

Live track board

Real-time drone tracks with classification, severity, and telemetry — sorted hostile-first so the operator sees the threat that matters now.

FUSION · 02

Sensor fusion

Radar, RF, and optical inputs are reconciled into a single confident track instead of three noisy ones the operator has to merge by hand.

RULES · 03

Engagement rules

Rules of engagement and geofences are enforced before any action. Defensive by doctrine — every engagement requires a human on the loop.

SEA · 04

Maritime screening

Sanctions and dark-vessel checks for ships that go quiet. Runs on sample / replay AIS data today — a demonstration, not a live feed.

Honest by design: much of what you see is a demonstration on sample / replay data, and the effector is SIMULATED — killinchu governs and records the decision; it does not fire anything. What is genuinely real is labeled , and every receipt signature is real.


The differentiator

Three gates on every engagement — and a receipt to prove it.

Anyone can put a track on a screen. killinchu is different because no engagement decision leaves the system until it clears three independent checks, and the whole chain is sealed into one signed artifact a buyer can verify without trusting us.

GATE · 01

Lean-checked ROE gate

Rules of engagement and geofence containment are enforced by a deny-by-default gate whose safety properties are machine-checked in the Lean theorem prover. Not a config file you can quietly loosen — a proven gate.

GATE · 02

BFT witness quorum

A 3-of-4 Byzantine-fault-tolerant quorum of independent witnesses (Policy / Reasoning / a11oy / Killinchu) must agree before an engagement is admitted. One faulty or compromised node cannot force an action.

GATE · 03

Signed engagement receipt

The decision, its inputs, the gate result and the quorum are sealed into a DSSE envelope signed with a real ECDSA P-256 key and chained into a tamper-evident ledger. Verify it offline — no SZL service required.


Part of the SZL governed substrate

The field tool. The substrate decides how it's allowed to act.

killinchu is one surface of the SZL governed substrate — it runs the same governance brain as the a11oy Command Platform: the same Trust Score gate, the same signed receipts, the same Lean-checked doctrine. The substrate sets the policy; killinchu carries it into the field. A decision made at a forward site verifies against the exact same key and rules as the headquarters console.

TRUST SCORE Research conjecture
0.——— floor 0.90

A single trust number aggregated across 13 honesty axes (soundness, calibration, provenance, attestation, auditability…). It must clear the floor before any engagement is permitted.

SIGNED RECEIPT ————————

Live proof from this Space

Real numbers, pulled live — honest if it's slow.

These tiles read killinchu's own endpoints on this Space right now. If an endpoint is slow or unreachable, the tile says so rather than faking a number.

Drones tracked —— /threats/active · total_tracks
Active threats —— /threats/active · active_threats
Drone fingerprints —— /drones/database · count
Trust score —— /lambda · 13-axis aggregate

Reading live endpoints…


Verify it yourself

Don't trust us. Check the signature.

Every decision is sealed with a real ECDSA P-256 signature over a signed envelope, using the same cosign keypair the signer holds. The public half is published on this Space. You can verify a receipt offline — no SZL service required.

keyid szlholdings-cosign
ledger root ————————
OFFLINE VERIFY — 3 STEPS
# 1 · get the public key (published on this Space)
curl -s /cosign.pub -o cosign.pub

# 2 · export a real signed receipt
curl -s /api/killinchu/v1/receipt/export \
  -o receipt.json

# 3 · verify the signature — no SZL service needed
cosign verify-blob --key cosign.pub \
  --signature sig.b64 payload.bin

# ✓ ECDSA-P256-SHA256 over a signed envelope
#   keyid: szlholdings-cosign

The trust score is a research conjecture, not a closed proof — and we label it that way. The signature, though, is real: this is the showcase.


What's proven, and what isn't

These five proven properties. One honest conjecture.

We're plain about the line between proved mathematics and active research. The org keeps eight locked-proven formulas in Lean (kernel c7c0ba17); the five below are the ones this product surfaces. The trust score (Λ) is Conjecture 1, never a theorem. Build provenance is SLSA L1 (honest), with SLSA L2 attested on the signed container images.

01
Geofence containment
A track inside a no-fly polygon is detected deterministically.
Proven
02
Hash-chain integrity
The receipt ledger is a tamper-evident SHA3-256 chain.
Proven
03
Quorum agreement
A 3-of-4 quorum tolerates one faulty node without losing safety.
Proven
04
Signature soundness
A receipt that verifies could only have been signed by the keyholder.
Proven
05
Monotone gating
Lowering any honesty axis can never raise the overall trust score.
Proven
06
Trust-score uniqueness
That the 13-axis aggregator is the unique valid one — an open research conjecture, not yet proven.
Conjecture

Surfaces

Two front doors, one governed system.