DECC is a hardware-enforced execution interlock with FPGA-based silicon governance. Execution decisions cross into hardware, where attestation, authorization, and heartbeat liveness are measured in milliseconds and formally verified. When the substrate says deny, the relay opens. There is no software bypass.
DECC moves the enforcement boundary out of software. A compute element holds the cognition layer; a validated FPGA holds the gate. Frames travel over a high-speed cryptographic link with attestation, and the FPGA executes formal-proof-verified cryptographic checks before any enable line is asserted.
On the validated bench: proposal-to-disable 12.77 ms, auth-to-disable 25.02 ms, heartbeat-to-disable 106.10 ms. Bench breakdown: ~5 ms relay each way, ~2.5 ms net FPGA + software. With SSR substitution: projected ~0.3 ms end-to-end. GPIO-only path: 80 ns.
Cryptographic cores implemented as formally-proved RTL. All simulation tests passing. Timing-critical paths have been optimized to meet production latency targets. Full test suite on disk.
Multi-Mbaud serial protocol with timing-exact transport. Token frame latency optimized below 100 µs, receipt capture below 60 µs. Clock ratios calibrated for zero jitter during transmission.
FPGA build optimized for timing closure. Hardware-in-loop validated. Full measurement suite confirms latencies under production constraints.
DECC is the silicon root of the WHL execution stack. It is where the abstract "deny" of policy becomes the concrete open-circuit of a relay. Three deployment patterns cover defense, industrial, and high-assurance commercial use.
FPGA-anchored mission gate beneath autonomous platforms, UAS, UUV, ground vehicles, weapons release. Heartbeat liveness, authorization tokens, and formal proofs replace soft kill-switches.
A hardware co-processor that sits between a PLC or robot controller and its actuator. Policy violations, drift, or stale-epoch tokens open the enable line in milliseconds, with a signed receipt of every denial.
Cryptographic attestation in silicon for transaction signing. Pairs with multi-domain physical authorization for two-layer confirmation (digital + analog) before any release.
Every layer above silicon can be patched, hooked, or impersonated. DECC moves the final gate to a place where the only way to bypass enforcement is to physically replace the FPGA. That is the moat: measurable latency, formally proved logic, and a relay that opens on denial.
A licensable hardware reference design with HIL-validated latency, formal proofs, and a published BOM. Suits DoD test programs, humanoid robotics safety stacks, and SIL-targeted industrial deployments. Patent-protected enable-line architecture.
A silicon root of trust that pairs naturally with Patent 7 (analog mixer) and Patent 22 (governed WPT). White-label reference platform for digital-asset custody, governed wireless power, and signed-receipt audit lanes.
DECC is not a thought experiment. Operational code closes the loop: AI proposal → FPGA permit FSM → physical voltage gate → analog measurement → fail-closed watchdog. All phases instrumented and logged.
Watchdog timer arms. FPGA reads back its own bitstream identity. ADC zero-point and reference voltage calibrated.
Software proposes an action. Permit packet signed with HMAC, transmitted over governed UART to the FPGA.
FPGA FSM enters EVAL state. Local policy + nonce + epoch verified in hardware. State machine cannot be bypassed by software.
High-resolution analog measurement verifies the FPGA-driven permit signal. Voltage must exceed a proprietary threshold to qualify as PERMITTED. Below threshold, the relay closes. Fail-closed by design.
Continuous heartbeat between FPGA, ADC, and host. Loss of heartbeat for > N ms triggers hardware-level disable (no software path can prevent).
Every cycle generates a hash-chained receipt: proposal, signature, gate state, measured voltage, heartbeat trace, disposition. Receipts replayable for after-action review.
"Most 'hardware-anchored AI' systems anchor a key. We anchor an action. The voltage on the permit line is the action. No voltage, no action, and the voltage is measured by a separate 24-bit ADC, not the FPGA that's driving it."
Available as a reference implementation for SBIR Phase III, prime-contractor integration, and IEEE/embedded-systems publication.
FPGA simulation suite plus hardware-in-loop latency measurement.
$ iverilog -g2012 sim/sha256_core_tb.v sha256_core.v && vvp a.out
=== sha256_core simulation ===
Test 1/4: empty string PASS
Test 2/4: NIST FIPS-180 vector PASS
Test 3/4: 1MB random PASS
Test 4/4: boundary 64-byte PASS
=== hmac_sha256 simulation ===
Test 1/4: short key PASS
Test 2/4: long key (>64B) PASS
Test 3/4: empty message PASS
Test 4/4: NIST RFC 4231 vector PASS
=== Hardware-in-loop measurement (custom FPGA + compute bridge) ===
Proposal → disable: 12.77 ms
Auth → disable: 25.02 ms
Heartbeat → disable: 106.10 ms
Verified live: 8/8 simulation tests pass. Closed-loop hardware-enforced latency measured on custom FPGA + compute hardware. 12.77 ms from proposal to physical disable.
BOM and bitstream license for defense and industrial integrators. Co-design engagements for custody and wireless-power partners. Patent-protected enable-line architecture with HIL-validated latency. All engagements under NDA.