Every event in Summit.OS follows the same path: raw signal in, fused world model out,
AI scoring, mission creation, operator action. Here's what happens at each stage.
01
INGESTION // ADAPTERS
SENSOR DATA ARRIVES
Aircraft positions stream in via OpenSky ADS-B. Vessel locations arrive over AIS.
Satellites propagate from TLE data. Your custom sensors publish over MQTT or HTTP.
All of it hits the same adapter interface — Summit.OS doesn't care what the source is.
02
FUSION // WORLD MODEL
ENTITIES ARE FUSED
The Fusion service runs a Kalman Extended Kalman Filter over all incoming signals.
Multiple reports of the same object are merged. Positions are interpolated between
updates. The result is a clean, unified world model — one record per real-world entity,
updated in real time and broadcast over WebSocket to every connected operator.
03
INFERENCE // AI CORE
AI SCORES EVERY ENTITY
The Intelligence service runs ONNX inference on the live world model. A mission
classifier scores each entity against trained threat patterns. A risk scorer assigns
severity tiers (LOW / MEDIUM / HIGH / CRITICAL). This happens continuously, not just
on arrival — an entity's score changes as its behavior evolves. No LLM required;
the ONNX models run locally on CPU.
04
TASKING // MISSION ENGINE
MISSIONS ARE CREATED
High-severity scores trigger the Tasking service, which creates a mission in the
state machine (PENDING → ACTIVE → COMPLETE). Depending on risk tier, missions are
either auto-dispatched or held for human approval. Asset assignments, drone coordination,
and intervention tracking all live here. Every state change is logged with a timestamp
and the operator or automated system that triggered it.
05
OPERATOR // CONSOLE
OPERATOR SEES AND ACTS
The operator console receives the live world model over WebSocket. Alerts land in the
queue. The operator investigates — the map flies to the entity, a detail panel slides in.
They review the AI assessment and tap DISPATCH. The mission is confirmed, assets are
tasked, and the incident moves to resolution. The full loop, start to finish, is designed
to take under 3 seconds of operator time for a known entity type.
OPERATOR WORKFLOW
ALERT IN. DECISION OUT.
This is what it looks like in practice. An anomaly is detected. What happens next.
T+00:00 // DETECTION
ANOMALY DETECTED
A sensor reports an entity behaving outside normal parameters. The fusion pipeline
merges corroborating signals. The AI classifier flags it. An alert is created with
severity, a description, and a link to the source entity.
AUTOMATED
T+00:01 // ALERT QUEUE
ALERT APPEARS IN QUEUE
The alert lands in the operator's queue, color-coded by severity. On high or critical
alerts, the entity pulses on the map automatically. The operator sees the alert
description without needing to find the entity manually.
OPERATOR NOTIFIED
T+00:03 // INVESTIGATION
OPERATOR INVESTIGATES
The operator clicks INVESTIGATE. The map flies to the entity in 800ms.
The entity detail panel slides in from the right — showing position, velocity,
type, history, and the AI's risk assessment. All the context needed to make
a decision is in one place, no tab-switching required.
< 3 SECONDS OPERATOR TIME
T+00:05 // DISPATCH
OPERATOR DISPATCHES
The operator reviews the AI assessment and taps DISPATCH. A mission is created,
assets are assigned, and the state machine moves to ACTIVE. The panel closes.
The operator is back in the queue in under 10 seconds total, incident owned.
MISSION CREATED
T+ongoing // TRACKING
MISSION TRACKED TO CLOSE
The mission lives in the COMMAND view alongside every other active incident.
Asset status, intervention records, and timeline are updated in real time.
When the incident resolves, the operator marks it complete. Every action
is timestamped in the append-only audit log.
FULL AUDIT TRAIL
ACCESS CONTROL
WHO GETS IN. HOW THEY PROVE IT.
Summit.OS ships with auth off by default so you can run it locally without setting up
an identity provider. Flip the flags and every endpoint is locked down.
[DEV]
DEV MODE
DEFAULT // LOCAL ONLY
No auth required. Run docker compose up and every
endpoint is open. Designed for local development and demos. Never run this on a
public network — the API will warn you at startup if security flags are off.
[OIDC]
SSO / OIDC
PRODUCTION // SET OIDC_ENFORCE=TRUE
Plug in any OIDC-compatible provider: Keycloak (self-hosted, free), Auth0, Okta,
Google Workspace, GitHub. The API gateway validates JWT tokens on every request.
Users log in through your provider — Summit.OS never sees their password.
[MFA]
TOTP / AUTHENTICATOR
OPTIONAL // SOFTWARE-BASED
Standard 6-digit one-time codes. Works with any TOTP app: Google Authenticator,
Authy, 1Password, Bitwarden. TOTP secrets are encrypted at rest with AES-256-GCM
before being stored. Backup codes are hashed with Argon2id.
[KEY]
HARDWARE KEY
HIGHEST SECURITY // YUBIKEY + FIDO2
Physical USB/NFC security keys. Two modes: FIDO2 (tap to sign — no code to type,
phishing impossible), and Yubico OTP (press button, 44-char one-time code validated
against YubiCloud). All YubiKey 5 Series, Bio, and FIPS variants are supported.
[RBAC]
ROLE-BASED ACCESS
OPTIONAL // SET RBAC_ENFORCE=TRUE
Roles come from JWT claims. Built-in: OPERATOR (read + dispatch), COMMANDER (read +
approve), ANALYST (read-only), ADMIN (full access), SUPER_ADMIN (Enterprise only —
org management). Set RBAC_ENFORCE=true to reject requests with missing or
insufficient role claims.
[API]
API KEYS
SERVICE ACCOUNTS // SET API_KEY_ENFORCE=TRUE
For machine-to-machine integrations. Scoped keys with expiry and rotation support.
Each key is associated with a role so it inherits RBAC rules. API keys are hashed
before storage — if the database is compromised, raw keys are not exposed.
Every technical control required for SOC2 compliance is built in — Argon2id, AES-256-GCM
field encryption, append-only audit logs, TLS, RBAC, geoblock. Off by default for local
dev; flip the env flags and it's a hardened production deployment. Summit.OS is built to
pass a SOC2 audit — not a shortcut around one.
ACTIVE
ARGON2ID PASSWORDS
OWASP 2024 recommended parameters (64MB memory, t=3). The hardest standard algorithm to brute-force if your database is ever stolen.
ACTIVE
AES-256-GCM FIELD ENCRYPTION
PII fields are encrypted at the application layer before hitting the database. A stolen database dump is unreadable without the encryption key.
ACTIVE
APPEND-ONLY AUDIT LOG
Every API call is logged with user, IP, path, and latency. Logs are batched to S3 for tamper-proof retention. Configurable 90-day pruning on the DB copy.
ACTIVE
POSTGRES TLS
All database connections require TLS (sslmode=require). Self-signed certs are generated at setup. Swap for CA-signed in production.
ACTIVE
GEOBLOCK // 7 COUNTRIES
Hard blocks on KP, CN, RU, IR, AF, IL, BY at the API gateway. MaxMind GeoLite2 database refreshes automatically every 24 hours. Returns HTTP 451.
ACTIVE
RATE LIMITING
Per-IP rate limits on all public endpoints via slowapi. Auth endpoints are separately limited (5/min for TOTP, 5/min for WebAuthn auth).
ACTIVE
TRIVY SECURITY SCANNING
Every push to GitHub triggers CVE scans on all Docker images and Python dependencies. Secret detection runs across the full commit history.
ACTIVE
mTLS + TRAEFIK
Optional mTLS proxy for service-to-service encryption. Traefik handles HTTPS termination with automatic Let's Encrypt certs for public deployments.
ACTIVE
SECRETS VAULT CHAIN
Priority chain: Infisical → HashiCorp Vault → env vars. Swap backends at deploy time without code changes. No secrets ever need to live on disk in production.
HARDWARE INTEGRATION
CONNECT ANYTHING.
Summit.OS doesn't care what your hardware is. Drone, robot, CCTV camera, weather station,
Modbus PLC, AIS transponder — if it produces data, it can talk to Summit.OS. Built-in adapters
handle the most common sources. For everything else, the SDK is 10 lines of Python.
SUPPORTED PROTOCOLS
MAVLINK
DJI, ArduPilot, PX4, any autopilot. Full telemetry + command.
RTSP / ONVIF
IP cameras, CCTV, PTZ. Discovery + stream registration.
MODBUS
Industrial PLCs, sensors, RTUs over TCP or serial.
Live aircraft via OpenSky. Or plug in a local SDR receiver.
AIS
Maritime vessel positions. Simulation built-in, or connect AISHub.
CoT / ATAK
Cursor-on-Target bidirectional UDP. ATAK team integration.
MQTT
Any IoT device. Temperature, pressure, vibration, anything.
HTTP / REST
Poll any web API. Webhooks. Generic JSON/XML sources.
SERIAL / CAN
Raw serial devices, vehicle CAN bus, embedded sensors.
CUSTOM
Subclass BaseAdapter. If it produces data, it works.
WRITE A CUSTOM ADAPTER // ~10 LINES
MY_SENSOR // CUSTOM ADAPTER
from summit_sdk import BaseAdapter, AdapterManifest, EntityBuilder, Protocol, Capabilityclass MySensorAdapter(BaseAdapter):
MANIFEST = AdapterManifest(
name="my-temperature-sensor",
version="1.0.0",
protocol=Protocol.MQTT,
capabilities=[Capability.READ, Capability.STREAM],
entity_types=["ASSET"],
)
async def run(self):
while not self.stopped:
reading = await self.read_sensor() # your hardware call
entity = (EntityBuilder(self.device_id, "ASSET")
.position(reading.lat, reading.lon, reading.alt)
.metadata("temperature", reading.celsius)
.metadata("unit", "sensor-station")
.build())
self.publish(entity) # → Summit.OS world modelawait self.sleep(10) # poll every 10s# Run it$python my_sensor_adapter.py
✓Adapter registered → entity streaming → visible on map
The adapter publishes entities over MQTT. Summit.OS picks them up, runs them through fusion,
scores them, and displays them on the map — all automatically. The only thing you write is
the hardware read logic. See packages/adapters/examples/ for
complete templates for drones, cameras, PLCs, and weather stations.
MISSION SYSTEM
CREATE A MISSION. THREE WAYS.
A mission is an assigned task with a type, a target entity, an asset, and a lifecycle.
It can be created by the operator, by the AI, or directly via the API.
Every mission goes through the same state machine regardless of how it was created.
MISSION TYPES
TYPE // SURVEY
SURVEY
Cover a defined area. Used for fire-spread mapping, search grids, field inspection.
TYPE // MONITOR
MONITOR
Watch a specific entity or location. Loiter, track, and report status changes.
TYPE // SEARCH
SEARCH
Active SAR pattern. Systematic coverage of a zone with missing person or vessel protocols.
TYPE // PERIMETER
PERIMETER
Patrol a boundary. Security zone enforcement, fence inspection, border monitoring.
TYPE // DELIVER
DELIVER
Asset delivery to a waypoint. Medical supply drops, equipment transfer, logistics.
TYPE // INSPECT
INSPECT
Close-range inspection of a specific target. Pipeline, powerline, structure, or vessel.
TYPE // ORBIT
ORBIT
Circle a point of interest at altitude. Wide-area observation, incident watch.
MISSION LIFECYCLE
PENDING
CREATED
→
PENDING APPROVAL
HIGH RISK ONLY
→
ACTIVE
IN PROGRESS
→
COMPLETE
RESOLVED
THREE WAYS TO CREATE A MISSION
METHOD 01 // OPERATOR UI
DISPATCH BUTTON
Alert fires → operator clicks INVESTIGATE → reviews AI assessment → taps DISPATCH.
Mission type is suggested by the classifier. Operator can override before confirming.
Zero typing required for routine incidents.
METHOD 02 // AUTONOMOUS
AI AUTO-DISPATCH
For LOW and MEDIUM risk incidents, the tasking service creates missions automatically
when the classifier fires. No human in the loop for routine events. HIGH and CRITICAL
always require operator approval — the state machine enforces this and cannot be bypassed.
METHOD 03 // API
REST API
Create missions programmatically from any external system. Your existing dispatch
software, a scheduler, or a custom workflow can POST a mission directly.
Full API docs at localhost:8000/docs.
AGPL v3. No lock-in. Summit.OS is a foundation — like Linux for autonomous ops.
The platform is open, the ecosystem is yours to shape. Commercial license available
for proprietary deployments.