Rensei
DOC R-002 · PLATFORM REFERENCE · REV 2026-06-11sha256:ce44…81a9

00 · ABSTRACT

A workflow is a graph. The graph is the contract.

Deterministic workflow engine. Vendor-neutral provider routing. Four verification primitives derived from the architecture, not configured onto it.

Review the architecture with usRead the docs

REC 00sha256:a402…0c2dprev 95f0…d4e1build 2026-06-12T03:34Z

01 · COMPOSE

State what should happen. Review it like code.

Workflows are declarative, typed YAML living in the repo, so pull requests, CODEOWNERS, and reviewers apply unchanged. The file and the canvas are the same graph.

FIG 1.0
# sdlc-default · atlas-firmware (Meridian Robotics, demo)
# Excerpt. FIG 1.1 renders the compiled graph.
kind: WorkflowDefinition
metadata:
  name: sdlc-default

nodes:
  - id: intake
    type: trigger
    config: { nodeId: linear.issue-assigned }

  - id: triage
    type: action
    config: { nodeId: agent.dispatch_stage, stage: triage }

  - id: plan
    type: action
    config: { nodeId: agent.dispatch_stage, stage: plan }

  - id: implement
    type: group
    stages: [branch, code, self-review, commit]

  - id: tests
    type: action
    config: { nodeId: ci.run_checks, stage: qa }

  - id: test-gate
    type: gate
    config:
      gateKind: signal
      onFail: { dispatch: refinement, cap: 8 }

  - id: review
    type: action
    config: { nodeId: agent.dispatch_stage, stage: review }

  - id: sign-off
    type: gate
    config: { gateKind: approval }

  - id: merge
    type: action
    config: { nodeId: repo.merge }

# edges omitted in this excerpt
FIG 1.0 - SDLC workflow definition, YAML excerpt. FIG 1.1 renders the compiled graph.
FIG 1.1
sdlc-defaultMeridian Robotics / atlas-firmware
Run queueddemo replay
Issue assigned
Triage & scope
agent.dispatch_stage · triage
Write implementation plan
agent.dispatch_stage · plan
Implement4

branch · code · self-review · commit

Run test suite
ci.run_checks · qa
Tests green?Signal
passed
failed
Retry budget left?attempt < 3
YesNo
Refinement loopLoop ×3
group: grp_implementdelay: 30son max: escalate
Escalate to operator
fleet.escalate · human
Agent code review
agent.dispatch_stage · review
Reviewer sign-offHuman query
approved
rejected
Merge to main
scm.merge_pr
FIG 1.1 - The compiled execution graph replaying one run: the test gate fails, refinement re-enters implement, the second pass merges.

Figures are live component renders, not screenshots. Demo data.

REC 01sha256:5f24…8c11prev a402…0c2dbuild 2026-06-12T03:34Z

02 · COMPILE

Durable state. Replayable. Bounded.

Many platforms run the LLM as the control loop. Rensei takes the opposite stance: the compiler turns the graph into a durable execution plan whose control flow is deterministic code.

State persists at every step boundary, so a run survives crashes and redeploys and replays from the record for audit or selective re-run. LLMs run as bounded operators inside workflow steps: each call captures model version, prompt, and retrieved context, and every transition lands on the hash-chained audit trail.

FIG 2.0Replay 2026-06-09
Fleet topologyMeridian Robotics · autonomy-fleet
7 sessions · 3 issues · $8.11 today
MER-128implement
Torque telemetry drops samples under load
sessions
3
tools
164
cost
$3.82
MER-131review
Calibration replay harness for CI
sessions
3
tools
200
cost
$3.90
MER-119plan
Flaky depth-camera reconnect in fleet sim
sessions
1
tools
19
cost
$0.39
planner-01torque-fw
plannercompletedfable-5
6m 12s41$0.92
impl-02torque-fw
implementerrunningfable-5
18m 44s
123
$2.90
OK
Bashmake test - 3 failures, re-running torque suite
cost to date$2.90
smoke-01torque-fw
smoke-runnerqueuedhaiku-4-5
------
impl-04cal-harness
implementercompletedfable-5
24m 22s134$2.47
review-01cal-harness
reviewerrunningsonnet-4-5
9m 2s46$1.10attn
smoke-02cal-harness
smoke-runnerrunninghaiku-4-5
3m 8s20$0.33
planner-02fleet-sim
plannerrunningfable-5
2m 11s19$0.39
session streamreplaycaptured run · loops
  • 00:19impl-02Bashmake test - 3 failures, re-running torque suite
  • 00:13smoke-02Bashgo test ./replay/... - PASS (42/42)
  • 00:09review-01Grep"calibration_replay" - 14 matches across 6 files
  • 00:04impl-02Editfirmware/torque_sampler.c - guard ISR buffer flush
  • 00:00plan-02Readdocs/fleet-sim/reconnect.md
FIG 2.0 - Fleet topology with the sessions stream: agents, issues, and dispatch updates replayed on a scripted loop.

REC 02sha256:be75…10edprev 5f24…8c11build 2026-06-12T03:34Z

03 · SCALE

Three providers in production. The route is earned.

Three model providers run in production at Rensei today: Anthropic, OpenAI, and Google, each running host-session through the local daemon.

The capability matrix documents additional endpoint configurations (Bedrock, Vertex AI, Azure OpenAI, OpenAI-compatible, local), so the deck's larger integration count and this page's production count reconcile on inspection. Per-line provenance and survival measurement are live; the survival-to-posterior wiring is in active integration and closes during the design-partner phase.

FIG 3.0

Routing IntelligenceHot-path weighting activeThompson sampling · 30-day window

Every task type is a bandit. The fleet keeps a Beta posterior per model arm and routes work to whichever model is actually winning, while still spending a small exploration budget to keep the estimates honest.

Exploration rate
12.4%
of routed decisions
Avg confidence
79.8%
across all arms
Decisions
602
30-day window
Active arms
9
3 models in rotation
Next decision

Next review task routes to gpt-5.5: highest expected reward, 0.851 with a 95% CI of 0.78–0.92 across 92 observations. gemini-3.5-flash keeps a 12% exploration share on implement, where its interval is still 0.27 wide.

Posterior distributions, Beta(α, β) per model arm

0.000.250.500.751.00IMPLEMENT · 213 OBSroutes → claude-opus-4-8claude-opus-4-8n=90gpt-5.5n=71gemini-3.5-flashn=52REVIEW · 202 OBSroutes → gpt-5.5gpt-5.5n=92claude-opus-4-8n=69gemini-3.5-flashn=41TRIAGE · 187 OBSroutes → gemini-3.5-flashgemini-3.5-flashn=102claude-opus-4-8n=40gpt-5.5n=45

Provider posteriors

gemini-3.5-flash
triage
0.885
88.0%
102
$0.04
gpt-5.5
review
0.851
85.0%
92
$0.58
claude-opus-4-8
implement
0.848
85.0%
90
$1.84
claude-opus-4-8
triage
0.833
77.0%
40
$0.42
claude-opus-4-8
review
0.817
82.0%
69
$0.91
gpt-5.5
triage
0.809
77.0%
45
$0.27
gpt-5.5
implement
0.712
79.0%
71
$1.31
gemini-3.5-flash
review
0.674
72.0%
41
$0.11
gemini-3.5-flash
implement
0.556
73.0%
52
$0.24

Recent decisions

When
Model
Work type
Reward
Strategy
2m ago
gpt-5.5
review
0.913
Exploitation
9m ago
claude-opus-4-8
implement
0.882
Exploitation
17m ago
gemini-3.5-flash
triage
0.941
Exploitation
26m ago
gemini-3.5-flash
implement
0.418
Exploration
41m ago
claude-opus-4-8
review
0.857
Exploitation
58m ago
gpt-5.5
triage
0.792
Exploitation
1h ago
claude-opus-4-8
triage
0.866
Exploration

Real product UI · demo data from a fictional fleet (Meridian Robotics), 30-day window

FIG 3.0 - Thompson posteriors per provider, issue throughput, and code survival. Survival-to-posterior wiring: in active integration.

REC 03sha256:70b6…496bprev be75…10edbuild 2026-06-12T03:34Z

04 · INTELLIGENCE

Memory that survives the run.

Each run leaves a knowledge graph behind: code nodes and decision nodes joined by typed, confidence-labeled edges.

AST extraction covers TypeScript and JavaScript; extraction elsewhere is model-assisted. Reads are Cedar-authorized and land on the hash-chained audit trail, feedback weights update by exponential moving average, and the graph is tenant-scoped. Cross-tenant aggregation covers anonymized model-performance priors only.

FIG 4.0

Knowledge graph

Meridian Robotics · fleet-core · 49 entities · 66 relationships

Demo data
service

fleet-gateway

service

telemetry-ingest

service

path-planner

service

order-orchestrator

service

firmware-ota

service

auth-service

service

notification-hub

module

kinematics-core

module

occupancy-grid

module

task-scheduler

module

retry-queue

module

feature-flags

api

POST /v2/missions

api

POST /v2/telemetry/batch

api

GET /v1/robots/:id/firmware

api

webhooks/order-events

api

RobotControl (gRPC)

database

telemetry-tsdb

database

fleet-postgres

database

missions-redis

library

meridian-proto

library

px-motion-sdk

library

grid-codec

library

retryx

repository

meridian/fleet-core

repository

meridian/edge-firmware

repository

meridian/web-console

repository

meridian/infra

person

Priya Nair

person

Marcus Webb

person

Elena Vasquez

person

Tom Okafor

person

Sara Lindqvist

person

Dev Patel

team

Fleet Platform

team

Autonomy

team

Reliability

decision

ADR-014: Event-sourced missions

decision

ADR-019: gRPC for robot control

decision

ADR-022: TimescaleDB for telemetry

decision

ADR-027: Canary firmware rollouts

decision

ADR-031: Idempotent order webhooks

incident

INC-2041: Telemetry ingest backlog

incident

INC-2087: OTA rollback storm

incident

INC-2113: Duplicate mission dispatch

convention

Error-wrapping convention

convention

Idempotent migrations rule

convention

Proto compatibility policy

convention

Retry budget convention

Mini Map

Entity types

Node size reflects importance · click an entity for provenance

FIG 4.0 - Knowledge-graph explorer over a fictional codebase: search, legend filters, detail panel.

REC 04sha256:0ac6…0c92prev 70b6…496bbuild 2026-06-12T03:34Z

05 · VERIFY

Four verification primitives run in the execution path.

Cedar policy enforcement, hash-chained audit, fail-closed egress, and decision provenance are properties of the execution graph. The security disclosure walks each one.

FIG 5.0

Audit log

meridian-robotics/assembly-toolingdemo data · Jun 9, 2026 · UTC
Event
Entry hash
  1. genesis000000…000000
  2. Issue accepted
    d3c0de…b8656b
  3. Plan approved
    d3c0de…22eacd
  4. Decision dec_d3c0de24dd1c binds the model, prompt envelope, retrieved context, and policy ruling to one signed audit entry.
    Model
    claude-sonnet-4-5
    version: claude-sonnet-4-5-20250929
    Prompt envelope
    template: implementer.dispatch@v12
    sha256: d3c0dee3c9…b067e2f5d9
    tokens: 2,113 system · 18,402 input
    tools granted: git, fs.write (services/calibration/**), test-runner
    Retrieved context
    memobs_mem_a41f2c - “Calibration offsets are written by flash.ts, not the EEPROM map · w 0.82
    fileservices/calibration/flash.ts · w 0.74
    filedocs/runbooks/gripper-calibration.md · w 0.61
    issueMER-2841 · intake thread (4 messages)
    Policy ruling · Cedar
    ALLOWfleet.dispatch.scoped-write@v7
    matched rules: allow-implementer-scoped-write, require-branch-isolation
    policy hash: d3c0deebfd…e103274083
    Cryptographic proof
    entry hash: d3c0deede1f3360c9c77bee1e4bfbe8cb2eb073fd81df5d241c11d8573ebca0f
    sequence: 4183
    signature:ed25519 · DEMOSIGqNdHF/pEQtKdTnhST(key meridian-audit-2026a)
    Merkle inclusion: leaf 4183 / tree size 4,187
  5. Implementation complete
    d3c0de…e52bab
  6. Review approved
    d3c0de…5945d7
  7. Change merged
    d3c0de…3c339d
  8. Merkle checkpoint
    d3c0de…845dc2
Hash chaining and Merkle checkpoints prove the record you are reading is the record that was written: any edit, deletion, or reorder breaks the chain. Whether what was written is true is the job of decision provenance. All hashes shown are seeded demo values.
FIG 5.0 - Audit-chain verification with one expanded decision-provenance row: model, prompt envelope, Cedar permit, policy hash.

REC 05sha256:f9fe…6a2cprev 0ac6…0c92build 2026-06-12T03:34Z

06 · INTEGRATIONS

Rensei meets the systems auditors already credit, on their own ground.

No logo wall: each category states what crosses the seam today.

  • Source control

    Agent-authored changes arrive as pull requests in your repositories. Reviews, branch protection, and CODEOWNERS apply unchanged.

  • Issue tracking

    The dispatch loop works the backlog through 17 Linear MCP tools, shipped MIT across the donmai binary and its plugin packages.

  • Model providers

    Anthropic, OpenAI, and Google run in production today; the capability matrix documents additional endpoint configurations (Bedrock, Vertex AI, Azure OpenAI, OpenAI-compatible, local).

  • Identity

    Workspace sign-in runs through single sign-on, and sessions, policy decisions, and audit rows are tenant-scoped by construction.

  • Audit and SIEM

    Audit-chain segments export as signed JSON and verify against the published Ed25519 keys, inside whatever log store the audit team already runs.

  • MCP tooling

    17 Linear and 6 code-intelligence tools, shipped MIT across the donmai binary and its plugin packages; the plugin contract is published in the open-source runtime.

REC 06sha256:106e…652dprev f9fe…6a2cbuild 2026-06-12T03:34Z

07 · PATTERNS REJECTED

Three patterns this architecture rejects.

  • The LLM as the control loop

    When the model decides what runs next, the loop can rewrite its own record, and the audit trail becomes another model output. Rensei keeps the control loop in deterministic code; models run inside bounded steps, and every transition lands on the hash-chained audit trail.

  • The walled garden

    A runtime that cannot be inspected asks the buyer to take the execution layer on faith. The execution layer here is MIT-licensed, and the boundary between open source and the commercial control plane is published where anyone can read it.

  • Framework-only open source

    A framework without a runtime ships the hard parts back to the adopter: the daemon, the retries, the operational floor. Donmai is one Go binary with a persistent daemon and a dispatch loop, and the same runtime powers Rensei in production.

REC 07sha256:d3fc…5aa3prev 106e…652dbuild 2026-06-12T03:34Z

08 · CONTACT

Walk this reference against a real workflow.

One person reads this inbox, and every message gets a reply. Bring the workflow you would not hand an agent today, and we will trace it through every chapter above.

Confirm your email and the founder replies directly.

REC 08sha256:ac5d…e755prev d3fc…5aa3build 2026-06-12T03:34Z