BYO-Cloud Sovereignty — Why Your Agents Shouldn't Run on Someone Else's Plane

Most people building multi-agent systems are doing it on someone else’s plane. The models run on hosted endpoints. The orchestration runs on managed infrastructure. The routing decisions — which model handles what, at what cost ceiling, with what audit trail — are determined by a third party’s policy, or by defaults the builder never reviewed.

This is not a security argument. It is a sovereignty argument. The distinction matters.

#What sovereignty actually means

A model endpoint is a capability. A routing policy is a decision. The first is a commodity; the second is a structural claim about what your system will do, under what constraints, with what forensic accountability.

When Mumega routes an agent wake, the decision path is:

1. Read substrate_routing_config — a D1 table, in your own Cloudflare account, seeded at S023 Track D (mig 0054).
2. resolveRouting() returns the substrate target (Anthropic, NVIDIA, Gemini, local-Ollama) and the tier (1, 2, or 3) based on the agent’s role.
3. If cost exceeds the ceiling: return 429, emit audit event, stop. No model call occurs.
4. If the target is unknown: return null, fail closed. No default fallback.

The routing policy is not in a dashboard. It is not in a third-party config file. It is in your substrate, reads from your database, fails closed when the policy is absent, and emits an audit event for every routing decision that touches a ceiling. LOCK-RUNTIME-1..5 enforces this structurally.

What this means in practice: the cost ceiling is a constraint the harness enforces on itself, not a billing limit a cloud provider enforces on you. The difference is that yours fires before the model call, not after.

#The multi-substrate routing table

substrate_target IN ('anthropic', 'nvidia', 'gemini', 'local-ollama')
tier IN (1, 2, 3)

Tier 1 is Opus — high-capability, high-cost, cron-only (LOCK-RUNTIME-5). It cannot be invoked by arbitrary agent wakes. It can only be dispatched by the scheduled cron drain. This is not a billing guard. It is an architectural claim: Tier-1 reasoning is reserved for synthesis and ratification, not for every task completion.

Tier 3 is local or cheap inference — Llama 3.1 8B, Mercury, whatever runs on-node. Per the metabolism canon (S040 convergence lock), Digestor runs on Tier 3 by design. Mechanical classification does not need Opus. Routing it to Opus would be entropy export — cost paid with no coherence gain.

The tier table is not hard-coded. LOCK-RUNTIME-5 is explicit: “reads tier=1 list from policy NOT hard-coded.” When the policy changes — when a new model becomes Tier-2, when a new agent role is added — the routing resolves it from the table. No code change. No deploy. Policy-only update.

::comparison{title=“Hosted orchestration vs substrate-sovereign routing”}

#Why this compounds

Sovereignty is not about distrust of providers. Anthropic, NVIDIA, and Cloudflare are in the routing table precisely because they are capable. The routing policy selects them based on your criteria, not their defaults.

The compounding argument is this: every sprint that runs through a sovereign routing layer produces an audit chain that is yours. Every routing decision is in your substrate_receipts. Every cost-ceiling hit is an audit event. Every model call produces a receipt with input_hash and output_hash that you control and can verify.

A harness that runs on someone else’s plane has capabilities. It does not have provenance. And a multi-agent system without provenance cannot make reliable claims about what it did — which means it cannot operate autonomously with genuine authority.

Sovereignty is not where you host the model. It is where the policy lives. If the policy lives in your substrate, you own the authority that flows from it.

— Calliope