modekeeper 0.1.33

ModeKeeper: verify-first, read-only assessment for Kubernetes/GPU cost and risk

ModeKeeper

ModeKeeper is a verify-first, read-only assessment product for Kubernetes/GPU cost and risk, with customer-managed execution and a change-ready handoff pack for enterprise review. Apply/implementation is a separate licensed and gated path, not part of the public assessment path.

Start here (10 minutes)

Use these buyer materials. Canonical workflow: observe -> plan -> verify -> export. Procurement pack language below refers to ./bin/mk-procurement-pack outputs (report/procurement_pack/**), which are distinct from mk export handoff-pack artifacts.

• Buyer script: docs/BUYER_10MIN.md
• Proof-pack map: docs/PROOF_PACKS.md
• Synthetic proofs (file replay): docs/SYNTHETIC_PROOFS.md
• Buyer request checklist (pilot intake): docs/BUYER_REQUEST_CHECKLIST.md
• 20-min discovery call script: docs/OUTREACH_CALL_20MIN.md
• Outreach email templates: docs/OUTREACH_EMAIL.md

Proof snippet (synthetic replay, read-only):

• Run: ./scripts/e2e-synthetic-proofs-replay.sh
• Inspect the multi-signal “combo” summary (example):

# Scenario: combo
- trace: docs/evidence/mk060/observe_raw.jsonl
- active_signals: burst, drift
- k8s_plan_items: 4

What to expect:

• signals: drift + burst; k8s_plan_items: 4; dry-run only (no apply)

./bin/mk-procurement-pack

cd report/procurement_pack && sha256sum -c checksums.sha256

Verify-first means every deliverable is deterministic, accompanied by SHA256 manifests, and backed by reproducible transcripts. Validation should start from hashes and transcript evidence before any business review.

PRO note: private releases are notes-only. Deliverables are distributed via vendor-provided stamp + transcripts + SHA256.

Release channels and versioning

• Public (OSS / read-only): this repository + PyPI package modekeeper (wheel-only). GitHub Releases here track the public package.
• Enterprise PRO (licensed / gated apply): delivered separately as notes-only release metadata + vault-only deliverables (no GitHub assets attached).
• Why numbers can differ: public and PRO ship independently; the canonical PRO deliverable is always recorded in:
  • docs/SNAPSHOT.md (entrypoint)
  • docs/STATUS.md (latest release + vault + SHA256)

Contact

Documentation index: docs/INDEX.md

• Questions / feedback: GitHub Issues (preferred) and Discussions.
• Security issues: please use GitHub Security Advisories (private disclosure). See .github/SECURITY.md.

Reference docs

• Buyer journey: docs/BUYER_JOURNEY.md
• Product overview: docs/product.md
• Getting started: docs/GETTING_STARTED.md
• Quickstart: docs/QUICKSTART.md
• Security posture: docs/SECURITY_POSTURE.md
• Buyer proof pack: docs/BUYER_PROOF_PACK.md
• Procurement pack: docs/PROCUREMENT_PACK.md
• Proof packs overview: docs/PROOF_PACKS.md
• Handoff guide: docs/HANDOFF.md
• 10-minute buyer script: docs/BUYER_10MIN.md
• Enterprise evaluation: docs/ENTERPRISE_EVALUATION.md
• Current project status: docs/STATUS.md
• Workflow details: docs/WORKFLOW.md
• Self-serve k8s runner runbook: docs/K8S_RUNNER_SELF_SERVE.md
• Distribution boundary policy: docs/DISTRIBUTION_POLICY.md

60-second quickstart

python3 -m pip install -U modekeeper
mk --help
mk observe --source synthetic --duration 10s --out report/quickstart/observe
mk closed-loop run --scenario drift --observe-source synthetic --observe-duration 10s --dry-run --out report/quickstart/plan
PLAN="$(python3 -c 'import json; print(json.load(open(\"report/quickstart/plan/closed_loop_latest.json\", encoding=\"utf-8\"))[\"k8s_plan_path\"])')"
mk k8s verify --plan "$PLAN" --out report/quickstart/verify
mk export handoff-pack --in report/quickstart --out report/quickstart/handoff

# quickstart artifacts
ls report/quickstart
ls report/quickstart/observe
ls report/quickstart/plan
ls report/quickstart/verify
ls report/quickstart/handoff

Expected artifact roots:

• report/quickstart/observe (read-only telemetry capture)
• report/quickstart/plan (dry-run planning outputs)
• report/quickstart/verify (verify outputs)
• report/quickstart/handoff (handoff-pack export outputs)

Safety gates

Apply/mutate paths are blocked unless all required gates pass:

• verify_ok=true from verify artifacts
• kill-switch is absolute (MODEKEEPER_KILL_SWITCH=1 blocks apply)
• valid license and apply entitlement

Details and command contracts:

• docs/QUICKSTART.md
• docs/WORKFLOW.md

Public vs Pro

Public GitHub + PyPI (modekeeper) provides a verify-first, read-only assessment path (observe -> plan -> verify -> export) for Kubernetes/GPU cost and risk. ROI is supporting evidence with explicit assumptions, not a required stage in the canonical path. Outputs are designed as a change-ready handoff pack for enterprise review and customer-managed execution. Apply/mutate capabilities are disabled by default in public and reserved for licensed distribution; see boundary and release rules in docs/DISTRIBUTION_POLICY.md.