The Guillotine#

The Ledger of Reality and Holographic Tombstones make state recoverable in software. The Guillotine makes state recoverable when the hardware itself misbehaves.

What it does#

When the GPU executing an agent’s workload encounters an invalid memory access, an arithmetic exception, or any other class of fatal compute fault, modern accelerators do not silently corrupt — they raise an asynchronous exception that the host is expected to handle. Most systems handle this by polling: the host runtime checks a status flag, eventually notices the fault, and tears the workload down.

Polling is too slow. By the time the host runtime has noticed, the corrupted tensor has propagated through the next layer of the network and the output is poisoned.

The Guillotine does not poll. ANNIE wires a dedicated, zero-allocation kernel thread directly into the accelerator’s hardware signal queue. The moment the silicon raises a fault, the thread wakes, atomically transitions the agent process into a halted state, and prevents the next computation from launching. Within the documented response-time budget on supported hardware, the faulted result does not reach the layer above it.

The name is deliberate. The cut is fast, irreversible at the agent-process level, and leaves nothing to argue about afterward.

Why it matters#

In an autonomous-agent setting, a corrupted tensor is not just a wrong answer — it is a plausible wrong answer, in the same shape and dynamic range as a correct one. There is no downstream check that can reliably distinguish “the model produced a bad answer” from “the model produced a poisoned answer due to a hardware fault.”

This is the worst kind of failure mode: it looks normal. If your agent has the authority to act on its outputs, a silent hardware fault can produce a catastrophic action that the audit log records as legitimate — one that every other layer of the stack will treat as such.

The Guillotine closes this gap by treating compute faults as first-class safety events, with response times measured in microseconds rather than milliseconds.

How you observe it#

A Guillotine event is recorded in the Ledger of Reality as a halt entry with:

• The fault classification reported by the hardware.
• The agent process identifier at the time of halt.
• The accelerator device identifier.
• A monotonic timestamp.
• The ledger entry of the last action approved before the fault.

The agent process is terminated. The license-bound daemon refuses to launch a replacement process from the same data directory without operator acknowledgement — silent restart of a process that was killed for hardware reasons would defeat the purpose.

The annie verify command will report any Guillotine event in the log alongside the ledger context surrounding it.

Response-time guarantee#

ANNIE commits to halting within a documented platform-specific budget from the hardware-fault event. The current target is a small number of microseconds on supported AMD ROCm hardware. This is a commitment, not an aspiration: every release publishes the measured worst-case latency alongside the documented budget, and a regression in this number is treated as a release blocker.

What it does not do#

The Guillotine halts the agent. It does not, and cannot, undo any action that was approved and dispatched to an external system before the fault. That is the job of the Ledger of Reality (for retrospective audit) and the application integrating ANNIE (for application-level compensation logic).

The Guillotine also does not protect against software bugs in the model or in the integrating application. Its scope is the silicon and the runtime around it. Application-level safety lives one layer up.

Related#

• The Iron Lung — the deterministic control loop whose budget the Guillotine fits inside.
• The Ledger of Reality — where halt events are anchored.