DECC is a hardware-enforced execution interlock built on a Basys3 FPGA and Raspberry Pi 5. Governance decisions cross into silicon, where attestation, authorization, and heartbeat liveness are measured in milliseconds and proved with SymbiYosys. When the substrate says deny, the relay opens — there is no software bypass.
DECC moves the enforcement boundary out of software. The Pi 5 holds the cognition layer; the Basys3 (Xilinx xc7a35t) holds the gate. Frames travel a 4 Mbaud UART link with cryptographic attestation, and the FPGA executes a SHA-256 + HMAC-SHA256 verification path proved correct via SymbiYosys before any enable line is asserted.
On the validated bench: proposal-to-disable 12.77 ms, auth-to-disable 25.02 ms, heartbeat-to-disable 106.10 ms. Bench breakdown: ~5 ms relay each way, ~2.5 ms net FPGA + software. With SSR substitution: projected ~0.3 ms end-to-end. GPIO-only path: 80 ns.
SHA-256 core (4/4 simulation tests pass) and HMAC-SHA256 core (4/4 simulation tests pass) implemented as RTL with formal proofs in SymbiYosys. SHA-256 pipeline retiming closed timing: WNS went from -4.770 ns to +0.530 ns. All eight simulation tests green.
UART upgraded from 115.2 kbaud to 4 Mbaud with CLKS_PER_BIT = 25 (0% timing error). Pi 5 RP1 divisor 3.125 (exact). Token frame time dropped from 2.43 ms to 70 µs (34.7× faster). Receipt time dropped from 1.91 ms to 55 µs.
Vivado build with ExtraTimingOpt, AggressiveExplore, and retiming directives. Bitstream maintained as pc_vivado_build/out/latest.bit. Full HIL validation report dated 2026-03-03 anchors the measured latencies above the GE-OS pipeline.
DECC is the silicon root of the WHL execution stack. It is where the abstract "deny" of policy becomes the concrete open-circuit of a relay. Three deployment patterns cover defense, industrial, and high-assurance commercial use.
FPGA-anchored mission gate beneath autonomous platforms — UAS, UUV, ground vehicles, weapons release. Heartbeat liveness, authorization tokens, and formal proofs replace soft kill-switches.
A hardware co-processor that sits between a PLC or robot controller and its actuator. Policy violations, drift, or stale-epoch tokens open the enable line in milliseconds, with a signed receipt of every denial.
SHA-256 + HMAC attestation in silicon for transaction signing. Pairs with Patent 7 analog-mixer physical authorization for two-domain confirmation (digital + analog) before any release.
Every layer above silicon can be patched, hooked, or impersonated. DECC moves the final gate to a place where the only way to bypass enforcement is to physically replace the FPGA. That is the moat: measurable latency, formally proved logic, and a relay that opens on denial.
A licensable hardware reference design with HIL-validated latency, formal proofs, and a published BOM. Suits DoD test programs, humanoid robotics safety stacks, and SIL-targeted industrial deployments. Patent-protected enable-line architecture.
A silicon root of trust that pairs naturally with Patent 7 (analog mixer) and Patent 22 (governed WPT). White-label reference platform for digital-asset custody, governed wireless power, and signed-receipt audit lanes.
DECC is not a thought experiment. hardware_proof_run.py is 1,257 lines of operational code that closes the loop: AI proposal → FPGA permit FSM → physical voltage gate → 24-bit ADC measurement → fail-closed watchdog. Six phases, all instrumented, all logged.
Watchdog timer arms. FPGA reads back its own bitstream identity. ADC zero-point and reference voltage calibrated.
Software proposes an action. Permit packet signed with HMAC, transmitted over governed UART to the FPGA.
FPGA FSM enters EVAL state. Local policy + nonce + epoch verified in hardware. State machine cannot be bypassed by software.
MCC172 24-bit ADC measures the FPGA-driven permit signal. Voltage must exceed HIGH_MIN (2.0V) to qualify as PERMITTED. Below threshold = fail-closed.
Continuous heartbeat between FPGA, ADC, and host. Loss of heartbeat for > N ms triggers hardware-level disable (no software path can prevent).
Every cycle generates a hash-chained receipt: proposal, signature, gate state, measured voltage, heartbeat trace, disposition. Receipts replayable for after-action review.
"Most 'hardware-anchored AI' systems anchor a key. We anchor an action. The voltage on the permit line is the action. No voltage, no action — and the voltage is measured by a separate 24-bit ADC, not the FPGA that's driving it."
Available as a reference implementation for SBIR Phase III, prime-contractor integration, and IEEE/embedded-systems publication.
FPGA simulation suite plus hardware-in-loop latency measurement.
$ iverilog -g2012 sim/sha256_core_tb.v sha256_core.v && vvp a.out
=== sha256_core simulation ===
Test 1/4: empty string PASS
Test 2/4: NIST FIPS-180 vector PASS
Test 3/4: 1MB random PASS
Test 4/4: boundary 64-byte PASS
=== hmac_sha256 simulation ===
Test 1/4: short key PASS
Test 2/4: long key (>64B) PASS
Test 3/4: empty message PASS
Test 4/4: NIST RFC 4231 vector PASS
=== Hardware-in-loop measurement (Basys3 + Pi5) ===
Proposal → disable: 12.77 ms
Auth → disable: 25.02 ms
Heartbeat → disable: 106.10 msVerified live: 8/8 simulation tests pass. Closed-loop hardware-enforced latency measured on Basys3 + Pi5 hardware. 12.77 ms from proposal to physical disable.
BOM and bitstream license for defense and industrial integrators. Co-design engagements for custody and wireless-power partners. Patent-protected enable-line architecture with HIL-validated latency. All engagements under NDA.