IIA · the security concept Conversational Factory · the open local product Coming soon · source-available

§ 00 A factory you can talk to

Ask the plant. Get an answer across a one‑way seam.

The security architecture is Industrial Independence. Conversational Factory is the open, local product that fills it — the sovereign, auditable deployment you run on-site, and the safe access a hosted query plane (modelpond) reaches into. Nothing flows back — enforced by the transport, not by policy. The code is yours to read.

Concept: IIA — open spec, claim-by-name
Product: Conversational Factory — local, source-available
Status: Coming soon · modelpond = hosted

Fig 00.1 Sample exchange against the outside copy. Reads only — no socket back to the plant.

§ 01 The problem

The data already exists. The safe way out of the plant does not.

  a. A working plant is already full of pools of data — Modbus registers, controller context, alarm and batch logs — most of it untapped, the rest consolidated into a historian inside the trusted network. The people and the AI that need to ask it questions are outside that boundary — by design, and for good reason.

  b. Every outbound path is an inbound risk. A query API, a database port, a VPN — anything that can answer a question from outside is something an attacker can reach the plant through.

  c. Copying data to the cloud or to IT means a new attack surface that still has a route home. A breach of the copy becomes a breach of the plant if any return path exists.

  d. So the answer goes through a sysadmin in another building — slow, manual, and gated — because the secure path and the convenient path have always been the same path, pointed both ways.

§ 02 Three layers

A concept. A shape. An open product.

Industrial Independence is the security concept — sovereign-per-zone, one-way, security by architecture; an open spec anyone may implement. The role spec is the shape every conversational factory takes: ingest data plane → inside historian → one-way seam → outside copy → query plane. Conversational Factory is the open, local product that fills the shape — one coherent deployable bundle, every line auditable. The concept is canonical; the product is reference, and every role is swappable.

The query-plane slot is a socket: run CF's local query plane, point the hosted modelpond SaaS at your deployment, or bring your own. Coming soon — source-available. Request early access.

01

Inside Historian

system of record · trusted network

The authoritative historian on the protected side, in a standardized schema. The ingest data plane taps the plant's scattered pools of data — Modbus registers, controller context, alarm and batch logs — into it; the specific feed is a site detail. Complete and self-sufficient on its own — the plant never depends on anything outside the boundary.

  • Standardized schema · system of record
  • Authoritative · runs with zero outbound reach
  • The only thing that ever leaves is a copy
02

One-Way Sync

custom UDP · optional data diode

A one-way sync protocol mirrors the inside historian outward — datagrams out, no acknowledgement, no return socket. Optionally enforced by a hardware data diode so the one-wayness is physical, not just configured. This is the moat.

  • Datagrams only · no ACK · no return path
  • Optional hardware diode · physical enforcement
  • One-way by transport, not by policy
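
An added example, not Conversational Factory's code or wire format: a one-way datagram sync in Python showing what "no ACK, no return path" means for the receiver, which has to authenticate each datagram and track loss on its own because it can never ask for a retransmit. The frame layout, the names `encode`, `send_all` and `OutsideReceiver`, and the HMAC-SHA256 shared key (standing in for the keypair the quickstart generates) are assumptions.

```python
import hashlib
import hmac
import socket
import struct

HEADER = struct.Struct("!QH")   # assumed layout: 64-bit sequence number, payload length
TAG_LEN = 32                    # HMAC-SHA256 tag appended to every datagram


def encode(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build one self-contained datagram: header | payload | tag."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def send_all(addr, key: bytes, records, first_seq: int = 0) -> int:
    """Inside sender: sendto() only. It never calls recv(), so no ACK can be awaited."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for i, rec in enumerate(records):
            s.sendto(encode(key, first_seq + i, rec), addr)
    return len(records)


class OutsideReceiver:
    """Outside receiver: authenticates each datagram and records loss locally."""

    def __init__(self, key: bytes):
        self.key, self.next_seq, self.missing = key, 0, set()

    def accept(self, datagram: bytes):
        """Return (status, payload); status is ok, late, replay or reject."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return "reject", None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "reject", None
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if length != len(payload):
            return "reject", None
        if seq >= self.next_seq:                  # new data, possibly after a gap
            self.missing.update(range(self.next_seq, seq))
            self.next_seq = seq + 1
            return "ok", payload
        if seq in self.missing:                   # reordered datagram fills a gap
            self.missing.discard(seq)
            return "late", payload
        return "replay", None                     # already seen: drop
```

The `missing` set is the only loss signal the outside has; it can be logged or alarmed on, but it can never become a resend request.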
03

Outside Historian

standardized replica · expendable

A standardized copy of the historian on the outside. It is designed to be lost: own it completely and you have historical data and no way to reach anything. Standard schema, so any client, model, or downstream system can read it without bespoke glue.

  • Standardized · fully expendable copy
  • Compromise yields a copy, never a route
  • Optional MQTT push to cloud / off-site, realtime
04

MCP Gateway & Inference

MCP server + tools · model-agnostic

An MCP server and tools ride on the outside copy, turning natural-language questions into reads and composing grounded, audited answers. Inference runs wherever the site allows: specialized small models on-prem at the edge, or any frontier or preferred model against the larger external dataset.

  • Read-only tools · audited · zero write paths
  • On-prem / edge small models when air-gapped
  • Any frontier or preferred model when permitted
§ 03 Data flow · inside to answer

One seam. It only points outward.

From the trusted historian to a grounded answer. The arrow never reverses — because there is no return socket to reverse it through.

  1. Inside: historian · trusted network
    system of record · standardized schema · authoritative
    one-way export
  2. Seam: one-way sync · optional data diode
    datagrams out · no acknowledgement · no return socket
    ⏤ transport-enforced one-way ⏤
  3. Outside: outside historian
    standardized replica · fully expendable · no route home
    standardized read API
  4. MCP: gateway · server + tools
    NL → query · answer composer · audit binder · read-only
    optional MQTT → cloud / off-site
  5. Eval: edge model · frontier model · cloud
    on-prem small model OR any preferred frontier model · grounded answer

Fig 03.1 · Inside → one-way → outside → MCP → answer. There is no inverse arrow because there is no return socket: the export is datagrams over a one-way transport, optionally a hardware diode. Compromise the entire outside and you hold a copy and no way back.

§ 04 Principles

A short list. Each of them load-bearing.

P-01

The dangerous direction doesn't exist

The seam is a one-way transport: datagrams out, no acknowledgement, no return socket. There is nothing to harden against an inbound exploit because there is no inbound. Optionally a hardware diode makes that physical.

P-02

Built to be lost

The outside copy is meant to be lost. Own it completely and you hold historical data and no route to anything. The blast radius of an external breach stops at a copy.

P-03

The plant never depends on the outside

The inside historian is authoritative and self-sufficient. Egress is additive. Cut the link entirely and the plant is unaffected — the only thing lost is the outside view.

P-04

Standardized, not bespoke

The copy speaks a standard schema and read API. Swap clients, models, dashboards, or clouds without touching the boundary. No lock-in on either side of the seam.

P-05

Model-agnostic inference

Run specialized small models on-prem at the edge when the site is air-gapped, or point any frontier or preferred model at the larger external dataset when it isn't. Same data, same surface.

P-06

Optional reach, not required reach

Forwarding the copy to a cloud or off-site server over MQTT in realtime is opt-in. The system is fully useful with zero outbound connectivity. Sovereignty is the default; reach is a choice.

P-07

Security as architecture

The guarantee lives in the transport and the topology, not in policy, config, or a firewall rule someone can fat-finger. The one-wayness is a property of the wire, not a setting.

P-08

Sovereign per zone

Every zone stands alone and complete for its scope. The inside/one-way/outside pattern is fractal across the plant hierarchy — cell, line, area, site.

§ 05 Up in ten minutes

Bring up the chain. Ask your plant a question.

A workstation. Docker. A browser. Optionally Claude Desktop. Brings up an inside historian, the one-way sync, the outside copy, and the MCP gateway — seeded with realistic fixtures so you can query it before pointing it at a real historian.

Full operator quickstart →
~/conversational-factory · zsh
$ git clone https://github.com/riverman-io/conversational-factory
$ cd conversational-factory
$ make first-run
  ok   generated one-way sync keypair
  ok   inside historian seeded with fixtures
  ok   outside copy reachable
  ok   mcp gateway healthy
$ make up
  cf-inside-historian     Up (healthy)
  cf-oneway-sync          Up   (egress only)
  cf-outside-historian    Up (healthy)
  cf-mcp-gateway          Up
$ claude mcp add conversational-factory
§ 06 Coming soon · where to read next

Conversational Factory is the open, local product for talking to a plant you can never reach back into — source-available, every line of the seam auditable. Request early access →