SEEDRIFT

Reclaim by obligation.
Never on a timer.
Never without proof.

A closed loop that frees expensive storage the instant it is provably safe. No timers. No unverified deletes. No data you can't get back.

Request private beta Our approach
Verify before deleteEarliest-safe-reclaimNever by ageFail closedProvably byte-identicalCounterparty-truthResumable through failureNothing leaves until it's safe Verify before deleteEarliest-safe-reclaimNever by ageFail closedProvably byte-identicalCounterparty-truthResumable through failureNothing leaves until it's safe
01 / The problem

You delete by the clock.
The clock lies.

Every system that moves large data hits the same wall and reaches for the same broken proxy.

01

It deletes on a timer.

After N days. After last-access. Easy to automate, and wrong at exactly the moment being wrong is catastrophic.

02

It calls age a proxy.

The real question is who still requires this, and until when. Age has never been able to answer that.

03

It trusts the transfer.

It frees the source on "copy reported done," not on proof the bytes actually survived the trip.

04

It hands you the loop.

You wire schedulers, movers and checksums together with scripts. No product ships the finished loop.

Every irreversible data loss started as a confident delete.We make confident mean proven.

02 / Introducing Seedrift

Reclaim by obligation.
Verify before delete.

Two ways to free a costly tier. Only one of them is safe to leave unattended.

Age-based
file age > N days? DELETE
RISK   deletes data still under an unmet obligation. Irreversible.
Seedrift
asset all clocks clear? verified copy? RECLAIM
SAFE   every obligation satisfied and a byte-identical copy proven first.
03 / What you get

Four guarantees, one engine.

Obligation graph

One asset, many independent clocks held by different counterparties, resolved into a single safe decision.

Verify before delete

The source is freed only once the destination is provably byte-identical. Fail-closed by construction.

Earliest-safe instant

Not a fixed number of days. The soonest moment every obligation clears or is provably transferable.

Resumable

Idempotent and re-runnable from any partial state, across stores that each fail differently.

04 / Our approach

Proof beats guesswork.

The engine is small and never relaxed. Three moving parts, one rule.

01

Build the graph

Model every obligation on an asset as an independent clock with its own counterparty and clearing condition.

02

Solve earliest-safe

Compute the soonest instant every binding clock is satisfied or provably transferable. Never sooner.

03

Verify, then release

Prove a byte-identical copy landed across stores. Only then is the source freed. Any doubt: hold.

05 / Seedrift vs age-based lifecycle

The honest comparison.

Decisions backed by proof of obligation
Seedrift
100%
Age-based
~0%
Deletes without a verified copy
Seedrift
0
Age-based
unbounded
Storage held past the earliest-safe instant
Seedrift
~0d
Age-based
N days
Irreversible-loss exposure
Seedrift
none
Age-based
catastrophic
06 / Capabilities

What the loop actually does.

01

Heterogeneous obligation graph

Time, ratio, acknowledgement and hold-based clocks, tracked independently per asset.

02

Counterparty-truth

Decisions read the obligation holder's real state, never a local cache that can drift.

03

Cross-store placement

Resumable, rate-aware handoff across stores that each report success differently.

04

Idempotent recovery

Every stage re-runs from an unknown, partially-broken state without double-acting.

05

Quarantine, never misfile

Low-confidence placement is flagged and held, not confidently put in the wrong place.

06

Fail-closed by default

Ambiguity always resolves to "do not delete." Safety is the construction, not a setting.

07 / By the numbers

The metrics that matter.

N→1
obligation clocks, one decision
0
deletes without a verified copy
~0d
held past the safe instant
100%
verify-before-delete
08 / Engineered

Built for the paranoid.

Moving the bytes is the easy part. Proving release stays safe, continuously, against systems that lie, is the rest. We built that proof. Copying it is the hard part.

  • Constraint solving across heterogeneous obligation clocks (time, ratio, ack, hold), each with a different counterparty, per asset.
  • Transferability proofs: deciding when a duty can move to a cheaper holder instead of blocking reclaim.
  • Provably fail-closed under stale state, partial failure, and the machine dying mid-run.
+13dmedian storage freed earlier than a fixed policy
0obligation breaches, by construction
COREEarliest-safe solver
01Obligation graph
02Verifier
03Cross-store placement
04Domain adapters
05Audit trail
06Recovery / resume
09 / The loop, live

Not a timer. A solver.

  seedrift://localhost · evaluating
λ seedrift evaluate asset/0x7F3A █████████ ██████ SEEDRIFT ████████ obligation-aware reclaim · v0.9 [graph] asset 0x7F3A · 4 obligations · 18.4 TB [clock] retention .......... cleared [clock] downstream-ack ..... cleared [clock] sla-dwell .......... cleared [clock] legal-hold ......... ACTIVE · clears in 13d 6h [solve] blocking ........... legal-hold [solve] transferable? ...... yes → escrow:cold-2 (cost 0.4%) [solve] earliest-safe ...... now, via transfer [verify] destination ........ byte-identical ✓ [verify] duty re-bound ...... escrow confirmed ✓ decision: SAFE TO RECLAIM (3 cleared · 1 transferred · copy verified) source release: authorized reclaimed 18.4 TB · 13 days earlier than fixed policy · breaches 0 λ
10 / Where it fits

One core. Swappable adapters.

The vocabulary changes per domain. The algorithm does not.

A

Regulated retention

Never delete under a legal or regulatory hold. Prove the verified copy landed first, with an audit trail by construction.

B

Media production

Drain expensive online edit storage without ever cutting a clip an active production still references.

C

Research / HPC

Land results in durable storage, provably, before the scratch purge deadline fires and the work is gone.

D

Cost-bound infra

Reclaim the expensive transient tier the moment it is provably safe, not a fixed number of days later.

Your domain.

If a counterparty can punish premature deletion, it's an adapter. Three questions: who can punish release? when does each clock clear? what proves the handoff? The engine never changes.

▸ one adapter, not a rewrite
11 / FAQ

Questions worth asking.

What is Seedrift, in one line? +
An obligation-aware data-lifecycle engine: it reclaims expensive storage at the earliest provably-safe instant, never on a timer, and never without a verified copy.
How is this different from HSM or cloud lifecycle rules? +
Those trigger on age or last-access. Seedrift triggers on a heterogeneous external-obligation graph, with verify-before-delete and cross-store placement welded into one unattended loop. That specific combination is the difference.
What is an "obligation"? +
Anything that makes premature deletion costly: a retention period, a legal hold, an SLA dwell time, a downstream consumer that has not confirmed receipt, a compute window. Each is tracked as its own clock.
What does "verified" actually mean? +
Byte-identical, confirmed by content hash on the destination store itself, not by a transfer tool reporting success. No proof, no delete.
What happens when something is ambiguous? +
It fails closed. Any doubt resolves to "do not delete." Safety is the construction, not a configurable option.
Can it survive infrastructure failing mid-run? +
Yes. Every stage is idempotent and resumable from an unknown, partially-broken state, including the machine running it disappearing mid-step.
How do new domains get supported? +
A small adapter answers three questions: who can punish release, when each clock clears, and what proves the handoff. It inherits the solver, verifier and placement unchanged.
When can I use it? +
The private beta is opening soon, rolling out to obligation-heavy teams first.

Nothing leaves until it's provably safe.

That is the entire promise, and the entire product.

Private beta · opening soon How it works
View
seedrift.com · rendered for machines · markdown
SEEDRIFT obligation-aware data lifecycle Sections: [The problem](#problem) [The shift](#intro) [Our approach](#approach) [Where it fits](#fit) [FAQ](#faq) [PRIVATE BETA](#waitlist) [HUMAN VIEW](toggle)
# Seedrift Obligation-aware data lifecycle. Reclaim by proof, never by a timer. > Reclaim by obligation. Never on a timer. Never without proof. A closed loop that frees expensive storage the instant it is provably safe. No timers. No unverified deletes. No data you can't get back.
## 01 / The problem You delete by the clock. The clock lies. - It deletes on a timer. After N days, after last-access. Wrong when being wrong is catastrophic. - It calls age a proxy. The real question is who still requires this, and until when. - It trusts the transfer. It frees the source on "copy reported done," not on proof. - It hands you the loop. No product ships the finished, unattended whole. Every irreversible data loss started as a confident delete. We make confident mean proven.
## 02 / The shift Age-based: file -> age > N days? -> DELETE (risk: irreversible) Seedrift: asset -> clocks clear? -> verified? -> RECLAIM (safe)
## 03 / What you get - Obligation graph: one asset, many clocks, one safe decision. - Verify before delete: freed only once provably byte-identical. - Earliest-safe instant: the soonest moment, not a fixed delay. - Resumable: idempotent across stores that fail differently.
## 04 / Our approach 1. Build the graph: every obligation as an independent clock with its counterparty. 2. Solve earliest-safe: soonest instant all binding clocks clear or transfer. 3. Verify, then release: prove a byte-identical copy landed, then free the source.
## 05 / Seedrift vs age-based metric seedrift age-based decisions backed by proof of obligation 100% ~0% deletes without a verified copy 0 unbounded storage held past earliest-safe ~0d N days irreversible-loss exposure none catastrophic
## 06 / Capabilities - Heterogeneous obligation graph (time, ratio, ack, hold), per asset. - Counterparty-truth: reads the holder's real state, not a local cache. - Cross-store placement: resumable, rate-aware, across lying stores. - Idempotent recovery from any partial, broken state. - Quarantine, never misfile. - Fail-closed by default.
## 07 / By the numbers N->1 obligation clocks resolved into one decision 0 deletes without a verified copy ~0d held past the earliest-safe instant 100% verify-before-delete
## 08 / Engineered Built for the paranoid. Moving the bytes is the easy part; proving release stays safe, continuously, against systems that lie, is the rest. - Constraint solving across heterogeneous obligation clocks. - Transferability proofs: move a duty to a cheaper holder vs blocking reclaim. - Provably fail-closed under stale state and mid-run failure. KPIs: +13d median storage freed earlier than a fixed policy; 0 breaches.
## 09 / Decision object { "decision": "reclaim", "gate": "obligation_graph", // never age "obligations": [ {"type":"retention","state":"cleared"}, {"type":"downstream_ack","state":"cleared"}, {"type":"legal_hold","state":"transferred","to":"escrow:cold-2"} ], "verify": {"mode":"byte_identical","result":"pass"}, "on_ambiguity": "fail_closed", "idempotent": true, "reclaimed_tb": 18.4, "earlier_than_fixed_policy_days": 13, "breaches": 0 }
## 10 / Where it fits - Regulated retention: never delete under hold; prove the verified copy first. - Media production: drain edit storage without cutting a referenced clip. - Research / HPC: land results durably before the scratch purge fires. - Cost-bound infra: reclaim the expensive tier the moment it is safe. Your domain: if a counterparty can punish premature deletion, it is an adapter. Three questions: who can punish release, when each clock clears, what proves the handoff. The engine never changes.
## 11 / FAQ Q: What is Seedrift, in one line? A: An obligation-aware data-lifecycle engine: reclaims storage at the earliest provably-safe instant, never on a timer, never without a verified copy. Q: How is this different from HSM or cloud lifecycle rules? A: Those trigger on age. Seedrift triggers on a heterogeneous obligation graph, with verify-before-delete and cross-store placement in one unattended loop. Q: What does "verified" mean? A: Byte-identical, confirmed by content hash on the destination store itself. Q: When can I use it? A: The private beta is opening soon, obligation-heavy teams first.
--- Copyright © 2026 agnt. All rights reserved. seedrift://agnt · private beta