pre-alpha · built in public
The agent control plane
Who’s online, what’s in flight,
what’s allowed, what’s audited.
Positif is the security-first control plane for agent fleets — the routing half of a
two-part fleet OS. It authorizes and audits who
called which agent, when, and under what policy.
Payload-blind — routing decisions never read message content.
The gap
Agents hand work to each other in the dark.
An agent calls another agent directly. Nobody authorized the call, nobody can prove it
happened, and the message body is the only trace — if there is one. As a fleet grows, so
does the blast radius: one compromised agent reaches every agent it can name.
Positif’s claim
Containment and provenance — not prevention. Positif does not claim to stop prompt
injection. It contains what an agent can reach
and proves what it did.
The switchboard
Every handoff goes through the switchboard.
Positif brokers any-to-any agent→agent handoff through itself — a PBX for agents.
Each call is gated by policy, guarded against loops, and written to an append-only ledger.
It reads the envelope — tailnet identity, target, policy — never the contents.
audit ledger · live
payload sealed
alpha-7 → indexer-2
allow
14:02:09
planner-1 → writer-4
in flight
14:02:11
scraper-9 → payments
denied
14:02:12
writer-4 → mailer-1
allow
14:02:14
100%
of handoffs in the ledger
1 file
of state — no IdP, no Kafka
Run it your way
Self-host on your tailnet. Or let us run it.
Positif is yours to run. The broker, your keys, and your agents live on your own tailnet —
that is the whole point, and it is free forever. When you would rather not operate the
control plane yourself, a managed option is coming. Either way you are never locked in:
take it in-house any time, no export dance.
The line we won’t cross
Unlike a hosted-only proxy, Positif never becomes the thing that holds your keys or reads
your traffic. Self-host is the default and stays real. Hosting is a convenience, not a cage.
available now
Self-host
Free · MIT CLI
The full broker on your tailnet: whois identity, policy gate, idempotency, loop-guarded
any-to-any handoff, append-only audit. One file of state.
coming
Hosted console
Managed · you keep sovereignty
We run the operator console, audit-retention, and SSO. Your broker, keys, and agents
still run on your tailnet — we never sit in the payload path.
coming
Enterprise
SSO · SLA · private support
SAML/SCIM, long audit-retention windows, SIEM export, private tailnet peering, and a
direct line. For fleets under compliance.
The family
One half of a two-part fleet OS.
Positif is a sibling, not a standalone. RADLAB ships two organs of one body:
Bourdon,
the cross-agent memory, and Positif, the cross-agent
routing. Together they are a fleet OS: what the fleet knows,
and what the fleet is allowed to do. They share a philosophy — measured, payload-respecting, built in public —
but each owns its branding. Positif keeps its own mark and its own sage; nothing is shared across the line.
Routes the fleet. Reads nothing. Proves everything.
Honest status
Pre-alpha. Here’s what’s missing.
Naming the gaps is part of the pitch. Positif is built in public and changes weekly; treat
anything below the line as a promise we have not kept yet.
Tailnet identity · policy gate · audit ledgerworking
Loop-guarded any-to-any brokeringworking
Multi-tenant policy editorin flight
SIEM / audit exportin flight
Hosted control plane (self-host only today)not yet
SDKs beyond the MIT CLInot yet
The order
Identity first. Policy second. Audit third.