Know what your AI agents are doing. Prove it later.
When you run more than one AI agent, they start talking to each other — and today, nobody’s
watching. Positif sits in the middle like a switchboard operator: every request between agents is
permission-checked, logged, and loop-protected before it goes through. It never reads the
messages — a phone bill, not a wiretap.
liveswitchboard · one call, five checkshover to pause
One AI agent asks another to do something. No one approved it, no record exists, and if
something goes wrong you can’t reconstruct what happened. The more agents you add, the
worse it gets — every agent wired to every other agent, one hijacked agent able to reach them all.
Positif replaces that tangle with a single governed relay. Drag to see it.
tangled meshone relay
⇆
N agents → N² possible paths. Positif → one governed relay, every hop on the record.
What Positif promises — and what it doesn’t
Positif won’t stop someone from tricking an agent with a malicious prompt. Nothing
reliably does that today, and we won’t pretend otherwise. What Positif does is
limit the damage — a tricked agent can only reach
what policy allows — and keep receipts: a permanent
record of everything it tried.
The switchboard
Every request goes through the switchboard.
Positif checks each call is allowed, makes sure agents aren’t stuck in a loop calling
each other, and writes it in a log that can’t be edited afterward. It reads only the
outside of the envelope — who’s sending, who’s receiving — never the letter inside.
12,482 routed214 denied+37 last hrjust now
audit ledgerpayload sealed
alpha-7 → indexer-2allow14:02:09
planner-1 → writer-4in flight14:02:11
scraper-9 → paymentsdenied14:02:12
writer-4 → mailer-1allow14:02:14
ALLOWED
86%
DENIED
9%
RATE-LIMITED
5%
0
message payloads read
100%
of requests in the ledger
1 file
to run it — no extra infrastructure
Try it yourself
Place a call through the switchboard.
Pick a caller and a target. Watch the envelope move through the pipeline — and watch the
ledger above catch the outcome. Notice what happens when a web-facing agent tries to reach
something sensitive.
The policy here is the real default: web-facing callers can’t reach sensitive targets.
Run it your way
Runs on your own private network. Or let us run it.
Positif is yours to run — on your own private network (via Tailscale), where your keys and
agents never leave. That is the whole point, and it is free forever. When you would rather
not operate the control plane yourself, a managed option is coming. Either way you are never
locked in: take it in-house any time, no export dance.
The line we won’t cross
Positif never becomes the thing that holds your keys or reads your traffic. Self-host is
the default and stays real. Hosting is a convenience, not a cage.
available now
Self-host
Free · MIT CLI
The full switchboard on your network: identity, policy, loop guard, append-only audit log.
One file of state.
coming
Hosted console
Managed · you keep sovereignty
We run the dashboard, log retention, and sign-on. Your switchboard, keys, and agents stay
on your network — we never sit in the message path.
coming
Enterprise
SSO · SLA · private support
SAML/SCIM, long log-retention windows, SIEM export, private network peering, and a direct
line. For fleets under compliance.
Positif is a sibling, not a standalone. RADLAB ships two organs of one body:
Bourdon,
the cross-agent memory, and Positif, the cross-agent
routing. Together they are a fleet OS: what the fleet knows,
and what the fleet is allowed to do. They share a philosophy — measured, payload-respecting, built in public —
but each owns its branding. Positif keeps its own mark and its own sage; nothing is shared across the line.