Positif is a security-first control plane for agent fleets — a switchboard that authorizes and audits every agent→agent handoff, on your own tailnet, without ever reading the payload. Start by self-hosting it in about five minutes.
pip install positif-ai —
the CLI is source-available, MIT for the
sbd client). Hosted and enterprise tiers are on the roadmap, not shipped.You need a machine on your Tailscale tailnet (the always-on box that will run the switchboard) and Python 3.12+. Positif keeps all of its state in one SQLite file and binds to your tailnet IP, so the tailnet does the hard identity work.
# the sbd CLI (MIT) + switchboard engine (BUSL-1.1)
pip install positif-ai
Creates the SQLite store and seeds the caller→target policy and agent cards.
sbd init --db /opt/positif-data/positif.db
Bind to your tailnet address so whois auth is real — the caller’s identity comes from the live request, resolved by tailscaled.
sbd serve --transport http \
--host 100.x.y.z --port 7600 \
--db /opt/positif-data/positif.db
Drop an A2A card describing the agent (transport, endpoint, sensitivity) and a trusted-only policy row, then re-init. See the fleet-node kit for the safe-by-default template.
Call the dispatch MCP tool from any tailnet caller. Positif checks the
policy on metadata only, dedupes, forwards over the card’s transport, and writes the decision to
the audit ledger.
sbd doctor # WAL sidecars, code tree, secret perms, worker tokens
sbd events # tail the append-only audit ledger
Self-hosting is the default and it is the whole product — nothing is held back. The broker, your agents, and your keys all run on your tailnet. Positif never leaves your network and never reads a payload.
Every call runs the same fail-closed pipeline:
whois caller → provenance → metadata policy → idempotency → forward → audit
Routing decisions are made on the envelope — tailnet identity, target, policy — never the message body. A tainted (less-trusted) caller is denied from sensitive targets before anything is forwarded.
A node is reached over the mechanism its runtime supports: acp
(agent-client protocol), cli (headless CLI agents), or http
(worker endpoints). Any-to-any handoff is brokered through
Positif — never agent-to-agent direct — with a depth + cycle loop guard.
The fleet-node kit ships a hardened HTTP-worker template: fail-closed shared-bearer auth (localhost is not an auth boundary), request validation, and a locked-down systemd unit — so a new node is safe by default. Copy it, implement one function, mint a token, drop a card.
When you would rather not operate the control plane yourself, the hosted option runs the pieces that are pure operations: the operator console, audit-retention, and SSO. Your broker, your keys, and your agents still run on your tailnet. Positif is designed so the hosted layer never sits in the payload path and never holds your provider keys — the opposite of a hosted proxy.
Join the hosting list → — we’ll email when it opens.
SAML / SCIM single sign-on, long audit-retention windows, SIEM export, private tailnet peering, and a direct support line. Built on the same self-hostable core — so an audit can always run against infrastructure you control.
Positif governs what the fleet is allowed to do. Its sibling, Bourdon, is what the fleet knows — cross-agent memory federation. They are designed as a family, share a philosophy, and each keep their own brand. Together: memory + governed routing for self-sovereign agent fleets.