positif
pre-alpha · built in public
The agent control plane

Who’s online, what’s in flight,
what’s allowed, what’s audited.

Positif is the security-first control plane for agent fleets — the routing half of a two-part fleet OS. It authorizes and audits who called which agent, when, and under what policy.

Payload-blind — routing decisions never read message content.

Start self-hosting read the source →
The gap

Agents hand work to each other in the dark.

An agent calls another agent directly. Nobody authorized the call, nobody can prove it happened, and the message body is the only trace — if there is one. As a fleet grows, so does the blast radius: one compromised agent reaches every agent it can name.

Positif’s claim
Containment and provenance — not prevention. Positif does not claim to stop prompt injection. It contains what an agent can reach and proves what it did.
The switchboard

Every handoff goes through the switchboard.

Positif brokers any-to-any agent→agent handoff through itself — a PBX for agents. Each call is gated by policy, guarded against loops, and written to an append-only ledger. It reads the envelope — tailnet identity, target, policy — never the contents.

audit ledger · live payload sealed
alpha-7 indexer-2 allow 14:02:09
planner-1 writer-4 in flight 14:02:11
scraper-9 payments denied 14:02:12
writer-4 mailer-1 allow 14:02:14
0
message payloads read
100%
of handoffs in the ledger
1 file
of state — no IdP, no Kafka
Run it your way

Self-host on your tailnet. Or let us run it.

Positif is yours to run. The broker, your keys, and your agents live on your own tailnet — that is the whole point, and it is free forever. When you would rather not operate the control plane yourself, a managed option is coming. Either way you are never locked in: take it in-house any time, no export dance.

The line we won’t cross
Unlike a hosted-only proxy, Positif never becomes the thing that holds your keys or reads your traffic. Self-host is the default and stays real. Hosting is a convenience, not a cage.
available now
Self-host
Free · MIT CLI
The full broker on your tailnet: whois identity, policy gate, idempotency, loop-guarded any-to-any handoff, append-only audit. One file of state.
coming
Hosted console
Managed · you keep sovereignty
We run the operator console, audit-retention, and SSO. Your broker, keys, and agents still run on your tailnet — we never sit in the payload path.
coming
Enterprise
SSO · SLA · private support
SAML/SCIM, long audit-retention windows, SIEM export, private tailnet peering, and a direct line. For fleets under compliance.
Read the quickstart get notified about hosting →
The family

One half of a two-part fleet OS.

Positif is a sibling, not a standalone. RADLAB ships two organs of one body: Bourdon, the cross-agent memory, and Positif, the cross-agent routing. Together they are a fleet OS: what the fleet knows, and what the fleet is allowed to do. They share a philosophy — measured, payload-respecting, built in public — but each owns its branding. Positif keeps its own mark and its own sage; nothing is shared across the line.

positif
positif
routing · this site
bourdon
memory · bourdon.ai →
Routes the fleet. Reads nothing. Proves everything.
Honest status

Pre-alpha. Here’s what’s missing.

Naming the gaps is part of the pitch. Positif is built in public and changes weekly; treat anything below the line as a promise we have not kept yet.

Tailnet identity · policy gate · audit ledgerworking
Loop-guarded any-to-any brokeringworking
Multi-tenant policy editorin flight
SIEM / audit exportin flight
Hosted control plane (self-host only today)not yet
SDKs beyond the MIT CLInot yet
The order
Identity first. Policy second. Audit third.