§ control plane for agent fleets

Agent governance. Remarkably simple.

Users, agents, policy, MCP. Four streams — one loom. powerloom weaves your fleet into a governed fabric with hash-chained audit on every pass.

deployed on aws · hash-chained audit · multi-runtime · v 0 5 2
governance tapestry · declared once · applied everywhere · hash-chained
§ 01 · the governance gap

Every AI governance tool lives inside one chat window. Your fleet doesn't.

When one team has seven agents and legal has its own quiet three, the question stops being “is the agent behaving” and starts being “who is allowed to deploy an agent here, against which data, with whose credentials, and where is the record.” That is an operations problem.

Today · the prototype era

Governance lives in a sidebar.

One IDE. One chat surface. One prompt interface. Fine for a prototype. Insufficient when the legal team has its own quiet three agents and nobody can list them.

→ blast radius: unknown
powerloom · the fleet era

Governance is the control plane.

Directory-shaped OUs. Role bindings with deny precedence. Hash-chained audit. The shapes your admin team already knows how to reason about — applied to agents.

→ blast radius: scoped by policy
§ 02 · how it works

Three steps. Declare → plan → apply.

Describe your org as YAML manifests. Plan the diff against live state. Apply with a single command. Every change lands in the hash-chained audit log. Runs in GitHub Actions, GitLab CI, or any pipeline.

01
declare

Write the manifest.

YAML. Multi-document. Version-controlled. One file per resource or one per fleet. Same manifest shape IT already knows from Terraform and Kubernetes.

apiVersion: powerloom/v1
kind: RoleBinding
metadata:
  principal_ref: group:/acme/eng-leads
  role: OUAdmin
  scope_ou_path: /acme/engineering
  decision_type: allow

02
plan

Preview the diff.

weave plan reads your manifests, diffs each resource against live state, and prints exactly what will change. Create, update, noop — field by field. Nothing applied yet.

$ weave plan acme/
+ ou acme/engineering/platform
+ role-binding eng-leads → OUAdmin
~ role-binding contractors → deny
+ agent pg-writer
Plan: 4 create, 1 update, 0 destroy

03
apply

Apply — and the audit log seals.

weave apply reconciles in dependency order. Each resource applied independently. Every decision lands in the append-only, SHA-256 hash-chained log. Modify any historical row and every subsequent hash breaks.

$ weave apply acme/ --auto-approve
✓ ou acme/engineering/platform
✓ role-binding eng-leads → OUAdmin
✓ agent pg-writer
✓ mcp-deployment pg-analytics
4 applied, 0 failed · run apl_9f2ac4

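An added illustration of the tamper-evidence property described in step 03, not powerloom's own code: a minimal SHA-256 hash chain in which editing one historical row invalidates every later row. The row layout, the all-zero genesis value, the canonical-JSON encoding and the sample events are assumptions constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first row


def row_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous row's hash plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log: list, event: dict) -> None:
    """Append-only write: each row commits to the hash of the row before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "event": event, "hash": row_hash(prev, event)})


def broken_rows(log: list) -> list:
    """Recompute the chain from genesis; return indexes of rows that no longer verify."""
    bad, expected_prev = [], GENESIS
    for i, row in enumerate(log):
        expected = row_hash(expected_prev, row["event"])
        if row["prev_hash"] != expected_prev or row["hash"] != expected:
            bad.append(i)
        expected_prev = expected  # carry the recomputed hash forward, not the stored one
    return bad


def build_sample_log() -> list:
    """Constructed sample rows modelled on the apply output above."""
    events = [
        {"run": "apl_9f2ac4", "kind": "ou", "name": "acme/engineering/platform"},
        {"run": "apl_9f2ac4", "kind": "role-binding", "principal": "eng-leads", "role": "OUAdmin"},
        {"run": "apl_9f2ac4", "kind": "agent", "name": "pg-writer"},
        {"run": "apl_9f2ac4", "kind": "mcp-deployment", "name": "pg-analytics"},
    ]
    log = []
    for event in events:
        append(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(broken_rows(log))                       # untouched chain verifies
    log[1]["event"]["principal"] = "contractors"  # edit one historical row
    print(broken_rows(log))                       # that row and every later row fail
```

A chain like this detects edits only when the verifier holds a trusted copy of the latest hash. Someone able to rewrite the entire tail can recompute it, so the head hash should be stored or signed outside the log.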
§ 03 · agent memory

Every session makes every agent smarter.

16 service modules. Hebbian associative learning, consolidation during sleep, 4-D validation, injection-hardened. All governed by the same RBAC and audit chain as the rest of the platform.

Memory isn't a retrieval hack bolted on. It's architecture — designed from neuroscience, hardened for enterprise.

16 service modules · 231+ tests passing · 4D Kairos validation
§ 04 · the platform

Eight things you shouldn't have to build. We built them.

01

Directory-shaped OUs.

Nest agents, groups, and MCP deployments. Inheritance flows down. The tree your admin team already operates.

02

Deny-first RBAC.

5 built-in roles, custom roles scoped to OU or org. Deny precedence. Last-admin protection. Simulator before enforcement.

03

Approval gates.

High-impact actions require a second approver. The approval is itself a first-class audit event.

04

Hash-chained audit.

Every tool call, every policy decision, SHA-256 linked. Modify one row and every subsequent hash breaks. SOC 2 ready.

05

MCP multiplexer.

17 templates — Postgres, Slack, GitHub, Jira, S3, more. Per-call policy evaluation before every tool invocation.

06

Declarative reconciler.

Everything is a YAML manifest. Plan, apply, diff. Drift detection. CI/CD native — runs in any pipeline.

07

Per-tenant isolation.

Your own VPC, your own KMS key, your own database. No shared compute. AWS, IaC via Terraform.

08

Biologically-inspired memory.

Hebbian learning. 4-D Kairos validation. Injection-hardened. Every session makes every agent smarter.

§ start governing

The plumbing is real.
The governance is rigorous.

41+ versioned builds. 760+ tests. Deployed on AWS. Invite-only beta.