Technology

Five systems. One control plane.

RBAC. Audit. MCP multiplexer. Memory. Reconciler. Each one is production-grade. Together they form the governance layer that sits above any agent runtime.

01
Identity & access

Directory-grade RBAC.

Agents, humans, and services share the same identity model: organizational units, security groups, and role bindings. Deny-override inheritance means a deny at any level wins over any allow below it. Deterministic. Auditable. Familiar.

  • 5 built-in roles — OrgAdmin, OUAdmin, AgentAuthor, DeploymentOperator, Viewer
  • Custom roles — scoped to OU or org, with fine-grained permission sets
  • Group membership — agents and humans assigned to groups, groups bound to roles
  • Deny precedence — deny bindings override allow at the same or lower scope
  • Last-admin protection — prevents accidental lockout of the final OrgAdmin
rbac evaluation
principal  usr.raj
action     agent.invoke
resource   agent:pg-writer
scope      /acme/engineering/platform

bindings:
  allow  eng-leads → OUAdmin     (platform)
  allow  usr.raj → AgentAuthor   (platform)
  deny   contractors → *         (acme)

resolution: allow
reason:     usr.raj ∈ eng-leads
            no deny binding matches
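
The evaluation shown above, worked as an added example (not Powerloom's own code): bindings attached at the target scope or any ancestor are collected for the principal and its groups, and any matching deny is final. The role-to-permission table, the `Binding` shape, and the rule that a deny anywhere on the path wins are assumptions made for the sketch; the page lists role names but not their permissions.

```python
# Added illustration: deny-override evaluation over a scope hierarchy.
# ROLE_PERMS is an assumed mapping; the page does not list role permissions.
from dataclasses import dataclass

ROLE_PERMS = {
    "OUAdmin": {"agent.invoke", "agent.edit", "binding.edit"},
    "AgentAuthor": {"agent.invoke", "agent.edit"},
    "*": {"*"},  # wildcard role used by the deny binding in the sample
}

@dataclass(frozen=True)
class Binding:
    effect: str   # "allow" or "deny"
    subject: str  # user id or group name
    role: str
    scope: str    # path where the binding is attached

def in_scope(binding_scope, target_scope):
    """True if the binding sits at the target scope or at an ancestor of it."""
    b, t = binding_scope.rstrip("/"), target_scope.rstrip("/")
    return t == b or t.startswith(b + "/")  # "/acme" must not match "/acmecorp"

def grants(role, action):
    perms = ROLE_PERMS.get(role, set())
    return "*" in perms or action in perms

def evaluate(principal, groups, action, scope, bindings):
    """Return (decision, deciding_binding); no matching binding means deny."""
    subjects = {principal} | set(groups)
    matched = [b for b in bindings
               if b.subject in subjects and in_scope(b.scope, scope)
               and grants(b.role, action)]
    denies = [b for b in matched if b.effect == "deny"]
    if denies:  # a deny on the path wins over every allow
        return "deny", denies[0]
    allows = [b for b in matched if b.effect == "allow"]
    return ("allow", allows[0]) if allows else ("deny", None)

# The three bindings from the sample evaluation on this page.
BINDINGS = [
    Binding("allow", "eng-leads", "OUAdmin", "/acme/engineering/platform"),
    Binding("allow", "usr.raj", "AgentAuthor", "/acme/engineering/platform"),
    Binding("deny", "contractors", "*", "/acme"),
]
SCOPE = "/acme/engineering/platform"
```

With usr.raj in eng-leads only, the result is allow; adding usr.raj to contractors flips it to deny even though both allow bindings still match.
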
02
Compliance

Cryptographic audit chain.

Every agent turn, tool call, policy decision, and memory operation lands in an append-only, SHA-256 hash-chained log. Each row's hash incorporates the previous row's hash. Modify any historical entry and every subsequent hash breaks.

  • Append-only — database trigger rejects updates and deletes
  • Canonical serialization — deterministic JSON representation for hash stability
  • Advisory locks — pg_advisory_xact_lock prevents concurrent chain corruption
  • Daily verification — worker recomputes the full chain for every org
  • SOC 2 ready — closes the audit trail control without a separate GRC tool
audit chain entry
{
  "seq":            4892,
  "event_type":     "tool.call",
  "actor":          "agent:pg-writer",
  "action":         "sql.explain",
  "decision":       "allow",
  "prev_hash":      "sha256:7a3f...b2e1",
  "hash":           "sha256:9c1d...f4a8",
  "timestamp":      "2026-04-22T14:22:08Z"
}
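
How such a chain is built and re-verified, as an added example (not Powerloom's implementation): each row's hash covers its canonical JSON, including prev_hash, so the verifier can name the first row that no longer links. The exact hash input, the genesis value, and the sample events are assumptions; the field names follow the entry above.

```python
# Added illustration of a SHA-256 hash chain over canonical JSON rows.
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor for the first row

def canonical(row):
    """Deterministic bytes: sorted keys, no optional whitespace, UTF-8."""
    return json.dumps(row, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def row_hash(row):
    """Hash every field except the stored 'hash'; prev_hash is included."""
    body = {k: v for k, v in row.items() if k != "hash"}
    return "sha256:" + hashlib.sha256(canonical(body)).hexdigest()

def append(chain, event):
    """Link a new row to the current head and store its hash."""
    row = dict(event, seq=len(chain) + 1,
               prev_hash=chain[-1]["hash"] if chain else GENESIS)
    row["hash"] = row_hash(row)
    chain.append(row)
    return row

def verify(chain):
    """Return the 1-based position of the first bad row, or None if intact."""
    prev = GENESIS
    for position, row in enumerate(chain, start=1):
        if (row.get("seq") != position            # gap or reordering
                or row.get("prev_hash") != prev   # link to predecessor broken
                or row.get("hash") != row_hash(row)):  # row content changed
            return position
        prev = row["hash"]
    return None

def demo_chain():
    """Three constructed events modelled on the entry shown on the page."""
    chain = []
    for action, decision in [("sql.explain", "allow"),
                             ("sql.select", "allow"),
                             ("sql.delete", "deny")]:
        append(chain, {"event_type": "tool.call", "actor": "agent:pg-writer",
                       "action": action, "decision": decision,
                       "timestamp": "2026-04-22T14:22:08Z"})
    return chain
```

Recomputation only catches edits that leave later rows untouched: a writer able to rewrite every subsequent row can rebuild a consistent chain, so the head hash should also be recorded somewhere the database writer cannot modify.
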
03
Tool authorization

MCP multiplexer.

Every tool call an agent makes passes through the MCP multiplexer. Per-template policy engines evaluate read/write restrictions, allowlists, row limits, and scope boundaries before any tool call executes. Shared infrastructure — no per-agent server instances.

  • 17 templates — Postgres, Slack, GitHub, Jira, Salesforce, Gmail, Zendesk, S3, and more
  • Per-call policy — every tool invocation is authorized before execution
  • FleetConfigCache — 10-second poll, shared across all agents in the org
  • Path & subdomain routing — multiple MCP deployments on shared infrastructure
  • Envelope encryption — AES-256-GCM for credentials, per-row random nonce
Postgres
Slack
GitHub
Jira
Salesforce
Gmail
Zendesk
S3
Confluence
Linear
Notion
BigQuery
Stripe
HubSpot
Datadog
PagerDuty
Custom
04
Intelligence

Biologically-inspired memory.

16 service modules. Hebbian associative learning, consolidation pipelines, 4-dimensional validation, injection defense, rot-aware context assembly. Every session makes every agent smarter. Governed by the same RBAC and audit chain as everything else.

  • Hebbian learning — co-retrieval strengthens associations with saturation brake
  • Kairos validation — 4-D gate: consistency, grounding, novelty, alignment
  • Context assembler — 7 sections, token budgets, rot-aware interleaving
  • Scope promotion — job → role → org with human review gates
  • Shadow eval — precision@k, recall@k, MRR, NDCG without affecting agents
memory pipeline
session.complete → consolidation
  events:       12 captured
  attribution:  3 chunks contributed
  patterns:     +1 extracted
  anti_patterns: 0

kairos_validation:
  consistency:  0.94
  grounding:    0.88
  novelty:      0.76
  alignment:    0.91
  verdict:      pass

hebbian_update:
  edges_strengthened: 2
  edges_decayed:      4
  new_hub_detected:   false
05
Operations

Declarative reconciler.

Every resource in Powerloom — agents, MCP deployments, role bindings, workflows — is a YAML manifest. The reconciler continuously syncs declared state to live state. Drift detection alerts when the live state diverges. Plan/apply/diff.

  • Atomic apply — all resources in a manifest are provisioned as a unit
  • Drift detection — reconciler detects and optionally reverts live-state divergence
  • CI/CD native — weave apply runs in GitHub Actions, GitLab CI, or any pipeline
  • Multi-runtime — 10+ provider drivers behind a unified reconciler interface
  • Rollback — revert to any previous declared state via manifest version
$ weave apply -f agents/
planning changes against ou=platform …

+ agent          pg-writer
                  model=claude-sonnet-4-6
+ mcp-binding    pg-analytics → pg-writer
~ role-binding   contractors ✗ AgentAuthor
                  (effect: allow → deny)
+ approval       billing-review
                  (gate: tag=billing)

4 changes · 0 warnings
 applied in 1.4s · run apl_9f2ac4
Start governing

Built for production.

38 versioned builds. 760+ tests. Deployed on AWS. The architecture is real and the governance is rigorous.
