Agentic Security

Built on Lodestar OSS · In development · pre-launch

Your team governs your agent fleet.

Approve, audit, and prove what your AI agents actually do. Machinaut is the hosted, multi-tenant trust layer on top of Lodestar OSS — not another observability dashboard.

Lodestar OSS already lets you see one agent's reasoning chain, locally. Machinaut is how a team governs a fleet: multi-tenant, actionable, shareable.

It's early — Machinaut is in active development on Lodestar v0.4.0, and nothing is generally available yet. Every capability carries an honest status — see the roadmap.

The loop (illustrative)

$ lodestar ship sess_8f21c4

✓ shipped 142 envelopes → machinaut.cloud

hold opened · L4 · push to main

approver opens why-chain · observations → beliefs → decision

signed decision · verified customer-side

action proceeds

The category

A trust layer, not a dashboard.

Machinaut is Agentic Security: governing what an agent does and proving why — the epistemic chain from observation to decision. That is a different job from the tools it's often confused with.

Not "see your agent's chain"

Lodestar OSS already renders one operator's reasoning chain, locally and read-only. We don't resell that.

Not observability

Langfuse, LangSmith, and Phoenix watch tokens and traces. Machinaut governs what an agent does — and proves why.

Not model-boundary security

Jailbreak and prompt-injection defense guard the model input. Machinaut guards the agent's actions and the epistemic chain behind them.

“Your team governs your agent fleet: approve, audit, prove.”

Multi-tenant · Actionable · Shareable

The spine — non-negotiable invariant

Machinaut never hosts the agent runtime.

The write side and the approver keys stay in your environment. Machinaut cloud is the read-side and approval authority, fed by envelope ingest. A shared hosted runtime would fight Lodestar's process-local design — so we don't host the writer; we ingest copies of its output.

Customer environment

Data plane · OSS · you run this

  • Guard proxy → action-kernel → adapters
  • Event-log writer (NDJSON)
  • Approver keys (Ed25519)
  • Approval file side-channel

Customer → cloud: envelopes ship
Cloud → customer: signed decision

Machinaut cloud

Control plane · we run this

  • Ingest → tenant store → indexed search
  • projectChain · renderReport (read-only)
  • Explorer · approval relay · inbox
  • Governance · fleet · retention

A cloud compromise cannot forge approvals. Verification happens customer-side, after transport — the channel is pure transport, and the forgery boundary never moves into the cloud.

Open-core boundary

We don't claim open source as our own.

Lodestar OSS ships a lot for free. Machinaut's value is hosting, multi-tenancy, ingestion, indexed search, the approval write-path, and fleet governance — never the things the OSS already does locally.

Lodestar OSS already ships

OSS

Free, local, single-operator. We never rebuild or rebrand these.

  • Single-operator Governing UI: chain explorer, report, raw events, read-only pending-approvals, SSE tail
  • Sensitivity-ceiling redaction; tamper-evident payload hashing
  • Policy Kernel: 3-valued gate, trust-ladder, Ed25519 signed approvals
  • Postgres firewall backends; OTel export; calibration math (ECE / Brier)

Machinaut owns

Machinaut

Genuinely needs a hosted, multi-tenant product.

  • Identity / org / tenant model + SSO & RBAC
  • Ingestion — getting local NDJSON logs off the box and into a tenant store
  • Indexed search across sessions (the viewer brute-scans; dead at scale)
  • The approval write-path as a product; cross-session fleet & governance views

The wedge, one line: multi-tenant, multi-user, actionable, shareable — versus OSS's single-operator, loopback, read-only, local.

The magic moment

One loop: hold → ship → approve → prove.

The free tier is the whole loop, for a solo user — and the solo workflow is never gated. Here's the path an action takes.

  1. A high-risk action holds

    Your guarded proxy hits an L4 action — say, a push to main — and the policy kernel opens a hold. The decision stays in your environment.

  2. announce notifies

    A best-effort, ceiling-gated push tells the approver a hold is open. It can never change the outcome — only its visibility.

  3. The session ships

    lodestar ship sends a copy of the session's envelopes to Machinaut — or it's already there from a prior ship. No live tail; freshness is cheap re-ship.

  4. The approver reads the why

    In the hosted explorer they open the chain: observations → beliefs → decision. The full evidence trail, not just the action.

  5. A signed decision returns

    Approve or Deny is Ed25519-signed and fetched back down — then verified customer-side against operator-pinned keys. Machinaut is pure transport.

  6. The action proceeds

    The verified grant releases the hold and the action runs. A held push-to-main, approved from a phone — and the cloud could never have forged it.

Security & trust model

The forgery boundary does not move.

Approvals are Ed25519-signed and verified customer-side, after transport, against operator-pinned keys. A malicious or compromised endpoint can only delay an approval — and a delay resolves to deny. It cannot mint, upgrade, replay, or revive a grant.

Enterprise

Customer-held keys

Machinaut is pure transport and cannot forge, period. A security story no observability vendor can tell.

Free / Pro

Machinaut-managed keys

Convenience: Machinaut signs on the operator's behalf. Honest trade-off — a cloud compromise can sign for that tenant.

The two tiers differ in exactly one thing: who holds the signing key. The channel credential never reaches the event log, and the endpoint is operator-pinned config — never discovered from agent or log content.
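
The customer-side check this section describes, as an added example in Go (not Lodestar or Machinaut code): the `Grant` fields, the hold ID and the `Release` function are hypothetical, and the sample grants are constructed. It verifies the raw bytes against the pinned keys before parsing them, and resolves a missing, forged, replayed or expired grant to deny.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Grant is a hypothetical approval payload (assumed fields, not Lodestar's wire format).
type Grant struct {
	HoldID, Action, Decision string
	Expires                  int64 // unix seconds
}

// Release runs customer-side: pinned holds the operator-pinned keys, open maps
// hold ID -> action being held locally. Every failure path is a deny.
func Release(pinned []ed25519.PublicKey, open map[string]string, payload, sig []byte, now time.Time) bool {
	signed := false
	for _, k := range pinned {
		signed = signed || ed25519.Verify(k, payload, sig)
	}
	var g Grant
	if !signed || json.Unmarshal(payload, &g) != nil {
		return false // forged, signed by an unpinned key, or nothing arrived in time
	}
	act, held := open[g.HoldID]
	if !held || act != g.Action || g.Decision != "approve" || now.Unix() >= g.Expires {
		return false // replayed, upgraded to another action, denied, or expired
	}
	delete(open, g.HoldID) // single use: the same grant cannot release twice
	return true
}

// demo feeds constructed grants to Release and returns each verdict.
func demo() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil) // a key the operator never pinned
	pinned, open := []ed25519.PublicKey{pub}, map[string]string{"h1": "push:main"}
	b, _ := json.Marshal(Grant{"h1", "push:main", "approve", 2000})
	sig, now, r := ed25519.Sign(priv, b), time.Unix(1000, 0), map[string]bool{}
	r["forged"] = Release(pinned, open, b, ed25519.Sign(rogue, b), now)
	r["timeout"] = Release(pinned, open, nil, nil, now)
	r["expired"] = Release(pinned, open, b, sig, time.Unix(3000, 0))
	r["valid"] = Release(pinned, open, b, sig, now)
	r["replay"] = Release(pinned, open, b, sig, now)
	return r
}

func main() { fmt.Println(demo()) }
```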

Roadmap

Built in the open about what's built.

The launchable free tier is P0 + P0.5 together. Status reflects reality, not ambition.

In development
P0

Ingest + Explorer + Share

Hosted, multi-tenant explorer over shipped sessions, with shareable chain-report links. The OSS shipper (ADR-0014) landed in v0.4.0; ingest + explorer are scaffolded.

In development
P0.5

Approval Inbox + Calibration

The differentiator: calibration charts and sentinel alerting are built; the live approval inbox awaits the OSS approval channel (ADR-0015).

Planned
P1+

Team governance & beyond

SSO/RBAC, org & policy management, fleet views, then memory-firewall console, registry, and enterprise parity.

Govern your fleet before it governs you.

Machinaut is in active development. Join the waitlist to follow along — and run the whole loop yourself today with Lodestar OSS.

Self-host is unlimited and free, forever. Cloud free tier covers the solo loop.