Skip to main content
RavenFabric
v0.3.0 · Alpha · AGPLv3 + Commercial

One fabric for transport, policy, and execution.

RavenFabric is a security-first distributed execution engine and AI agent security layer. End-to-end encrypted, network-agnostic, policy-driven. The safety infrastructure between AI agents and the systems they operate on — and between human operators and their entire fleet. Same cryptographic identity. Same policy. Same audit trail.

Download Latest Release See examples
Version Language License Latest Release
Crypto
Noise XX
Language
Rust 1.88+
Memory
< 10 MB idle
Trust model
Zero. Always.
Try it today

Running in 60 seconds.

quickstart
# Install
$ curl -sSL https://ravenfabric.io/install.sh | sh

# Start local relay + agent (dev mode, no config needed)
$ rf dev
✓ Local relay running on ws://[::1]:9090
✓ Agent "local" connected, policy: allow-all (dev)

# Execute a command — E2E encrypted, policy-checked, audited
$ rf exec local "echo hello from RavenFabric"
hello from RavenFabric

# See what gets denied
$ rf exec local "rm -rf /"
✗ DENIED — matches immutable deny rule: .*rm.*-rf.*/

rf dev runs a full relay + agent in one process with no authentication required. Production deployment uses mutual Noise XX authentication, OTP enrollment, and YAML policy files. Full setup guide →

Why

One binary. One policy. One trust root.

Today's infrastructure requires a dozen tools bolted together: a VPN for network access, SSH for shells, Ansible for execution, Prometheus for metrics, ZTNA for access control. Each has its own auth model, its own attack surface, its own failure mode.

The problem is fragmentation

Five different authentication systems. Five different audit logs. Five different teams maintaining five different tools — each a potential breach point.

The fix is convergence

One cryptographic identity. One policy engine. One audit stream. One static binary that deploys everywhere from data centers to Raspberry Pis.

Why now (2026)

NIS2 mandates zero-trust. Subsea cable sabotage demands transport diversity. Monoculture VPNs are single points of failure. Air-gap is no longer edge-case.

What it is

Not a task runner with security added.
A security-first policy engine that also executes.

Other tools start with powerful execution and bolt on access controls. RavenFabric inverts the model — policy is the entry point, execution happens within its bounds, and the agent on the target is the final authority. A compromised orchestrator cannot override agent policy.

01

Network-agnostic

One driver trait, many transports — WireGuard, QUIC, WebSocket, Tor, Reticulum, serial. Works through corporate proxies, NAT, and air-gaps. Cross-protocol upgrade in the background.

02

End-to-end encrypted

Noise XX everywhere — same cryptographic core as WireGuard. Mutual auth, forward secrecy, no PKI required. The relay sees only ciphertext.

03

Policy-driven

Deny-by-default. Command-level allow/deny patterns. Immutable rules even admins cannot override. Double policy check — controller pre-flight and agent local.

04

Full execution spectrum

VPN tunnel · port-forward · interactive shell · fire-and-forget · ordered tasks · multi-agent playbooks · declarative desired state with continuous drift detection.

05

Built-in data collection

Metrics, logs, traces, health probes — same encrypted channel, same policy, same audit. No separate Telegraf or Fluent Bit agent to deploy and secure.

06

Audit everything

Every decision — allowed or denied — written to structured JSON. Session recording for shell. Replay-grade traceability for compliance.

Architecture

Seven layers. One binary.

Every layer is a separate crate — testable, replaceable, auditable independently. Policy and audit sit beside execution, not bolted on after the fact. 13 crates, ~53,700 lines of Rust, 1,094 tests.

RavenFabric 7-layer architecture diagram showing crypto, transport, RPC, audit, policy, executor, and application layers
What it replaces

Eight categories of tooling collapsed into one binary.

Modern infrastructure is held together by a brittle seam between network overlays, ZTNA gateways, configuration management, and observability agents. Each layer brings its own identity model, policy language, and failure modes. RavenFabric collapses that seam.

Category Products replaced
Mesh VPN Tailscale · Headscale · NetBird · ZeroTier · SoftEther
ZTNA / Access proxy Twingate · Pomerium · Cloudflare Access · Zscaler Private Access
Remote execution Ansible · Salt · Puppet Bolt
Config management Salt states · Puppet manifests · Chef recipes
Secure shell SSH + bastion · Teleport · Boundary
Port forwarding ssh -L/-R/-D · ngrok · frp
File transfer scp · rsync over SSH
Data collection Telegraf · Metricbeat · OpenTelemetry Collector · Fluent Bit · node_exporter
Comparison

How RavenFabric compares to existing tools

Capability RavenFabric Tailscale + Ansible SSH + bastion
E2E encryptionNoise XX (no TLS, no certs)WireGuard + SSH keysSSH only
Policy engineBuilt-in, deny-by-defaultSeparate (Ansible vault/roles)None (shell access = full access)
Audit trailStructured JSON, every actionAnsible logs + Tailscale adminShell history (easily deleted)
Air-gap supportFirst-class (DTN, USB, radio)NoneManual sneakernet
Transport diversityWS, QUIC, WireGuard, LoRa, TorWireGuard onlyTCP only
Agent binarySingle static <15 MBTailscale + Python + AnsibleOpenSSH
Mobile / IoTAndroid, iOS, RPi, ESP32Tailscale (mobile) + no AnsibleLimited
Relay trustZero (content-blind)Coordination server sees metadataBastion sees all traffic
Use Cases

Built for everyone who manages machines.

Platform Engineer

Replace your Ansible playbooks, Tailscale mesh, and monitoring stack with a single binary. Ship one artifact, authenticate once, control everything.

Homelab Enthusiast

Run one agent on each Raspberry Pi, NAS, and VM. Reach any device from anywhere — no port forwarding, no dynamic DNS, no VPN config files to maintain.

Security Team

Deny-by-default policy on every node. Every command audit-logged. No shell access without policy approval. Mutual authentication on every connection — no trust anchored to network position.

IoT / Edge Fleet

Static 5 MB binary runs on constrained ARM devices. Store-and-forward delivery for intermittent connectivity. Automatic transport migration when paths degrade.

SRE / Incident Responder

Concurrent command execution across hundreds of nodes. Background jobs with ID tracking. Stream stdout in real time. No SSH key sprawl to manage during an outage.

Developer

One rf exec command from your laptop to any environment. Instant feedback, no bastion hop, no VPN toggle. Completions for your shell included.

AI Agent Security Layer

The safety infrastructure between AI agents and your systems.

AI agents — Claude, GPT, Cursor, autonomous coding agents, operational AI — need real access to real systems. But they hallucinate commands, fall for prompt injection, and operate at machine speed when things go wrong. RavenFabric is the policy-enforced execution gateway that makes AI agent access safe, auditable, and revocable.

01

Local and remote, same controls

Whether the AI agent runs on your laptop (Claude Code, Cursor, Aider) or reaches remote infrastructure — the same Noise XX authentication, the same policy engine, the same audit trail applies. Local does not mean trusted.

02

MCP-native integration

Model Context Protocol server (rf-mcp-server) exposes RavenFabric as tools to any MCP-compatible AI agent. Stdio transport for Claude Desktop/Code; HTTP+SSE for multi-user deployments. Drop-in setup, no code changes.

03

Command-level deny-by-default

Every command the AI agent attempts is checked against policy before execution. Dangerous patterns (rm -rf, credential access, network exfiltration) are blocked regardless of how the agent phrases them. The agent cannot override, work around, or modify its own policy.

04

Human-in-loop approval workflows

Sensitive operations require explicit human approval before execution. The agent requests, the human decides. Approval routing via terminal prompt, Slack, or email. Timeout-enforced — no silent waiting forever.

05

Per-session cryptographic identity

Each AI agent session gets a short-lived Curve25519 identity. Sessions expire, cannot be reused, and are independently revocable. No long-lived credentials for an AI agent to leak or misuse.

06

Replay-grade audit with reasoning

Every action logged with the agent's stated reasoning (--reason). Reconstruct exactly what the agent did, why it thought it should, what was denied, and what was approved. Compliance-ready for EU AI Act traceability.

Behavioral anomaly detection

Tracks velocity, novelty, timing, and escalation patterns per session. Detects when an AI agent's behavior deviates from baseline — sudden bursts, new command categories, privilege escalation attempts. Alerts routed via webhook in real-time.

RBAC per caller

Different AI agents get different policies. Map tokens to policy profiles — CI agents get deploy commands, coding agents get file access, monitoring agents get read-only. Least privilege enforced per identity, not per server.

Prompt injection containment

When adversarial instructions hidden in documents or data manipulate the AI agent, RavenFabric's policy prevents those instructions from causing damage. The policy is outside the agent's context — it cannot be jailbroken.

Token rotation & revocation

Zero-downtime token rotation via comma-separated fallback or file-based hot-reload. Revoke a compromised token instantly — all sessions using it are terminated. No grace period for attackers.

Skill-file distribution

Teach any AI agent how to use RavenFabric with a single skill file. Compatible with Claude, Claude Code, Cursor, Aider, and any runtime supporting prompt augmentation. The agent learns rf exec, respects denials, and reports limitations honestly.

No existing competitor

Tailscale, Teleport, Boundary — all human-operator focused. No product today positions specifically as the security layer between AI agents and systems. RavenFabric fills this gap with production-grade cryptography and policy enforcement already built.

Full AI agent architecture: AI Agent Access Use Case · MCP Server Reference · Agent Skill Reference

FAQ

Frequently asked questions

Why not just use Tailscale + Ansible?

That combination works but requires two trust domains, two auth systems, and gives no end-to-end encryption between orchestrator and agent. The relay/coordination server sees metadata. Ansible has no real-time streaming, no built-in policy engine, and requires Python on targets.

Why Rust?

Memory safety without garbage collection. Single static binary (no runtime deps). Fearless concurrency for async I/O. Compiles to every target from x86 to RISC-V to WASM. Sub-10 MB binaries.

Why AGPLv3?

Prevents silent forks as managed services without contributing back. Commercial dual-license available for enterprises that need proprietary integration. AGPLv3 ensures the community always has access.

Is it production-ready?

Not yet. v0.1 is feature-complete alpha — the architecture is proven, security model sound, transport diversity implemented (WebSocket, QUIC, WireGuard, DNS tunnel, serial), fuzz-tested, and CI-verified across 8 targets. Stabilization and API finalization remain before a production label.

Who is this for?

Security-conscious infrastructure teams. Public sector architects needing NIS2 compliance. MSPs managing diverse fleets. Anyone running systems in hostile, air-gapped, or low-connectivity environments.

Can I access the source code?

Source code access is available under commercial license or for qualified partners under NDA. Public open-source release is planned following commercial model finalization. Reach out via the contact details in security.txt.

Compliance

Security you can prove.

RavenFabric's architecture maps directly to major security frameworks. Every control is documented, every claim is backed by code.

NIST SP 800-207

Full Zero Trust Architecture alignment. Policy Engine, Policy Administrator, and Policy Enforcement Point map directly to rf-policy, rf-agent, and rf-executor.

EU NIS2 Directive

All 10 measures under Article 21(2) addressed. Cryptographic policies, incident detection, access control, supply chain security, and business continuity.

NSM Grunnprinsipper

Norwegian National Security Authority basic principles. Full coverage across Identify, Protect, Detect, and Respond categories.

OWASP ASVS Level 2

91% pass rate across 58 applicable verification requirements. Authentication, cryptography, data protection, and access control fully satisfied.

MITRE ATT&CK

44 enterprise techniques mapped. 80% mitigated or detected. Cryptographic identity eliminates entire credential attack categories.

CIS Controls v8.1

51 safeguards evaluated at Implementation Group 2. 80% full pass, 92% pass including partial coverage. Focused on data protection, access, audit, and network defense.

Full compliance documentation: ravenfabric.io/docs/compliance/

Examples

Same fabric. Same policy. Many shapes.

Every interaction goes through the same policy engine and audit trail — whether it's an interactive shell, a one-shot command, or a declarative reconciliation across hundreds of agents.

enroll & execute
# Generate one-time enrollment token
$ rf token generate --agent prod-1 --ttl 1h
→ rf-otp-a3f9b2c1d4e5f6...

# Agent enrolls, generates keypair locally
$ rf-agent --enroll rf-otp-a3f9...
 Identity registered. Bootstrap closed.

# Run a policy-checked command, E2E encrypted
$ rf exec prod-1 "systemctl status nginx"
● nginx.service - high performance web server
   Active: active (running)
  audited · 105ms · noise-xx · wireguard-direct
enrollment via OTP → cached identity → encrypted exec
deny-by-default
# Even an admin cannot run unsanctioned commands
$ rf exec prod-1 "rm -rf /etc"
✗ DENIED by RPCPolicy
  rule: commands.deny[2] - "^rm.*-rf"
  decision: rejected before execution
  audit: written to /var/log/ravenfabric/audit.jsonl

# Immutable rules cannot be overridden
$ rf exec prod-1 "chmod 777 /etc/ssh/sshd_config"
✗ DENIED by SecurityPolicy.immutable
  rule: neverAllowFileModify
  this rule cannot be relaxed by tenant policy
policy enforced before execution, both sides
desired-state.yaml
apiVersion: ravenfabric.io/v1alpha1
kind: DesiredState
metadata:
  name: web-baseline
spec:
  targets:
    selector: { labels: { role: web } }
  state:
    packages:
      - { name: nginx, state: installed }
      - { name: telnet, state: absent }
    services:
      - { name: nginx, state: running, enabled: true }
  convergence:
    mode: remediate
    intervalSeconds: 300
declarative convergence + continuous drift detection
transport-agnostic
# Connection probes all transports in parallel
$ rf connect prod-1 --strategy race
[probe] wireguard-direct (ipv6)..  ✓ 12ms
[probe] quic-direct...............✓ 18ms
[probe] websocket-relay..........  ✓ 47ms
[probe] reticulum-mesh..........   ⋯ skipped

 Selected: wireguard-direct (ipv6)
  fallbacks held warm: quic, ws-relay
  upgrade scan: every 30s
  noise-xx handshake: complete
any network — direct, NAT-traversed, relayed, or air-gap
enroll & execute
# Generate one-time enrollment token
$ rf token generate --agent prod-1 --ttl 1h
→ rf-otp-a3f9b2c1d4e5f6...

# Agent enrolls, generates keypair locally
$ rf-agent --enroll rf-otp-a3f9...
 Identity registered. Bootstrap closed.

# Run a policy-checked command, E2E encrypted
$ rf exec prod-1 "systemctl status nginx"
● nginx.service - high performance web server
   Active: active (running)
  audited · 105ms · noise-xx · wireguard-direct
enrollment via OTP → cached identity → encrypted exec
deny-by-default
# Even an admin cannot run unsanctioned commands
$ rf exec prod-1 "rm -rf /etc"
✗ DENIED by RPCPolicy
  rule: commands.deny[2] - "^rm.*-rf"
  decision: rejected before execution
  audit: written to /var/log/ravenfabric/audit.jsonl

# Immutable rules cannot be overridden
$ rf exec prod-1 "chmod 777 /etc/ssh/sshd_config"
✗ DENIED by SecurityPolicy.immutable
  rule: neverAllowFileModify
  this rule cannot be relaxed by tenant policy
policy enforced before execution, both sides
desired-state.yaml
apiVersion: ravenfabric.io/v1alpha1
kind: DesiredState
metadata:
  name: web-baseline
spec:
  targets:
    selector: { labels: { role: web } }
  state:
    packages:
      - { name: nginx, state: installed }
      - { name: telnet, state: absent }
    services:
      - { name: nginx, state: running, enabled: true }
  convergence:
    mode: remediate
    intervalSeconds: 300
declarative convergence + continuous drift detection
transport-agnostic
# Connection probes all transports in parallel
$ rf connect prod-1 --strategy race
[probe] wireguard-direct (ipv6)..  ✓ 12ms
[probe] quic-direct...............✓ 18ms
[probe] websocket-relay..........  ✓ 47ms
[probe] reticulum-mesh..........   ⋯ skipped

 Selected: wireguard-direct (ipv6)
  fallbacks held warm: quic, ws-relay
  upgrade scan: every 30s
  noise-xx handshake: complete
any network — direct, NAT-traversed, relayed, or air-gap

See all use cases →

Status — Latest release: v0.3.0

Building in the open. Roadmap is public.

  • Done Crypto layer — Noise XX, key management, secure channel v0.3.0
  • Done Policy engine — RPCPolicy, deny-by-default, immutable rules v0.3.0
  • Done Audit logging — structured JSON-lines, replay-grade v0.3.0
  • Done Bootstrap — OTP enrollment, single-use tokens v0.3.0
  • Done RPC layer — msgpack codec, request/response types v0.3.0
  • Done WebSocket transport, relay broker, rate limiting, HMAC auth v0.3.0
  • Done Agent + CLI — exec, status, dev mode, shell completions v0.3.0
  • Done QUIC + WireGuard direct + STUN hole-punching v0.3.0
  • Done Interactive shell, port-forwarding, playbooks v0.3.0
  • Done Full mesh VPN, MagicDNS, sealed secrets v0.3.0
  • Done Reticulum, Tor, serial drivers — air-gap support v0.3.0
Threat Model

What the architecture guarantees

Relay is content-blind

The relay broker forwards encrypted bytes. It never holds key material, never decrypts payloads, and cannot read commands or responses. Compromise the relay? The attacker sees ciphertext.

Agent compromise is bounded

Even with root on an agent, the attacker is limited to what that agent's policy allows. No lateral movement — each agent has its own key, policy, and audit trail. Revoke the key and the agent is dead.

Controller is constrained

A compromised controller can only issue commands already permitted by each agent's local policy. The policy engine is deny-by-default and evaluated locally — the controller cannot override it.

Immutable security invariants

Some rules are non-negotiable: no command without policy check, no connection without handshake, audit log is append-only, keys are zeroed on drop. These cannot be disabled by configuration.

Network adversary model

An attacker on the wire sees: Noise XX handshake (no identifying info), encrypted frames with 16-byte MACs, and relay-forwarded ciphertext. No metadata leaks, no cleartext, no session cookies.

Audit is tamper-evident

Every action (allowed or denied) produces a structured audit entry. The log is append-only with timestamps, caller keys, and matched rules. Deletion or modification is detectable.

Built by

RavenFabric is invented by Erling Kristiansen, a security-focused systems engineer based in Norway. The project exists because secure remote execution shouldn't require stitching together five different tools — and because air-gapped networks deserve first-class support, not afterthoughts.

Open source under AGPLv3. Commercial licensing available for enterprise use.

Stay updated

Low-volume updates on releases, security advisories, and roadmap milestones. No spam.

Powered by Buttondown. Unsubscribe anytime.