Nautilus governs what agents know — data access, classification, clearance envelopes. But knowing the right data and doing the right thing are separate problems. An agent with valid clearance for a dataset can still take an unauthorized action with that data: escalate to the wrong team, call an external API it should not touch, or hand off context to an agent that is not cleared to receive it. Bosun closes that gap. It sits at the action boundary the same way Nautilus sits at the data boundary.

The core mechanism is context declaration. Before an agent takes any action, it declares the provenance of the context it is acting on — “I am escalating based on output from Agent A’s session 47.” That declaration gets logged as an audit trail. Bosun does not verify provenance in real time (that would require it to broker all inter-agent data, which is Nautilus’s job). Instead, it records the claim. Nautilus can retroactively correlate: was Agent B actually authorized to see Agent A’s session 47 output? If not, the attestation chain is broken, and the action is flagged. This catches lateral movement patterns that neither system would detect alone.
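An added sketch of the retroactive correlation described above, not Bosun or Nautilus code: the record shapes, field names, and sample data are assumptions constructed for illustration, since the page does not define either system's log format. It goes slightly beyond the text by also checking that a grant was still active when the declaration was made.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical record shapes (assumptions; not a published Bosun/Nautilus schema).
@dataclass(frozen=True)
class Declaration:            # claim recorded at the action boundary
    action_id: str
    agent: str                # agent taking the action
    action: str
    source_agent: str         # claimed provenance: whose output
    source_session: int       # claimed provenance: which session
    declared_at: int          # logical timestamp

@dataclass(frozen=True)
class Grant:                  # exposure the data broker actually authorized
    reader: str
    source_agent: str
    source_session: int
    granted_at: int
    revoked_at: Optional[int] = None

def correlate(declarations, grants):
    """Return (action_id, reason) for every declaration whose claimed source
    the declaring agent was not authorized to read at declaration time."""
    index = {}
    for g in grants:
        index.setdefault((g.reader, g.source_agent, g.source_session), []).append(g)
    flagged = []
    for d in declarations:
        windows = index.get((d.agent, d.source_agent, d.source_session), [])
        if not windows:
            flagged.append((d.action_id, "no grant for claimed source"))
        elif not any(g.granted_at <= d.declared_at and
                     (g.revoked_at is None or d.declared_at < g.revoked_at)
                     for g in windows):
            flagged.append((d.action_id, "grant not active at declaration time"))
    return flagged

# Constructed sample logs.
DECLARATIONS = [
    Declaration("act-1", "agent-b", "escalate", "agent-a", 47, 105),
    Declaration("act-2", "agent-c", "handoff", "agent-a", 47, 110),
    Declaration("act-3", "agent-b", "external_api_call", "agent-a", 52, 130),
]
GRANTS = [
    Grant("agent-b", "agent-a", 47, granted_at=100),
    Grant("agent-b", "agent-a", 52, granted_at=90, revoked_at=120),
]

if __name__ == "__main__":
    for action_id, reason in correlate(DECLARATIONS, GRANTS):
        print(f"FLAG {action_id}: {reason}")
```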

Policy evaluation runs on the same Fathom engine that powers Nautilus. Sub-millisecond decisions, CLIPS-based deterministic rules, Ed25519-signed attestations for every authorized action. No probabilistic filtering, no LLM-in-the-loop policy decisions. A deny is a deny. The rules are auditable, the decisions are reproducible, and the attestations are cryptographically verifiable after the fact.

Bosun is currently in the design phase. It is being developed alongside Fathom and Nautilus as the action governance layer of the stack. The architecture is specced, the Fathom integration points are defined, and the context declaration protocol is drafted. Active development begins once Nautilus v0.3 stabilizes the data broker interfaces that Bosun depends on.

What Bosun does

Action Governance

Nautilus controls what agents know. Bosun controls what they do. Every action — tool calls, escalations, handoffs, external API requests — passes through governance rules before execution.

Context Declaration

Agents must declare their context sources when taking action. "I'm acting on output from Agent A's session X." This creates an audit trail of claimed provenance, letting Nautilus retroactively correlate exposure state.

Fleet Attestation

Generates compliance attestations across agent fleets. Built on Fathom's CLIPS engine and Ed25519 signing infrastructure. Every authorized action is cryptographically attested and logged.