Why the existing meshes don’t fit
Istio, Linkerd, and Consul were designed for one shape of traffic: stateless HTTP request/response between microservices. The enforcement model is route-based — you define which service can call which endpoint, and the mesh proxies traffic accordingly. That model breaks down the moment the unit of work is not a request but an action.
Agent actions are richer than HTTP calls. A tool invocation carries intent, parameters, and context about what informed the decision to invoke it. An escalation transfers authority from one agent to another. A handoff passes an entire conversation with its accumulated state. None of these map cleanly to a route and a verb. The enforcement point for agent actions needs to understand what the agent is trying to do, not just where the packet is headed.
What Bosun models
The primitive in Bosun is the action authorization, not the request. When an agent attempts an action — calling a tool, escalating to a human, handing off to another agent — Bosun evaluates the action against its policy set before anything executes. Actions carry context declarations: structured provenance about what data informed the decision, which prior actions led here, and what session the action belongs to.
Context declarations are what make audit chains possible across agent fleets. When Agent B acts on the output of Agent A, the declaration on Agent B’s action references Agent A’s session and the specific data types that flowed between them. This is not logging after the fact — it is structured metadata attached at the point of authorization, before execution.
Policy at the boundary
Action governance happens outside the agent, and this is a deliberate architectural choice. An agent attempting an unauthorized escalation never executes the escalation. Bosun blocks it, logs the attempt with the full action context, and returns a denial that includes the specific rule that fired and why. The agent receives a structured rejection, not a timeout or a generic error.
This matters because agents should not be trusted to self-govern. An agent that enforces its own access rules is an agent where a prompt injection can disable enforcement. Moving the governance boundary outside the agent — into infrastructure the agent cannot modify — is the same principle as running a firewall on the network, not inside the application.
Where this is headed
Context declarations open a path to retroactive correlation with Nautilus, the data broker. If Agent B acts on data that originated in Agent A’s session, Bosun’s declaration on Agent B’s action contains enough provenance to let the system verify the full chain of custody: which data sources were accessed, through which sessions, under which policies, and whether the composite exposure across the chain was itself authorized.
That correlation layer is currently in design. The implementation will be built on Fathom’s CLIPS engine, where the chain-of-custody verification is expressed as pattern matching over accumulated facts from both Bosun’s action log and Nautilus’s session state. The goal is a single query: given this action, was every step in its provenance chain authorized under the policies that were active at the time?