RavenFabric is a security-first distributed execution engine. End-to-end encrypted, network-agnostic, policy-driven. From full mesh VPN to fire-and-forget commands to declarative desired state — all within an airtight ZTNA policy layer.
Other tools start with powerful execution and bolt on access controls. RavenFabric inverts the model — policy is the entry point, execution happens within its bounds, and the agent on the target is the final authority. A compromised orchestrator cannot override agent policy.
One driver trait, many transports — WireGuard, QUIC, WebSocket, Tor, Reticulum, serial. Works through corporate proxies, NAT, and air-gaps. Cross-protocol upgrade in the background.
Noise XX everywhere — same cryptographic core as WireGuard. Mutual auth, forward secrecy, no PKI required. The relay sees only ciphertext.
Deny-by-default. Command-level allow/deny patterns. Immutable rules even admins cannot override. Double policy check — controller pre-flight and agent local.
VPN tunnel · port-forward · interactive shell · fire-and-forget · ordered tasks · multi-agent playbooks · declarative desired state with continuous drift detection.
Metrics, logs, traces, health probes — same encrypted channel, same policy, same audit. No separate Telegraf or Fluent Bit agent to deploy and secure.
Every decision — allowed or denied — written to structured JSON. Session recording for shell. Replay-grade traceability for compliance.
Modern infrastructure is held together by a brittle seam between network overlays, ZTNA gateways, configuration management, and observability agents. Each layer brings its own identity model, policy language, and failure modes. RavenFabric collapses that seam.
| Category | Products replaced |
|---|---|
| Mesh VPN | Tailscale · Headscale · NetBird · ZeroTier · SoftEther |
| ZTNA / Access proxy | Twingate · Pomerium · Cloudflare Access · Zscaler Private Access |
| Remote execution | Ansible · Salt · Puppet Bolt |
| Config management | Salt states · Puppet manifests · Chef recipes |
| Secure shell | SSH + bastion · Teleport · Boundary |
| Port forwarding | ssh -L/-R/-D · ngrok · frp |
| File transfer | scp · rsync over SSH |
| Data collection | Telegraf · Metricbeat · OpenTelemetry Collector · Fluent Bit · node_exporter |
Every interaction goes through the same policy engine and audit trail — whether it's an interactive shell, a one-shot command, or a declarative reconciliation across hundreds of agents.
# Generate one-time enrollment token $ rf token generate --agent prod-1 --ttl 1h → rf-otp-a3f9b2c1d4e5f6... # Agent enrolls, generates keypair locally $ rf-agent --enroll rf-otp-a3f9... ✓ Identity registered. Bootstrap closed. # Run a policy-checked command, E2E encrypted $ rf exec prod-1 "systemctl status nginx" ● nginx.service - high performance web server Active: active (running) audited · 105ms · noise-xx · wireguard-direct
# Even an admin cannot run unsanctioned commands $ rf exec prod-1 "rm -rf /etc" ✗ DENIED by RPCPolicy rule: commands.deny[2] - "^rm.*-rf" decision: rejected before execution audit: written to /var/log/ravenfabric/audit.jsonl # Immutable rules cannot be overridden $ rf exec prod-1 "chmod 777 /etc/ssh/sshd_config" ✗ DENIED by SecurityPolicy.immutable rule: neverAllowFileModify this rule cannot be relaxed by tenant policy
apiVersion: ravenfabric.io/v1alpha1 kind: DesiredState metadata: name: web-baseline spec: targets: selector: { labels: { role: web } } state: packages: - { name: nginx, state: installed } - { name: telnet, state: absent } services: - { name: nginx, state: running, enabled: true } convergence: mode: remediate intervalSeconds: 300
# Connection probes all transports in parallel $ rf connect prod-1 --strategy race [probe] wireguard-direct (ipv6).. ✓ 12ms [probe] quic-direct...............✓ 18ms [probe] websocket-relay.......... ✓ 47ms [probe] reticulum-mesh.......... ⋯ skipped ✓ Selected: wireguard-direct (ipv6) fallbacks held warm: quic, ws-relay upgrade scan: every 30s noise-xx handshake: complete