platform live — pairun.dev

The enterprise platform
for AI agents

Deploy, secure, observe, and govern AI agents with the same operational guarantees production infrastructure demands.

Explore the platform View architecture
terminal pai v0.2.0
Platform Capabilities

Everything agents need
to run in production

Integrated capability planes purpose-built for the demands of agentic AI workloads — from lifecycle and auto-scaling to zero-trust security and full observability.

Lifecycle & Auto-scaling

Declarative agent specs, controller-driven reconciliation, and metric-driven autoscaling. Scale on token rate, JIRA backlog depth, or any HTTP endpoint — no HPA required.

Observability

Token consumption and tool calls logged per workload. Tamper-evident cryptographic audit chain queryable via the CLI. Budget enforcement with hard daily cutoffs per agent.

Security

Non-root execution, seccomp syscall filtering, Landlock filesystem confinement, and a cryptographic audit chain on every agent. AI-specific threat detection built in.

Identity Management

Every agent gets a cryptographic SPIFFE identity. Secrets injected at runtime, agents never hold credentials. Platform-brokered OAuth to third-party services.

LLM Gateway

A unified, OpenAI-compatible endpoint for all agents. Route across OpenRouter, Anthropic, OpenAI, and local models with fallback chains, cost limits, and semantic caching.

Service Bindings

Connect agents to Jira, GitHub, Slack, and more. Each binding carries its own access control policy. Agents get exactly the permissions they need, nothing more.

Deploy as Code

Every agent is a
declarative manifest

No scripts, no manual wiring. A single YAML declares the model, tools, security posture, identity, enterprise bindings, and resource budget — and the platform reconciles the rest.

modelBindings Pin to one or more models. Swap LLM providers without touching agent code.
providers Declare Jira and GitHub access. The platform brokers auth — the agent never holds credentials.
autoscaling Scale replicas automatically based on token rate, JIRA backlog depth, or any HTTP metric endpoint.
tokens.maxPerDay Hard budget cap enforced by the LLM Gateway. No runaway spend.
filesystem Kernel-level write restrictions via Landlock LSM. Protect config files and system paths from a compromised agent.
agent.yaml 
apiVersion: pai.io/v1
kind: AgentWorkload
metadata:
  name: research-agent
  namespace: team-a
spec:
  image: registry.internal/openclaw:v1.2.0
  modelBindings:
    - claude-sonnet-4-6              # pinned to specific Claude model
    - gemini-flash                   # fallback / secondary model
  providers:
    - jira-read-comment              # read issues, post comments — no admin
    - github-pr-writer               # create PRs, scoped to org/repo-a
  autoscaling:
    minReplicas: 1
    maxReplicas: 5
    metrics:
      - type: tokenRate
        targetValuePerReplica: 500   # add replica per 500 tok/min
      - type: http
        url: https://jira.co/rest/api/2/search?jql=status=Open
        jsonPath: total
        targetValuePerReplica: 10   # 1 agent per 10 open tickets
  tokens:
    maxPerDay: 50000               # hard budget cap
    maxPerRequest: 8192            # context window limit
  filesystem:
    readOnlyPaths: [/etc, /home/node/.config]  # Landlock write-deny
Security

Embedded at every layer

Four domains, zero gaps. From continuous risk assessment through runtime, identity, and data — including AI-specific threats no existing platform understands.

Continuous Risk Assessment

  • Live risk score per workload, updated in real time as new CVEs are published
  • Workloads exceeding configured risk thresholds are automatically blocked or flagged
  • SBOM generated at push time; the basis for all ongoing risk calculations
  • Embedded secret detection in image layers before admission
  • Image signing enforced via Cosign / Sigstore
  • Compliance posture mapped to SOC2, ISO 27001, NIST AI RMF

Runtime Protection

  • Kernel-level syscall filtering blocks dangerous operations platform-wide — no configuration required
  • Per-path filesystem confinement — declare which paths an agent can write to; the kernel enforces it
  • Every subprocess launched by an agent is recorded in a tamper-evident audit log
  • Root execution is rejected at deploy time, not discovered at runtime
  • No privilege escalation possible — enforced at the platform level, not by the agent
  • Agents can only reach services they have been explicitly granted access to — all other traffic is blocked

Identity & Access Management

  • Every agent gets a cryptographic SPIFFE workload identity — unique, short-lived, auto-rotated
  • Human operators authenticate via SSO (OIDC / SAML) with platform-scoped RBAC
  • Just-in-time access: elevated permissions granted for a bounded window, then revoked
  • Non-human identity governance: all machine credentials inventoried and lifecycle-managed
  • Federation with corporate IdP (Okta, Azure AD, Ping)
  • Admin-level actions require approval workflow and are fully logged

Data Protection

  • Encryption at rest (AES-256) with platform-managed or customer-managed keys (BYOK)
  • mTLS on all internal traffic; TLS 1.3 minimum for external communication
  • PII detection and configurable masking on agent inputs, outputs, and logs
  • Data classification labels (public to restricted) enforced through access policies
  • Data residency controls — workloads and data pinned to specific regions
  • Secrets rotation schedules, expiry, and automatic revocation on workload termination

Cryptographic Audit Chain & AI-Specific Threat Detection

  • Every agent action — LLM calls, tool calls, service requests, process launches, and policy denials — is written to a tamper-evident audit chain
  • Chain integrity can be verified at any time, even after the agent is gone
  • Access policies can be updated on running agents instantly, without a restart
  • Shadow mode: validate new policies against live traffic before switching to enforcement
  • Prompt injection detection on inbound tool results before feeding to the agent
  • Runaway token consumption is caught and cut off at the gateway before it becomes a cost incident
LLM Gateway

One endpoint. Every model.
Full control.

Agents target a ModelBinding, not a provider. The gateway handles routing, fallback, cost enforcement, and credential isolation.

AgentWorkload
OpenAI-compatible API
single endpoint
Pai LLM Gateway
AuthN/Z ModelPolicy Router Rate Limiter Semantic Cache Cost Tracking Telemetry
routed by ModelBinding
Anthropic
Gemini
OpenAI
OpenRouter
Why not call providers directly?

Credential isolation

API keys live in the platform secret store. Agents have zero knowledge of provider credentials.

Cost attribution

Token consumption tracked and budgeted per agent. Hard cutoffs prevent runaway spend before it hits your bill.

Audit trail

Every LLM call logged with model, tokens, latency, cost, and the agent identity that made it.

Smart fallback

Platform-aware failover chains. If quota is exceeded or a provider is down, route to the next option seamlessly.

Provider agnostic

Switch models or providers without touching agent code. Your agents target an abstraction — the platform handles the rest.

Service Bindings

Connect agents to
your enterprise tools

Every binding to an external system carries its own access control policy. Agents get exactly the permissions they need. Nothing more.

jira-read-comment
Jira · mycompany.atlassian.net
issues:read issues:comment projects:admin
github-pr-writer
GitHub · org/repo-a, org/repo-b
pulls:create issues:read admin:*
slack-post-only
Slack · #alerts, #deployments
messages:post channels:read users:list
pagerduty-trigger
PagerDuty · ops-team service
incidents:create schedules:*

Per-binding access control — a first-class primitive

Action-level policies

Each binding declares an explicit allow/deny list of actions. An agent can have read-only access to Jira and write access to GitHub simultaneously — no shared policy surface.

Credential isolation

API keys, OAuth tokens, and app credentials live in the platform secret store. The agent process never sees them. All requests are proxy-brokered using short-lived scoped tokens.

Scope restrictions

Go beyond action policies — restrict a GitHub binding to specific repositories, a Jira binding to specific projects, or a Slack binding to specific channels.

Full audit trail

Every API call through a binding is logged: calling agent identity, timestamp, action, target resource, and outcome. Compliant by default.

Instant revocation

Disable a binding platform-wide in one operation. All agents using it lose access immediately — no redeployment required.

Architecture

Built on Kubernetes.
Extended for agents.

Pai extends Kubernetes with AI-native CRDs and a control plane that understands agent semantics, not just containers.

Control Plane
Lifecycle Controller Autoscaler Loop LLM Gateway API Server Provider Policy Engine DNS + TLS Provisioner Audit Chain Store
reconciles & manages
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Agent Pod
Agent Container Provider Proxy (sidecar) Exec Audit (LD_PRELOAD) Landlock LSM
Platform Primitives
Primitive Purpose K8s Analogy
AgentWorkload Declarative agent spec — image, models, providers, autoscaling, filesystem rules, token budget, inbound port Deployment
ModelBinding Which LLM an agent can use, with provider, model, daily token budget, and API key reference StorageClass
Provider Connection to an external service (GitHub, AWS, Jira, Slack…) with scoped action policy, HTTP rules, audit mode, and credential isolation ExternalSecret + NetworkPolicy
PaiAccessToken Scoped CLI access token — SHA-256 hashed, namespace-isolated, supports expiry and user env injection ServiceAccount + RBAC
Get Started

Deploy your first agent
in under 5 minutes

Install Pai, connect your LLM provider, and deploy an AI agent with full observability and zero-trust security.

Quickstart Guide Read the Docs
helm install pai pai/pai
Install via Helm
pai create -f agent.yaml
Deploy an agent