History

Politico Pumps Nazi Führerprinzip as Hungary Personality Cult

Leave a comment

Alexander Burns wrote a fascist op-ed in Politico today and framed it as electoral advice for Democrats.

His argument is so weak it’s hard to understand how it made it out. He says Viktor Orbán’s defeat in Hungary proves that “disruptive” leaders who commandeer institutions and remake them through force of personality represent the winning “path to power.”

Marvel comics make some want to believe in a supermensch, yet really the stories should do the exact opposite.

His examples include Trump, Macron, Milei, Meloni, Carney, and now Peter Magyar. Burns treats this list as evidence of characters with ideological range. Never mind how the power hungry flip to whatever party cedes them control, it is evidence of something else entirely.

Every figure in Burns’s “eclectic club” shares exactly one trait. They personalized institutional power. They treated party structures as vehicles to be seized, deliberative processes as obstacles, and democratic legitimacy as something conferred by the act of disruption itself. Burns calls this a “path to power” as though the mechanism were ideologically neutral.

The mechanism is the ideology. It has an actual name in history. The Führerprinzip: the leader embodies the movement, the institution exists to serve the leader, the program is the leader’s will. Trump incidentally tried to promote himself as Jesus Christ today. while insulting the Pope.

Burns describes such personality-driven concentration of power with sheer admiration, cataloging each successful seizure as though collecting trading cards. Magyar is “stubborn, imperious and self-absorbed.” Carney defied predictions. Trump devoured a party from inside. Burns presents all of this as a winning formula rather than a recognizable pattern of democratic erosion.

Sewer Socialists Knew What’s Wrong

There is a strong American counter-tradition Burns should have consulted. Milwaukee’s sewer socialists governed America’s largest Socialist-led city for most of the first half of the twentieth century. Victor Berger, Daniel Hoan, and Frank Zeidler won elections repeatedly. They held power for decades.

They did it by building sewers. Their personalities aren’t the point.

Click to enlarge. Source: In These Times

The sewer socialists defeated the patronage machines of both major parties through visible, material competence. Clean water. Honest books. Public health infrastructure. The leader was interchangeable because the platform was the point. Milwaukee kept electing socialists because the city worked. Voters responded to demonstrated governance against a backdrop of corruption.

Burns’s frame makes this tradition invisible. Once you define successful politics as personality-driven disruption, governance competence becomes irrelevant. The program disappears. The leader becomes the program.

Two Mamdanis

Mahmood Mamdani’s Citizen and Subject offers the structural critique Burns needed and ignored. Mamdani argued that colonial and postcolonial institutional structures create the categories of political possibility. The bifurcated state does not get fixed by swapping personnel at the top. The question is what the institutions connect to, who they serve, and what they reproduce.

Burns treats institutions as empty vehicles waiting for the right driver. Mamdani would say the vehicle determines the destination. When you celebrate the seizure of institutional power as the defining act of politics, you foreclose the question of what institutions should actually do. You make governance reform structurally unthinkable. All that remains is the next seizure.

And then there is Mahmood Mamdani’s son.

Zohran Mamdani is the 112th mayor of New York City. A democratic socialist state assemblyman from Queens who beat Andrew Cuomo in the primary. He took office on January 1, 2026. On the same day Burns published his column about how Democrats need a charismatic disruptor, Mayor Mamdani marked his 100th day in office by filling potholes in the Bronx.

He called it “pothole politics,” and he used the exact phrase: “our 2026 answer to sewer socialism.”

Mamdani has spent his first hundred days riding the subway, fielding 311 calls, cleaning up illegal dumping sites, and securing $1.2 billion for universal childcare with Governor Hochul. His argument is the sewer socialist argument: basic services rebuild trust in government. Competence is the platform. The program is the point.

Burns could have looked across the East River. The largest city in America is being governed right now by a democratic socialist who explicitly rejects the model Burns is selling. A mayor whose father wrote the definitive structural critique of the personality-driven politics Burns celebrates. A mayor who won a massive upset against the ultimate insider candidate and then governed through potholes and childcare instead of spectacle.

Burns did not mention him! The guy who claims to admire personality, omitted one of the strongest personality victories in American history.

That omission tells you everything about what the Politico column was actually supposed to pump.

Fascist Complicity

Burns covered Trump’s takeover of the Republican Party. He wrote a book about it. He watched Meloni’s rise in real time. He knows what he is describing.

He describes it anyway. He puts Trump and Macron in the same analytical bucket and claims that as an insight. He lists Meloni alongside Carney and treats the juxtaposition as evidence of range rather than a warning. He advises Democrats to find their own version of a Mussolini-strongman pattern while the living counter-example fills potholes ten blocks from the Politico newsroom.

This is his complicity. Burns understands he is celebrating a cult of personality. He has the historical knowledge to see what it produces. He packages it as horse-race analysis because that is what he probably expects to deliver him rewards.

The Receipts

The Führerprinzip was not a metaphor. It was Article 1 of the NSDAP’s organizational principles: the leader’s authority flows downward, accountability flows upward, the party exists as an instrument of the leader’s will. Every “disruptive insurgent” Burns admires followed this operational template. Some produced better outcomes than others. The template meanwhile remained the same.

The sewer socialists produced fifty years of effective municipal governance, exposed machine corruption through performance rather than spectacle, and built lasting institutional capacity. Milwaukee’s socialist administrations are studied in public administration programs to this day. They are the bedrock of American infrastructure.

Mahmood Mamdani’s work has shaped a generation of scholarship on how institutional design reproduces or disrupts power relations. His argument is precisely that the personality of the leader is the least important variable. Structure reproduces itself, while dictators have yet to clone themselves.

His son is proving it in real time, in America’s largest city, on the same day that Burns filed a fascist column.

Burns had all of this available to him. He chose the wrong frame. He chose it because it makes the column he is primed to adore. His poor choice is his column’s actual subject.

Security

Palantir AI Closed Down the Straight and Now Trump Can’t Get it Up

Leave a comment

The Strait of Hormuz was open on February 27, 2026. Twenty percent of the world’s oil flowed through it. No tolls. No blockade. No crisis. Then Trump slammed his little fist on the bright red Palantir “easy” button on his big desk.

On February 28, the United States and Israel launched strikes on Iran, killing its supreme leader and seriously depleting American preparedness for actual war. Iran closed the strait and waited.

The math is stupid, it’s so simple.

The Pentagon told Congress the first six days cost $11.3 billion. Harvard’s Kennedy School estimates $2 billion a day in short-term costs. The AEI puts the five-week total between $22.3 billion and $31 billion. The Pentagon has requested an additional $200 billion from Congress.

Get it?

Spend $30 billion to close a strait that was open.

Then ask for $200 billion to reopen it.

While you also say you will close it, because… when talks fail, blockade the strait and float the idea of the United States charging tolls on the strait you blockaded because the enemy closed it because you bombed them.

Every phase of this stupidity costs more than the last.

Every phase intentionally escalates to generate new contracts, new munitions orders, new revenue for the targeting platforms that identify the next set of things to destroy. It’s like lighting taxpayer money on fire.

Which brings us to news about Friday’s “Truth Social” post.

“Palantir Technologies (PLTR) has proven to have great war fighting capabilities and equipment. Just ask our enemies!!!”

Trump included the stock ticker. PLTR was down 14% for the week. CREW flagged the post as a potential attempt to pump the stock of a major backer that had sponsored multiple administration events and donated to the White House ballroom project.

Note the roles converging in one person.

Trump is the commander-in-chief who authorized the strikes. He is the head of the government that provides more than half of Palantir’s U.S. revenue. He is the promoter of the stock on social media.

Customer, warmaker, and pitchman.

When Trump pumped Tesla, the conflict was financial.

Source: White House Press Secretary

The Tesla pump killed hundreds. Here the conflict is financial and operational, killing thousands. Palantir’s “Maven Smart System” identifies targets for the strikes. School girls? Triple tap? The war crime strikes sustain the MAGA rage. The rage sustains the contracts. The contracts sustain the stock price. The president sustains all of it and then posts the ticker symbol when the price dips.

Germans know what’s going on. They remember history. Suhrkamp offers a taxonomy of the American techno-sovereign crisis, with Cum-Ex prosecutor Anne Brorhilker holding up the shelf.

Palantir’s own communications chief called the company’s political shift toward the Trump administration “concerning.” The video of her saying it was scrubbed from the internet because Palantir has a social truth problem.

Michael Burry is holding puts. He believes the fundamental value is well under $50 a share. Why not $5? The stock trades at $126. The gap between actual and speculation value is sheer corruption, held open by cooked government contracts tied to a war that has cost at least $30 billion to bomb school children and produced a global energy crisis that did not exist seven weeks ago.

The strait was open. Trump spent tens of billions to close it. Now Trump is trying to spend hundreds of billions to… repeatedly claim he can open and close it while he tries to juice his stocks for whatever happens next.

That is the dumb, corrupt math of Palantir.

History, Poetry, Security

America Prepares as Anthropic Mythos is 100X More Deadly Than Martian Death Ray

Leave a comment

NBC News just ran a story called The Vulnpocalypse about Anthropic’s decision to withhold its Mythos model from the public. The tone is, well, you know.

The author, Kevin Collier, lined up well-known cybersecurity vendors to stoke fear that AI-powered hackers will crash financial systems, lock up hospitals, and shut down water treatment plants.

Sigh.

Anyone who has worked in security long enough will recognize this FUD genre immediately. Replace “AI” with “war dialer” and this is the exact same article WarGames generated in 1983. At least back then we said the word war out loud instead of just implying it.

Captain Crunch Whistles for Everyone!

Back in 1983 some Milwaukee teenagers called the 414s (Milwaukee area code, yeah) waltzed into the unprotected computers at Los Alamos National Laboratory and Memorial Sloan-Kettering Cancer Center using nothing more exotic than a modem and a telephone line. The Newsweek cover on September 5, 1983 featured the word “hacker” for the first time on a major magazine cover.

The youngest of the 414s, therefore able to pose on the cover of Newsweek, September 5, 1983

Congress held hearings. Ronald Reagan was shown WarGames and asked the Joint Chiefs if the premise was real. Within a week the answer was: “Yes, the premise was technically possible.” Eighteen months later he pushed a signature onto NSDD-145, the first Presidential directive on computer security.

The actual legal consequences for the 414s were two years’ probation and a $500 fine for phone harassment. And even that seemed a bit much.

Time Magazine in 1983 with stern warning that network attacks on computers will kill someone.

Neal Patrick became a media star. John Draper, Captain Crunch himself, had been phreaking the phone system with a cereal box whistle and people talked about it as though he were going to bring down AT&T. The whistle found in kids’ cereal boxes exploited in-band signaling on the analog phone network (2600 Hz tone on the same channel as voice). The fix was to push for the long-overdue move to out-of-band signaling (SS7). It stands as proof of the harm from natural monopolies refusing to invest in baseline safety. Dare I say history tends to rhyme even when it doesn’t repeat?

The vulnerability landscape was real, the exploitation was incremental, and the apocalyptic framing served the companies selling defenses. McAfee built an entire empire on this dynamic, most memorably during the 1992 Michelangelo virus panic, when John McAfee personally stoked fear that millions of computers would be destroyed on March 6th. The press amplified, the public panicked, almost nothing happened, and McAfee’s sales went through the roof. Perhaps most bizarre was how he became a security industry celebrity for undermining trust in the security industry. The vendors and conference attendees at events like BlackHat or Defcon acted as if Enron’s CEO should have been the toast of Wall Street.

The Same Article, Forty-Three Years Later

Collier’s piece follows the 1983 script with remarkable fidelity. The threat model is identical: hypothetical unsophisticated attackers gain access to powerful tools, critical infrastructure is vulnerable, and the proposed solution is withholding the tool from the public while sharing it with “partners.” By this logic we should be terrified of kids getting a hold of sophisticated string and precision percussion instruments. Jazz? Rock and Roll? Catastrophe.

The Soviet state both said “today he plays jazz, tomorrow he betrays his country” and also printed cheerful matchbox art of ФЕСТИВАЛЬ (Festival) when the political winds shifted. The threat level of the instrument depended entirely on who was in charge that year.

His expert sourcing follows a similar pattern. Quote a government official convening emergency meetings (Treasury Secretary Bessent gathering the banks). Quote a vendor whose business model depends on threats expanding (Casey Ellis, founder of Bugcrowd). Quote a former FBI official warning about “wannabes” (Cynthia Kaiser, now a senior vice president at Halcyon). Close with water treatment plants. Everyone drinks water, it’s life. That’s a strong FUD move. Every quoted source in this piece stands to gain from security industry services related to the scariest story possible. Bugcrowd, Halcyon, Luta Security, Scythe. Who needs advertising when the article is the ad?

The Atlantic’s Priority

The Atlantic’s Matteo Wong went even further than Collier. His lede described Mythos as “a tool potentially capable of commandeering most computer servers in the world” that could “hack into banks, exfiltrate state secrets, and fry crucial infrastructure.”

It’s the opposite of reporting. It is the language of a film trailer. Anyone deep inside AI at the operations level knows how fundamentally flawed it remains versus humans.

Wong’s most consequential move was positioning Anthropic as a peer to nation-state intelligence services: “This level of cyberattack is typically available only to elite, state-sponsored hacking cells.” This framing matters because once the press treats a private company as operating at nation-state capability, the company inherits the presumption of nation-state authority over disclosure, access, and classification. Which is precisely what Project Glasswing establishes.

The Atlantic in 2023 published my co-authored article on real, documented AI harm. Tesla’s vehicles have been crashing into trees, killing motorcyclists, and veering off roads for years. The body count is in the hundreds now and the design flaws are landing in court cases. No Treasury Secretary convenes an emergency meeting over it. No consortium of tech giants receives $100 million to address it.

Tesla AI notoriously “veers” uncontrollably and fatally crashes. Design defects (e.g. Pinto doors) trap occupants and burn them to death as horrified witnesses and emergency responders watch helplessly. Source: VoCoFM, Korea, 2024

But a company announces that its AI could hypothetically find software vulnerabilities faster than defenders could close them, and the entire press corps treats it like the fall of civilization.

Water Tanks

In 1915, a battle-hardened and war-weary Winston Churchill funded development of armored tractors meant to break through trenches, barbed wire, and machine gun nests. The British War Office ordered hundreds built under strict secrecy. The project was initially disguised as “water tanks”, which denied German intelligence any insight into what was actually being manufactured. The codename stuck, which is why ironically we still say tanks to speak of things that are not tanks.

The tank changed battlefield tactics, but it most certainly did not end battlefields. The immediate response was to dig better trenches and adapt doctrine. And, as always, a side that understood a new weapon’s limitations and integrated it into combined-arms operations won. A side that waxed about mythical wonder weapons, lost.

The history of the rifle tells the same story even more precisely. The bolt-action rifle gave way to the repeating rifle, which gave way to automatic fire. Each transition made a previous method more specialized. Each technology innovation demanded doctrinal adaptation. None of the innovations ended war. A rifle is not only still a rifle, the NRA whines constantly that you shouldn’t regulate an automatic rifle differently from a powder musket.

Vulnerability discovery has a similar question of progression. Manual research was bolt-action. Automated scanners were repeating. AI-assisted discovery is automatic. What Anthropic built with Mythos is a much faster fuzzer. And since they aren’t a security company at all, they probably are running around the office as if their hair is on fire yelling “what do we do, what do we do” instead of seeing it the way Churchill looked at a tank.

I say this from battle experience. When cloud computing arguably was first launched (e.g. Loudcloud, by Andreessen et al) I punched a massive hole right through claims about customer isolation. It was a normal finding, in my estimation. A service provider says customers are isolated, and my tool says nope. I handed the finding to the man sitting next to me and he literally jumped out of his chair, waved his hands in the air, ran out of the room and around the office yelling “OMG we’re in! We’re in!” He was, shall we say, less experienced.

Zero-day vulnerabilities have been found and disclosed continuously since the term was coined. Google’s Project Zero has been publishing them for a decade. The entire bug bounty industry exists because this is ordinary work. Finding two hundred exploits faster than the previous tool found 2 is an efficiency gain in the rate of fire. It is not a civilizational rupture. And here is what the coverage systematically omits: faster discovery means faster patching. A tool that finds vulnerabilities at scale is, by definition, a tool that enables remediation at scale. That makes it a patch accelerator. The question is who controls the framing.

I have spent over a decade working with AI and showing companies both how to break and how to secure it. What I can report from being deep in the field for so long is that the fundamentals have not changed. You still need someone who knows where to point the weapon, and you still need a trench to fight from. The obfuscation is in calling the automatic rifle a magic alien death ray.

Withholding as the Product

“Our model is so dangerous we can’t release it” is, of course, the same sentence as “our model is so valuable you need us.” Such product mystique reads to me more like another geturked presentation to those in power than a proper public threat modeling disclosure.

Kupferstich eines “Schachtürken”

Rename “we built a better fuzzer” to “we possess a weapon too dangerous for the public” and you have a centuries-old trick in the defense contractor playbook.

Anthropic announced that Mythos produced 181 working exploits from a vulnerability set where the previous flagship model succeeded only twice. That is a real capability jump and should be taken seriously.

What should also be taken seriously is what happened next: Anthropic shared the model exclusively with twelve tech giants under Project Glasswing, backed by $100 million in usage credits. The withholding became the product launch. “Too dangerous to release” turned out to be the most effective marketing copy the industry has ever produced, and both Collier and Wong ran it as news.

The Treasury meeting completes a very shady picture. Bessent convenes the banks, Anthropic briefs the banks, and suddenly every major financial institution has a rather convenient public-private attachment to Anthropic’s vulnerability discovery capability. That is an undemocratic merger wrapped in false national security fearmongering.

Back Door

The timeline gives it away. On February 27, 2026, Defense Secretary Hegseth raged about making Anthropic a supply chain risk after the company refused his demands to strip safeguards against mass surveillance and autonomous weapons from Claude. Hegseth bloviated so hard, he made Anthropic the first American company ever given a designation normally reserved for foreign adversaries. Anthropic naturally sued, because common sense has to go to court. A judge blocked the designation.

Five weeks later, Anthropic announced Mythos and handed it directly to Microsoft, Google, Apple, Amazon, and the rest of the companies the Pentagon depends on for its entire technology stack. The front door closed and the back door opened wider. When the Secretary of Defense designates you a foreign adversary over a contract dispute, the direct route to military integration is blocked. But you can achieve the same position by making yourself the security backbone of every company the military depends on. No contract. No congressional testimony. No use restrictions. The money flows through the same channels. The brand stays “clean” of Hegseth.

The Doctrine, Not the Weapon

Grant and Sherman won the Civil War by combining coordinated force with the systematic destruction of the enemy’s capacity to produce war. The engagement mattered less than the doctrine. AI vulnerability discovery tools follow the same logic: they are force multipliers for whatever doctrine you already have. If your doctrine is “sell fear,” they push a LOT of fear. If your doctrine is “map the attack surface and hold the line,” they multiply that.

The question nobody in the Vulnpocalypse coverage has asked is whether zero-day resolution is now accelerating faster than zero-day discovery. If it is, then Mythos is a net defensive tool and the entire panic narrative collapses. Anthropic has the data to answer this. They have not published it, to my knowledge. My guess is they lack the security experience to frame it that way.

The 1983 version of this panic produced NSDD-145 and eventually the Computer Fraud and Abuse Act, real legislation born from manufactured urgency. The 2026 version is producing something structurally different: a private company functioning as a classification authority that decides who gets access to vulnerability discovery capabilities and on what terms. That is a larger institutional shift than the old Presidential directive, and it is happening while the press runs “Vulnpocalypse” headlines and quotes panic pill vendors.

The exhausted CISOs and security teams I talk to many times every day already know the AI tools are real and they know the rate of fire has changed. What they need is a defensible position against the flood of AI vendors who confuse a product launch with the end of the world.

Anthropic calls its patch accelerator Mythos for the same reason Churchill called his tractors tanks. The name disguises the use, preventing doctrinal analysis.

Churchill hid the function so the enemy couldn’t develop counterdoctrine. Anthropic hides the function so the market can’t judge how a defensive tool is being pitched as an offensive threat.

Security

Cloudflare Agents Week: Want Safety? Get Wirken

Leave a comment

Cloudflare kicked off Agents Week with a blog post asking important questions about AI infrastructure: “which agent are you, who authorized you, and what are you allowed to do?”

Then they moved on to talk about isolates.

The Right Stuff

The Cloudflare post’s core argument is that containers were built for one application to serve many users.

Of course they were. The efficiency of a “service” being multi-user is as old as humanity itself. We don’t ride the shared infrastructure of the Internet, enjoying the massive speed and efficiency gains, wishing we had laid our own dedicated fiber from every person we want to communicate with securely. History shows why.

“Sewer socialism” was a period that solved this mess, by developing literal shared sewer systems, fire departments, police stations, and telecommunications, saving America the embarrassment of “radical individualist” infrastructure disasters
Click to enlarge. Source: In These Times

The dozens of CISOs I met with last week were asking me how do we run more agents? And I certainly was not telling them to light up one user, one agent, one task. To put it another way, if a CISO asks me about how to scale hardware, I might say let’s talk about a hypervisor to run software-based virtual machines. If a CISO asked me how to scale software-based machines, I might say let’s talk about containers… and so the logic of “sewer socialism” in shared infrastructure lives on.

Cloudflare enters this context saying containers now are too heavy for agents. V8 isolates start in milliseconds, use megabytes instead of gigabytes, and cost orders of magnitude less per session. At the scale agents require, isolates win.

This is correct. Cloudflare is stating the obvious. They have the network. They have the edge. They are like the contractors who provide the cafeteria for your office. But a cafeteria is not a chef. And a chef operating in your building, reading all your email, accessing all your financial accounts, and talking to your coworkers, in fact needs more than a fast startup time to serve hot meals on time.

The Wrong Stuff

Cloudflare’s post reveals a gap, yet they aren’t talking about it directly. Today’s agent deployments are “fraught with risk: prompt injection, data exfiltration, unauthorized API access, opaque tool usage.”

CISOs feel huge pressure to open up “productivity” gains yet can’t sign off because a security model doesn’t exist yet. OpenClaw is one of the biggest design disasters in software history: a single golden key that doesn’t rotate and can be stolen without detection.

Cloudflare’s answer is to merge their developer platform with their zero trust platform. Two products, built for different audiences, being stitched together like a Frankenstein. That takes time. And, for those who forget the science-fiction warning, stitching is not the same as weaving.

The artificially over-hyped open-source agent platform, one that suddenly showed up with 341,000 GitHub stars and little evidence for why, consolidates access to every messaging channel behind a single static token in a single process. No channel isolation. No credential rotation. No audit trail. It’s an embarrassment to the word engineering, a complete absence of design and no sense of accountability.

Cloudflare is stepping in where they operate, at the infrastructure layer. The compute, the network, the edge. And then what sits between that infrastructure and the user’s actual data remains an open question.

That question has an easy answer.

Are Your Agents Wirken Yet?

Wirken is a secure, model-agnostic AI agent orchestration platform. It exists because the tools that run agents against your messaging channels and business data should be built to deserve that access.

The security is not slopped in or bolted on. It is designed with baselines in mind and enforced at compile time.

Every channel adapter runs in its own OS process. A Slack credential cannot touch a Telegram session. This is not a runtime permission check that can be bypassed. It is a Rust phantom type constraint. Cross-channel access is a compiler error. It does not run. It does not build.

Credentials live in an encrypted vault using XChaCha20-Poly1305 with OS keychain integration. They are scoped per channel and rotate. The secret type has no Display, no Debug, no Serialize, no Clone. It zeroes on drop. A credential cannot leak through logging, serialization, or accidental copy because the type system will not allow it.

Every agent action is recorded in an append-only, SHA-256 hash-chained audit log before execution. Tamper with any entry and the chain breaks. Forward it to your SIEM. Hand it to your auditor. It is a complete, verifiable record of what every agent did, when, and with whose authorization.

Skills are signed with Ed25519. Unsigned code does not run. The skill registry is not a marketplace where 20% of entries are malicious. It is a supply chain with cryptographic verification.

The Cafeteria and the Chef

Cloudflare used a good analogy. A traditional application is like an industrial form of restaurant: fixed menu, optimized kitchen, high volume. An agent is a chef who asks what you want (chicken or shrimp), then improvises with whatever tools and ingredients the task requires.

Extend the analogy. The chef is in your office. You hand the chef keys to the entire building. The chef can open all your files, read all your communications, and assume your identity to send messages as you.

You want that chef to be fast with the meal. You also want to know which chef is in your building, who sent them, what they are allowed to touch, and a tamper-proof record of everything they did while they were there.

Cloudflare is building the high-speed kitchen. Fast counters, efficient burners, millisecond cleanup. Wirken is the system that makes sure that any chef you interact with is doing what that chef was authenticated and authorized to do. Different layers. Complementary.

What This Looks Like in Practice

Wirken ships as a single static Rust binary. No runtime dependencies. No Node.js. No container orchestrator. Install it, configure your channels and your model, and run it.

It is model-agnostic. Point it at Anthropic, Gemini, OpenAI, Ollama for local inference, or even Privatemode for confidential inference inside hardware enclaves. The orchestration layer does not care which model you use. The security guarantees are the same regardless.

It runs behind Cloudflare Tunnel today. Any self-hosted Wirken instance gets a public endpoint for webhook-based channel adapters without exposing ports. Cloudflare handles the network. Wirken handles the trust boundary.

It has nine channel adapters for a reference architecture: Telegram, Discord, Slack, Teams, Matrix, WhatsApp, Signal, Google Chat, iMessage. It comes with fifteen bundled skills (natively compatible with OpenClaw) and MCP server support.

Two Layers, One Stack

The shift to agents needs defense-in-depth. The compute layer that makes agents affordable at scale is coming faster than ever. Now an orchestration layer that makes agents safe to deploy is on the table.

Cloudflare asked great questions. Which agent are you, who authorized you, and what are you allowed to do?

The answer is here: github.com/gebruder/wirken