Mandate
Osage Tech is the engineering practice of the Group. We ship systems that the ecosystem owns, operates, and cannot be evicted from. We do not chase frameworks or fashion. We pick a small number of canonical paths and we maintain them for a decade.
Stack
- Compute & orchestration. Kubernetes on DOKS and GKE; Hanzo PaaS for app deployments.
- Identity. Hanzo IAM, surfaced as Osage ID across every ecosystem property.
- Secrets. Hanzo KMS only. Plaintext credentials do not exist in our repos, our shells, or our laptops.
- Settlement. Osage Network — the ecosystem’s sovereign L1/L2 chain, luxfi-aligned.
- Web stack. Vite 8, React 19, Tailwind 4, SSG-only for marketing surfaces; per-site repos with vendored shared components.
- Ingress & edge. hanzoai/ingress with the static plugin and gateway. White-labeled by hostname.
- Containers. GHCR namespaces by org (osagebrothers, osagedao). No cross-org image pulls.
- Builds. Native amd64 and arm64 in parallel on owned runners. No QEMU emulation.
- Observability. Prometheus + Grafana, with alerts routed to Slack/PagerDuty. One board per stack.
What we do not build
- Anything that requires us to run nginx or Caddy.
- Anything that puts plaintext secrets anywhere.
- Backwards-compatibility shims for deprecated tokens or paths. Forwards only.
- Vendor-locked managed services for things we can reasonably operate ourselves.
- Anything our compliance committee or general counsel will not put a name to.
Operating principles
- One way to do everything. Composable, orthogonal, complete separation of concerns. A footer is a footer; a hero is a hero. Variants exist where they carry meaning, and nowhere else.
- Forwards only. No backwards-compatibility shims, no deprecated-but-tolerated tokens, no half-finished work.
- White-label by hostname. Shared infrastructure carries the brand of the hostname under which the request arrived. No brand bleed between ecosystems.
- Owner-operator grade. The systems are owned by the people who run them. The same engineer who shipped a change is the engineer paged when it breaks.
Security posture
- Two-factor on every account; hardware keys preferred.
- Quarterly rotation of long-lived credentials; OIDC exchange for ephemeral CI tokens where supported.
- Per-org container registries; no cross-org pulls.
- Audit trail for every production change; no “just this once” deploys from a developer laptop.
Open source
Osage Tech consumes the upstream luxfi, hanzoai, and zooai codebases. We contribute back what is genuinely reusable; we do not fork to fork. Where we hold a clear case for a new primitive, we land it in the appropriate upstream rather than ship it as a local divergence.
Sister properties
- osage.cloud — the sovereign cloud.
- osage.network — the settlement layer.
- osage.id — the identity surface.
Engagement
Hiring and engineering inquiries: engineering@osage.tech. Security disclosures: security@osage.tech. Vulnerability reports are answered within 48 hours.