A coding agent authenticates with the developer’s identity through your IDP. Optional mTLS pins the agent to an enrolled client certificate.
Read calls (clone, search, fetch) pass policy silently and complete in milliseconds. Developers feel no friction on the safe path.
AWS calls are SigV4 signed inside the enclave. The signing key never transmits; only the computed signature leaves.
A write to a production repo or pipeline returns require approval. The call escrows, bound to its commitment hash.
The reviewer approves the exact parameters. A capability JWT is minted, scoped to that hash, valid for seconds.
The agent’s retry consumes the approval exactly once and the write executes. A modified payload produces a different hash and is rejected.
Claude Code, Cursor, and Copilot connect over MCP with the developer’s identity, never with shared service accounts.
TLS 1.3 required; client certificates pinned to enrolled agent identities for high assurance teams.
AWS request signing happens inside the attested enclave. The genuine zero knowledge case: the key never leaves.
Production writes wait on a human. Exactly once execution by atomic consume before execute stops double deploys.
ES256 tokens signed by KMS, verified offline across the fleet, bound to subject, tenant, and payload hash.
SigV4 signing is the genuine zero knowledge case: only the signature leaves the enclave, so even the downstream logs never see the key.
Approvals bind to the commitment hash of exact parameters. An agent cannot swap the target repo or branch after approval.
A memory dump of the agent yields short lived identity tokens, never long lived credentials or signing keys.
Exactly once execution stops a retry storm from double running a deploy or duplicating a release.
Walk through the trust model, policy design, and rollout with our security and solutions team.