● Reference architecture
Let an AI agent deploy to production — without giving it the keys
Agentic tools like Claude Code and Cursor can now ship backend changes on their own. The question isn't whether to let them — it's how to let them act without a single bad command or hallucinated step taking you down. This is a working, inspectable reference architecture for exactly that.
The three layers
You wrap three open, inspectable layers around your deployment. Each is useful on its own; together they let an agent operate a backend under governance.
Layer 1 — on your server
A signed, supervised agent
Installed on infrastructure you already own. Before it runs anything, it verifies its own code — AES-GCM decrypt, then Ed25519 + HMAC signature, then hash reconciliation. It proxies and defends traffic and keeps a tamper-evident local audit ledger. The source is public and diff-able.
Layer 2 — in your repo + CI
A governance policy you enforce as code
A plain-text policy that says what may change production, which agent may do what, and what always needs a human. You lint and enforce it free in CI; the control plane enforces the same policy centrally, so local and prod can't drift.
Layer 3 — between agent and backend
A governed MCP server
Your AI agent queries fleet status, security findings, and request traces, and can request deploys and remediations — each of which enters a human-approval queue. Every message is signed both ways. The server cannot apply a change on its own.
The trust model
You should never trust a control plane you can't inspect. So the code with authority over your runtime is open, your agent verifies our signatures before running our code, and you can verify your own audit ledger offline. Trust by inspection, not assertion.
Build it
1. A governance policy
Keep this in your repo. It's the contract for what can change production:
policy "production" {
  version 1
  deploy {
    require_approval true
    block_paths ".env", "secrets/**", "**/id_rsa"
    max_files 50
  }
  agent "deployer" {
    allow restart, deploy, rollback
    deny delete, db_migrate, drop_table
    blast_radius single_host
  }
  remediation {
    block_categories auth, crypto, billing
    require_approval true
  }
}
2. Enforce it in CI
Gate every change. Denied changes fail the build:
pip install infraveil
infraveil policy lint policy/production.infraveil
infraveil policy check action.json --policy policy/production.infraveil
Exit code 0 means allowed (or gated on human approval); 1 means denied. Drop it straight into a GitHub Actions step on every pull request.
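To make the contract above concrete, here is an added example of what a `policy check` step has to do: parse the policy DSL, evaluate one action against it, and map the verdict to the exit codes described. This is not infraveil's own parser or checker. The grammar (blocks open with `{` and close with `}`, one `key value, value` pair per line, quoted strings) is inferred from the snippet, the action JSON schema (`agent`, `action`, `paths`, optional `remediation_category`) and the path-matching rule (a pattern matches the full relative path or its basename) are assumptions made for this example.

```python
"""Added example: a minimal parser and checker for the policy DSL shown above.

Not infraveil's code. Grammar inferred from the snippet; action schema and
glob semantics are assumptions for this example.
"""
import fnmatch
import json
import os
import re
import shlex

# The policy from the page, embedded so the example runs offline.
POLICY_TEXT = """
policy "production" {
  version 1
  deploy {
    require_approval true
    block_paths ".env", "secrets/**", "**/id_rsa"
    max_files 50
  }
  agent "deployer" {
    allow restart, deploy, rollback
    deny delete, db_migrate, drop_table
    blast_radius single_host
  }
  remediation {
    block_categories auth, crypto, billing
    require_approval true
  }
}
"""


def _scalar(tok):
    """Turn a bare token into bool / int / str."""
    if tok in ("true", "false"):
        return tok == "true"
    if re.fullmatch(r"-?\d+", tok):
        return int(tok)
    return tok


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def parse_policy(text):
    """Parse the DSL into nested dicts; child blocks live under '_blocks', keyed 'kind' or 'kind:label'."""
    root = {"_blocks": {}}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        if line.endswith("{"):
            header = shlex.split(line[:-1])  # e.g. ['policy', 'production'] or ['deploy']
            kind, label = header[0], (header[1] if len(header) > 1 else None)
            block = {"_kind": kind, "_label": label, "_blocks": {}}
            stack[-1]["_blocks"][f"{kind}:{label}" if label else kind] = block
            stack.append(block)
            continue
        key, _, rest = line.partition(" ")
        values = [_scalar(v) for v in shlex.split(rest.replace(",", " "))]
        if not values:
            raise ValueError(f"line {lineno}: '{key}' has no value")
        stack[-1][key] = values[0] if len(values) == 1 else values
    if len(stack) != 1:
        raise ValueError("unclosed block at end of policy")
    return root


def _path_blocked(path, pattern):
    # Assumed semantics: a pattern matches the full relative path or just its basename.
    return fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(os.path.basename(path), pattern)


def check_action(action, policy):
    """Return (verdict, reason); verdict is 'allowed', 'gated' (needs a human) or 'denied'."""
    prod = next(b for b in policy["_blocks"].values() if b["_kind"] == "policy")
    blocks = prod["_blocks"]
    agent = blocks.get(f"agent:{action.get('agent')}")
    if agent is None:
        return "denied", f"no agent block for {action.get('agent')!r}"
    verb = action.get("action")
    if verb in _as_list(agent.get("deny")):
        return "denied", f"{verb!r} is explicitly denied for this agent"
    if verb not in _as_list(agent.get("allow")):
        return "denied", f"{verb!r} is not on this agent's allow list (default deny)"
    gated = []
    if verb == "deploy":
        dep = blocks.get("deploy", {})
        paths = action.get("paths", [])
        for p in paths:
            for pat in _as_list(dep.get("block_paths")):
                if _path_blocked(p, pat):
                    return "denied", f"{p!r} matches blocked pattern {pat!r}"
        if dep.get("max_files") is not None and len(paths) > dep["max_files"]:
            return "denied", f"{len(paths)} files exceeds max_files {dep['max_files']}"
        if dep.get("require_approval"):
            gated.append("deploy requires human approval")
    if "remediation_category" in action:  # assumed: any action tagged as a remediation
        rem = blocks.get("remediation", {})
        cat = action["remediation_category"]
        if cat in _as_list(rem.get("block_categories")):
            return "denied", f"remediations in category {cat!r} are blocked"
        if rem.get("require_approval"):
            gated.append("remediation requires human approval")
    if gated:
        return "gated", "; ".join(gated)
    return "allowed", "permitted by policy"


def policy_check(action_json, policy_text=POLICY_TEXT):
    """Mirror the CLI contract described above: 0 = allowed or gated on approval, 1 = denied."""
    verdict, reason = check_action(json.loads(action_json), parse_policy(policy_text))
    print(f"{verdict}: {reason}")
    return 0 if verdict in ("allowed", "gated") else 1


if __name__ == "__main__":
    print(policy_check('{"agent": "deployer", "action": "deploy", "paths": ["src/app.py", "secrets/db.yaml"]}'))
```

The checker is default-deny: an action that is neither on the agent's allow list nor explicitly denied is still denied, and `gated` only means "the policy permits this once a human approves", which is why both `allowed` and `gated` map to exit code 0 while only `denied` fails the build.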
3. Wire the governed MCP server into your agent
pip install infraveil-mcp

# claude_desktop_config.json
{
  "mcpServers": {
    "infraveil": {
      "command": "infraveil-mcp",
      "env": {
        "INFRAVEIL_BASE_URL": "https://api.infraveil.com",
        "INFRAVEIL_AGENT_FILE": "/opt/infraveil/agent.py"
      }
    }
  }
}
Now the agent can see your runtime and request changes — under the same policy, with humans in the loop.
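The properties claimed for the governed server (every message signed both ways, requests land in a human-approval queue, the server cannot apply a change by itself) can be modelled in a few dozen lines. The example below is added here and is not infraveil-mcp's code: it uses HMAC-SHA256 with separate agent and server keys so it runs on the standard library alone, and the message fields (`from`, `verb`, `target`, `nonce`, `request_id`) are assumptions made for the example.

```python
"""Added example, not infraveil-mcp's code: a governed request/approval queue.

Every message is signed in one direction by the agent and in the other by
the server; a change is applied only after a human approval is on record.
HMAC-SHA256 with separate keys stands in for the product's signing scheme
so the example runs on the standard library; field names are assumptions.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key, body):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def verify_sig(key, body, sig):
    return hmac.compare_digest(sign(key, body), sig)


class Agent:
    """The AI agent side: signs every request, verifies every server reply."""

    def __init__(self, name, agent_key, server_key):
        self.name, self.agent_key, self.server_key = name, agent_key, server_key

    def request(self, verb, target):
        body = {"from": self.name, "verb": verb, "target": target, "nonce": secrets.token_hex(8)}
        return {"body": body, "sig": sign(self.agent_key, body)}

    def check_reply(self, reply):
        return verify_sig(self.server_key, reply["body"], reply["sig"])


class GovernedServer:
    """Accepts signed requests into a pending queue; only an approved request can be applied."""

    def __init__(self, agent_keys, server_key):
        self.agent_keys, self.server_key = agent_keys, server_key
        self.queue, self.seen_nonces, self.applied = {}, set(), []

    def _reply(self, body):
        return {"body": body, "sig": sign(self.server_key, body)}

    def submit(self, msg):
        body, sig = msg.get("body", {}), msg.get("sig", "")
        key = self.agent_keys.get(body.get("from"))
        if key is None or not verify_sig(key, body, sig):
            return self._reply({"status": "rejected", "reason": "bad agent signature"})
        if body.get("nonce") in self.seen_nonces:
            return self._reply({"status": "rejected", "reason": "replayed nonce"})
        self.seen_nonces.add(body["nonce"])
        rid = secrets.token_hex(4)
        self.queue[rid] = {"request": body, "status": "pending", "approver": None}
        return self._reply({"status": "pending", "request_id": rid})

    def approve(self, rid, approver):
        # Human action; authenticating the approver is the control plane's job (assumed here).
        entry = self.queue[rid]
        entry["status"], entry["approver"] = "approved", approver

    def apply(self, rid):
        """The only path to a change; returns False unless a human approval is on record."""
        entry = self.queue.get(rid)
        if entry is None or entry["status"] != "approved":
            return False
        entry["status"] = "applied"  # one approval, one application
        self.applied.append((rid, entry["request"]["verb"], entry["request"]["target"]))
        return True


if __name__ == "__main__":
    ak, sk = b"agent-key-constructed", b"server-key-constructed"  # constructed sample keys
    agent, server = Agent("deployer", ak, sk), GovernedServer({"deployer": ak}, sk)
    reply = server.submit(agent.request("deploy", "web-01"))
    print("reply authentic:", agent.check_reply(reply), reply["body"])
    rid = reply["body"]["request_id"]
    print("apply before approval:", server.apply(rid))
    server.approve(rid, "alice")
    print("apply after approval:", server.apply(rid), server.applied)
```

Two details are worth keeping when you build the real thing: the nonce set stops a captured, validly signed request from being resubmitted, and `apply` is the only method that touches the backend, so there is no code path from a signed agent message to a change that does not pass through `approve`.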
Verify everything yourself
Trust nothing. Re-hash your audit ledger to confirm it hasn't been edited, deleted, reordered, or gapped — and verify our release signatures against the published key:
infraveil verify ledger /opt/infraveil/agent_audit_<id>.jsonl --head <anchor from dashboard>
infraveil verify signature --file release.bin --attestation attestation.json --pubkey <published key>
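What "re-hash the ledger" has to catch is spelled out in the added example below, which is not infraveil's ledger format or verifier: a hash-chained JSONL ledger where each record embeds its sequence number and the previous record's hash, plus an offline `verify()` that reports edits, deletions, reordering, gaps, and, given an out-of-band head anchor like the one the dashboard provides, a truncated tail. The record layout and hashing rule are assumptions for the example; the four-event ledger it builds is constructed sample data.

```python
"""Added example (not infraveil's ledger format): a hash-chained JSONL audit
ledger and an offline verifier. Record layout and hashing rule are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(body):
    """Hash of the canonical JSON of a record body (everything except 'hash')."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append(ledger, event):
    """Append an event; seq and prev_hash sit inside the hashed body, so the chain is inside the hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"seq": len(ledger) + 1, "prev_hash": prev, "event": event}
    rec = dict(body, hash=_digest(body))
    ledger.append(rec)
    return rec


def to_jsonl(ledger):
    return "\n".join(json.dumps(r, sort_keys=True) for r in ledger) + "\n"


def verify(jsonl_text, head=None):
    """Return (ok, problems). 'head' is the last hash you recorded out of band (the anchor)."""
    problems, prev, expected_seq, last_hash = [], GENESIS, 1, None
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        body = {k: v for k, v in rec.items() if k != "hash"}
        seq = rec.get("seq")
        if seq != expected_seq:
            problems.append(f"line {lineno}: expected seq {expected_seq}, got {seq} (gap, deletion or reorder)")
        if rec.get("prev_hash") != prev:
            problems.append(f"line {lineno}: prev_hash does not chain to the previous record")
        if _digest(body) != rec.get("hash"):
            problems.append(f"line {lineno}: stored hash does not match record contents (edited)")
        prev = rec.get("hash", "")
        last_hash = prev
        expected_seq = (seq if isinstance(seq, int) else expected_seq) + 1
    if head is not None and last_hash != head:
        problems.append("last hash does not match the anchor (tail truncated or ledger replaced)")
    return not problems, problems


def tamper_scenarios():
    """Build a constructed 4-record ledger, apply each tamper, and report verify()'s verdict."""
    ledger = []
    for msg in ("agent started", "deploy requested", "human approved", "deploy applied"):
        append(ledger, {"msg": msg})
    head = ledger[-1]["hash"]  # what you would have written down from the dashboard
    lines = to_jsonl(ledger).splitlines()
    edited = json.loads(lines[1])
    edited["event"]["msg"] = "deploy denied"  # change the content, keep the old hash
    cases = {
        "intact": lines,
        "edited": [lines[0], json.dumps(edited, sort_keys=True)] + lines[2:],
        "deleted": [lines[0]] + lines[2:],
        "reordered": [lines[0], lines[2], lines[1], lines[3]],
        "truncated": lines[:3],
    }
    results = {name: verify("\n".join(ls), head)[0] for name, ls in cases.items()}
    # Without the anchor a cleanly cut tail is internally consistent and passes: that is why the anchor exists.
    results["truncated_no_anchor"] = verify("\n".join(lines[:3]))[0]
    return results


if __name__ == "__main__":
    for name, ok in tamper_scenarios().items():
        print(f"{name:20s} verifies: {ok}")
```

The `truncated_no_anchor` case is the one to remember: a chain alone cannot tell you that the last N records were deleted, because a shortened chain is still a valid chain. The head value you pass with `--head` is what turns "internally consistent" into "complete".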
The boilerplate is free; the control plane is the product. The agent, the CLI, and the policy DSL are open source. What you pay for is the part an AI can't regenerate: the central authority graph, multi-tenant policy, the tamper-evident evidence store, fleet operations, and break-glass.