Security

Controls

Guardrails for SDK and agent workflows.

Generated code, agent actions, and release decisions all cross validation, redaction, and review boundaries before they become trusted output.

Control surface
Security controls stay visible inside the release review loop.

Redacted events

Secrets and credentials are removed before observability events leave the runtime.

Scoped actions

Agent workflows start as dry-runs and declare every planned write before execution.

Typed boundaries

External inputs are validated and converted into explicit artifact contracts.

Release evidence

Every compatibility decision is backed by a report that reviewers can inspect.

Entitlement checks

Expensive actions pass through usage and feature gates before work is dispatched.

Reviewable output

Reports, manifests, and tool results are stable JSON artifacts, not one-off logs.

Readiness checklist
Controls expected before hosted execution.
  • No raw secrets in reports
  • Dry-run-first agent execution
  • Typed env validation
  • Auditable run state
  • Least-data observability
  • Organization-ready access model
Evidence packet
Structured output for humans, CI, and agents.
  • Spec: 3 operations normalized
  • Manifest: 12 public symbols
  • Compatibility: minor recommendation
  • Agent: dry-run only

Review before write

Agent workflows should produce evidence before they mutate anything.

SDK Parity models agent execution as staged, typed, and inspectable work. Dry-runs, redaction, and audit events are first-class product surfaces.

Data and tenancy
How customer data flows through audits, reports, and dashboards.

Tenant isolation

Hosted runs live in dedicated tenant storage. Reports never cross workspace boundaries.

Redacted observability

Secrets and tokens are stripped before observability events leave the runtime.

Exportable artifacts

Manifests, diffs, and packets export as stable JSON for your own retention.

Security

What reviewers ask first.

Where does data live?
Hosted runs live in dedicated tenant storage. Audit packets and manifests are exportable as stable JSON for your own retention.
How are agents scoped?
Every agent tool ships with a declared scope and a typed contract. Writes require explicit approval after a dry-run packet is produced.
What ships to logs?
Observability events are redacted before they leave the runtime. Raw secrets, tokens, and credentials never reach reports or dashboards.