The Corbits platform runs on an agent runtime that resolves every credential and authorization decision through a central control plane before an agent does any work. Nothing described here is opt-in hardening — it is how the platform launches agents.
Two primitives
Everything reduces to two things:Credentials
The secrets an agent uses to authenticate with an outside service — an API key, an OAuth token, a certificate. Owned and stored by your organization, never discovered by the agent.
Grants
The atomic unit of authorization. Every decision about what an agent may do is resolved by evaluating grants. A capability with no matching grant is denied.
Credentials
A credential is a runtime secret an agent uses to authenticate with a provider — GitHub, OpenAI, Slack, Google Drive, an internal deployment service, an SSH bastion. Every credential belongs to a provider; there are no provider-less credentials. The provider definition is what tells the platform how to handle the credential: its refresh behavior, its authentication method, its scope model. The credential’s type — API key, OAuth token, certificate — is a property of the credential, not something the agent chooses. From the agent’s side, it needs “access to service X,” and the platform figures out the authentication mechanism. Agents do not select or negotiate credential types.Resolved at launch, never at runtime
This is the principle that makes credentials auditable:Agents never discover or look up credentials at runtime. When an agent launches, the control plane resolves the credentials it needs and hands them to the agent’s harness as part of launch. The harness holds them in memory for the agent’s lifetime and mediates every use — proxying requests with authentication attached, or injecting the credential into the runtime.
Secrets in the credential store are held as plaintext today. Encryption at rest — envelope encryption or KMS integration — is a separate concern the platform does not yet address, so we do not claim it. The guarantee we do make is architectural: credentials are resolved and scoped at launch, and agents never look them up themselves.
Two independent axes
Credentials vary along two axes that are easy to conflate. Keep them separate.Ownership — organizational vs. personal
Ownership — organizational vs. personal
A credential can optionally be owned by a specific principal in the tenant.
- Organizational — no principal owner. Shared across the tenant and managed by administrators. This is the company’s OpenAI key, its deploy token.
- Personal — owned by a specific user or agent, typically created through an OAuth flow where that user authorized the platform to act on their behalf with a third-party service.
Source — where a requirement pulls its credential from
Source — where a requirement pulls its credential from
An agent definition declares which credential a requirement should resolve to by source:
tenant— the tenant’s organizational credential.creator— the agent author’s personal credential.invoker— the user launching the agent supplies their own.
tenant-sourced credential is shared; an invoker-sourced one is not. Do not read “shared” as “invoker.”Grants
Grants are the atomic unit of authorization. Every authorization decision is resolved by evaluating grants. A grant carries three fields:| Field | What it is | Examples |
|---|---|---|
resource | A glob pattern for what is being authorized | tool:bash, credential:crd_gdrive, tool:*, * |
action | The operation verb | invoke, read, use, * |
effect | The decision | allow, deny, ask |
How a decision is made
For any principal attempting any operation, the engine:Collect
Gather every grant that applies — direct grants on the principal plus grants from all of its roles.
Order by specificity
More specific patterns beat less specific ones — a grant on
credential:crd_gdrive outranks one on *.Most specific grant decides — ties break toward denial
The most specific matching grant sets the effect. When two matching grants are equally specific, the most restrictive effect wins: deny beats ask beats allow, so ambiguity always resolves toward less access.
ask effect blocks execution and surfaces an approval prompt to the appropriate human, who can allow it once, allow it always (creating a persistent grant), or reject it. Conditions on a grant — time windows, approval thresholds, rate limits — are evaluated at the same time; a grant whose conditions are unmet is skipped.
Fail-closed is the property compliance cares about most. There is no implicit allow, no ambient authority, no capability that works “because nobody blocked it.” Silence is denial.
Where authority comes from: the three-source model
An agent definition does not ship live grants. It ships requirements — a manifest of the capabilities it needs. At launch, the control plane resolves each requirement against real authority and materializes grants on the agent’s own principal. Each requirement declares a source:tenant
Your organization’s policies must allow it. Resolved from system and role grants, walking up the tenant hierarchy. This is the org setting the boundary.
creator
The definition author delegates authority they themselves currently hold. This is the setuid model: the author’s authority travels with the definition. A creator cannot delegate what they do not have — the control plane checks at every launch.
invoker
The person launching the agent must supply it. Materialized as a short, session-scoped grant that expires when the agent stops.
The thesis: inert without both
A tool is a capability that does nothing on its own.- A tool is inert without a grant.
tool:bashneeds one thing to run: a grant that allowsinvokeontool:bash. No credential is involved. - A tool that reaches an external provider is additionally inert without a resolved, grant-authorized credential. The credential must resolve at launch, and a grant on
credential:...with actionusemust authorize this principal to use it.
Tenant hierarchy and inheritance
Authority is organized by tenant.- A principal is an identity within a tenant — the join between an entity (a user or an agent) and that tenant. A principal by itself grants nothing; it only establishes that the entity exists in the tenant.
- A tenant is the isolation boundary. It has a nullable
parent_id, so tenants form a hierarchy of parents and sub-tenants (child tenants).
- Credentials inherit (walk-up)
- Grants narrow going down
When the platform looks for a credential, it checks the current tenant, then walks up the parent chain until it finds a match or reaches the root. Store an organizational credential at the parent tenant and every child tenant can resolve it automatically — define your integrations once for the whole org.A child tenant can shadow a parent’s credential by creating one with the same name; the child’s takes precedence within its scope. Names are unique within a tenant, which is what makes name-based shadowing work.
A worked example
An organization stores one Google Drive credential scoped to its financial records at the org (parent) tenant — call its resourcecredential:crd_gdrive_financials. Because credentials walk up the hierarchy, every department inherits it: marketing, engineering, accounting all resolve the same credential.
But only principals in the accounting department hold the grant that authorizes using it:
The credential is reachable
Walk-up resolution can find
crd_gdrive_financials at the parent tenant — every department inherits it, so it is available for the marketing agent to resolve.A grant is required to use it
Using that credential requires a grant:
credential:crd_gdrive_financials with action use. The engine looks for one on the marketing principal and finds none — that grant lives only on accounting principals.How this shows up
Platform overview
Where credentials and grants sit in the control plane, harness, and agent lifecycle.
Intercode
The guardrails discipline in a real coding agent — tiered permissions and hard-deny secret guards.
Workbench
A go-to-market workspace running on platform-governed credentials and grants.