Skip to main content

How it works

From intent to verified receipt.

An agent never gets a shell. It asks for one declared action, and that request passes five gates before anything happens on your host — and lands in an audit you can verify after.

The shape: nothing listens on your hosts.

The runner dials out to the control plane over an outbound connection. The cloud is the control plane and the durable system of record; your hosts open no inbound port.

Your AI agent

Claude, Cursor, ChatGPT — over MCP

emisar cloud

Catalog, policy, approvals, audit

Runner

On your host, dials out

Every request passes five gates.

One real action — halting writes after a CSI driver reformatted a live volume — traced through all five, with the actual payload at each step.

  1. 01

    The agent asks for one declared action

    No shell, ever. The model calls one MCP tool with typed arguments, a target runner, and a required reason — it can only request what's in the catalog.

    {
      "method": "tools/call",
      "params": {
        "name": "nomad.alloc_stop",
        "arguments": {
          "alloc": "a1b2c3d4",
          "reason": "CSI reformatted a live LUN — halt writes",
          "runners": ["nomad-hvn03"]
        }
      }
    }
  2. 02

    The pack hash and arguments are checked

    The action must come from a trusted, content-addressed pack — a changed hash blocks dispatch until an admin re-trusts it — and every argument is validated against the declared schema.

    pack    nomad@8f34c2e9…   trusted ✓
    alloc   "a1b2c3d4"         ✓  matches /^[a-z0-9-]+$/
    reason  present            ✓  required
    runner  nomad-hvn03        ✓  in your scope
  3. 03

    Policy returns allow, approval, or deny

    Risk-tier defaults plus ordered per-action overrides decide. Reads usually run free; this mutating action stops for a one-click human approval — recorded as its own audit event.

    {
      "event_type": "action_run.pending_approval",
      "action_id": "nomad.alloc_stop",
      "policy_decision": "require_approval",
      "matched_rules": ["nomad.* → require approval"]
    }
  4. 04

    The runner re-validates and executes

    The outbound-only runner owns execution. It recomputes the pack hash and re-validates the arguments on the host, then runs the command and redacts secrets before any output leaves the machine.

    runner nomad-hvn03  receives run_action  request=7c2a9f…
      pack hash 8f34c2e9…   recomputed on the host  ✓
      arguments             re-validated            ✓
      exec  nomad alloc stop a1b2c3d4
      exit 0  ·  0.38s  ·  stdout redacted before egress
  5. 05

    The audit makes it recoverable

    Every step lands in a SHA-256 hash-chained journal on the host (and the searchable cloud audit). Each line carries the previous line's hash, so any edit or gap is caught by emisar audit verify — and the whole thing streams to your SIEM as NDJSON.

    {
      "event_id": "01JZ8F2K…",
      "event_type": "execution_completed",
      "action_id": "nomad.alloc_stop",
      "request": { "reason": "CSI reformatted a live LUN — halt writes", "args_sha256": "5e8c1f…" },
      "execution": { "exit_code": 0 },
      "prev_hash": "9a72d4…"
    }

And the host keeps the last word, even against a compromised cloud

Run your first gated action in five minutes.

Install the runner, point your agent at the catalog, and watch a request walk the five gates.

Three runners. Seven-day audit. No credit card.