Enterprise · in-VPC

Customer-owned, in-VPC trust perimeter for AI agents

OpenScope is the layer between your AI agents and your real systems. For the enterprise it governs both halves of the agent perimeter — what your agents see (DLP, metering, signed receipts on the way in) and what they do (scoped capabilities on the way out). It runs in your VPC, is source-available, and is structurally unable to read your prompts — a property you can validate, not take on faith.

A coding agent is a new, unaudited egress path.

Cursor, Claude Code, opencode, and Codex are in every engineer's hands — and a prompt is now a way for your most valuable source to leave the building, with nobody watching.

IP exfiltration

Crown-jewels source in a prompt

RTL, SPICE, netlists, designs, and secrets get pasted into a model — an egress path your DLP never saw, to an endpoint you do not control.

Shadow AI

Tools you didn't sanction

Engineers adopt whatever agent is fastest. Without a sanctioned, governed path, every one of them is a separate, invisible egress.

Blast radius

One privileged action from damage

The same agent that drafts code can also touch production, finance, and admin APIs. One wrong action can be irreversible.

What your agents see

The AI Router — DLP, metering, and receipts at the edge.

Point your engineers' existing agents at an in-VPC gateway. Content-aware DLP blocks proprietary IP, classification and export markers, and secrets before a prompt leaves your perimeter; every call is metered per model and produces a signed receipt.

OpenScope governed console: a restricted repo blocked, ordinary code flowing
Live demo — a restricted repo is blocked at the perimeter; ordinary code flows, audited and receipted

  • Content-class detection for HDL / SPICE / netlists and tapeout streams by their bytes.
  • Confidentiality, export-control (ITAR / EAR / ECCN), and foundry / PDK markers.
  • Secrets, keys, encrypted-IP pragmas, and PII — with restricted repos deny-by-default.

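To make the three detection classes above concrete, here is an added example of a byte-level content classifier with a deny-by-default repo list. It is illustrative code written for this page, not OpenScope's own detectors: the patterns, the repo name "tapeout-2025", and the class names are constructed, and a production classifier would use far fuller grammars than these few markers.

```go
package main

import (
	"fmt"
	"regexp"
)

// Verdict is the router's decision for one outbound prompt.
type Verdict struct {
	Allowed bool
	Class   string // content class that triggered a block ("" when allowed)
	Reason  string
}

// Content classes, checked in order. Every pattern below is constructed for
// this example; it is a starting point, not a complete detector.
var classes = []struct {
	name    string
	pattern *regexp.Regexp
}{
	// HDL / netlist structure: Verilog module end, VHDL architecture, SPICE subcircuit cards.
	{"hdl", regexp.MustCompile(`(?im)^\s*endmodule\b|^\s*architecture\s+\w+\s+of\s+\w+|^\.(subckt|ends?)\b`)},
	// Confidentiality and export-control markings, plus encrypted-IP pragmas.
	{"export", regexp.MustCompile(`(?i)\bITAR\b|\bEAR99\b|\bECCN\s*[0-9][A-E][0-9]{3}\b|pragma\s+protect`)},
	// High-confidence secret shapes: PEM private keys and AWS access key ids.
	{"secret", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----|\bAKIA[0-9A-Z]{16}\b`)},
}

// restrictedRepos is deny-by-default: a prompt tagged with one of these repos
// is blocked before any content check runs. The repo name is constructed.
var restrictedRepos = map[string]bool{"tapeout-2025": true}

// Scan classifies a prompt by its bytes and returns the gateway verdict.
func Scan(repo string, prompt []byte) Verdict {
	if restrictedRepos[repo] {
		return Verdict{Allowed: false, Class: "restricted-repo", Reason: "repo " + repo + " is deny-by-default"}
	}
	for _, c := range classes {
		if loc := c.pattern.FindIndex(prompt); loc != nil {
			return Verdict{
				Allowed: false,
				Class:   c.name,
				Reason:  fmt.Sprintf("%s marker at byte %d: %q", c.name, loc[0], prompt[loc[0]:loc[1]]),
			}
		}
	}
	return Verdict{Allowed: true}
}

func main() {
	// Constructed sample prompts: ordinary code, an HDL fragment, a restricted
	// repo, and a secret-shaped string.
	samples := []struct {
		repo string
		body string
	}{
		{"app", "def add(a, b):\n    return a + b\n"},
		{"app", "module top(input clk);\nendmodule\n"},
		{"tapeout-2025", "any content at all"},
		{"app", "aws_access_key_id = AKIAABCDEFGHIJKLMNOP"},
	}
	for _, s := range samples {
		fmt.Printf("%-13s %+v\n", s.repo, Scan(s.repo, []byte(s.body)))
	}
}
```

The order matters: the repo check runs before any content inspection, so a restricted repo is blocked even when the bytes look harmless, which is what deny-by-default means in practice.
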
What your agents do

The action broker — scoped capabilities, not raw power.

On the way out, agents call narrow, named actions — restart_service, publish_build, refund_payment — instead of holding shell, database, or release credentials. Keys and broad permissions stay inside the broker; every call is policy-checked, logged, and gated by human approval where it matters.

Execution containment

No raw primitive

The agent never receives the shell, the production database, or the release pipeline directly.

Key containment

Credentials stay in the broker

Tokens, keys, and broad permissions live in the broker — which runs in your VPC, never on the engineer's device.

Reviewable

Policy & human approval

Action- and parameter-level rules, an append-only audit, and approval gates on the actions that matter.

How it works

From agent intent to a logged, scoped action — in four steps.

The same request lifecycle for every agent in the fleet, running inside your VPC.

Step 1

The agent calls a named action

It runs a scoped command through the CLI — e.g. openscope ssh restart_service — never raw ssh, sudo, or a database credential.

Step 2

The broker checks policy

Default-deny: an allow rule plus exact parameter scope decides whether the call runs. The keys never reach the agent.

Step 3

A scoped executor runs it

The narrow action executes against the real system — SSH, shell, Notes, or HTTP — with credentials held inside the broker.

Step 4

Logged, and stoppable

Every allow and deny is appended to an audit log, and an out-of-band kill switch can halt the fleet on demand.
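The four steps above, carried through as one added example of a default-deny broker: an allow rule with exact parameter scope, a credential that stays inside the broker, an append-only audit entry per decision, and an armed/paused switch the policy never touches. This is illustrative code written for this page, not OpenScope's broker; the principal "ci-bot", the host names, the rule, and the stub executor are all constructed, and the credential is a labelled placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ActionRequest is what an agent sends: a named action plus parameters.
// It never carries a credential or a raw command.
type ActionRequest struct {
	Principal string
	Action    string
	Params    map[string]string
}

// AllowRule permits one action for one principal with an exact parameter
// scope: the request must carry exactly these parameters with these values.
type AllowRule struct {
	Principal string
	Action    string
	Params    map[string]string
}

// AuditEntry is one append-only record; the broker writes one per decision.
type AuditEntry struct {
	Seq       int
	Principal string
	Action    string
	Decision  string // "allow" or "deny"
	Reason    string
}

// Executor runs one named action with a credential the broker holds.
type Executor func(action, credential string, params map[string]string) (string, error)

// Broker is default-deny: no matching rule, no run. It also honours an
// out-of-band armed/paused switch that halts every action without touching policy.
type Broker struct {
	mu    sync.Mutex
	armed bool
	rules []AllowRule
	creds map[string]string // action -> credential; never returned to callers
	exec  Executor
	audit []AuditEntry
}

// Arm and Pause are the kill switch, meant to be driven out of band.
func (b *Broker) Arm()   { b.mu.Lock(); b.armed = true; b.mu.Unlock() }
func (b *Broker) Pause() { b.mu.Lock(); b.armed = false; b.mu.Unlock() }

// Audit returns a copy of the append-only log.
func (b *Broker) Audit() []AuditEntry {
	b.mu.Lock()
	defer b.mu.Unlock()
	return append([]AuditEntry(nil), b.audit...)
}

// record appends one decision; the caller holds b.mu.
func (b *Broker) record(req ActionRequest, decision, reason string) {
	b.audit = append(b.audit, AuditEntry{len(b.audit) + 1, req.Principal, req.Action, decision, reason})
}

// allowed reports whether some rule matches principal, action and the exact parameter set.
func (b *Broker) allowed(req ActionRequest) bool {
	for _, r := range b.rules {
		if r.Principal != req.Principal || r.Action != req.Action || len(r.Params) != len(req.Params) {
			continue
		}
		match := true
		for k, v := range req.Params {
			if rv, ok := r.Params[k]; !ok || rv != v {
				match = false
				break
			}
		}
		if match {
			return true
		}
	}
	return false
}

// Execute is the single entry point: kill switch, then policy, then a scoped
// executor that receives the credential the agent never sees.
func (b *Broker) Execute(req ActionRequest) (string, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if !b.armed {
		b.record(req, "deny", "kill switch paused")
		return "", errors.New("broker paused")
	}
	if !b.allowed(req) {
		b.record(req, "deny", "no allow rule with exact parameter scope")
		return "", errors.New("denied by policy")
	}
	cred, ok := b.creds[req.Action]
	if !ok {
		b.record(req, "deny", "no executor credential for action")
		return "", errors.New("no executor for action")
	}
	out, err := b.exec(req.Action, cred, req.Params)
	if err != nil {
		b.record(req, "allow", "executor error: "+err.Error())
		return "", err
	}
	b.record(req, "allow", "executed")
	return out, nil
}

// NewDemoBroker wires a constructed rule set and a stub executor so the flow
// can be exercised offline; the credential value is a placeholder.
func NewDemoBroker() *Broker {
	return &Broker{
		armed: true,
		rules: []AllowRule{
			{Principal: "ci-bot", Action: "restart_service", Params: map[string]string{"host": "web-1"}},
		},
		creds: map[string]string{"restart_service": "ssh-key-PLACEHOLDER"},
		exec: func(action, credential string, params map[string]string) (string, error) {
			// A real executor would open SSH with `credential`; here we only report.
			return fmt.Sprintf("ran %s on %s", action, params["host"]), nil
		},
	}
}

func main() {
	b := NewDemoBroker()
	reqs := []ActionRequest{
		{"ci-bot", "restart_service", map[string]string{"host": "web-1"}},
		{"ci-bot", "restart_service", map[string]string{"host": "db-1"}},
		{"ci-bot", "restart_service", map[string]string{"host": "web-1", "sudo": "true"}},
	}
	for _, r := range reqs {
		out, err := b.Execute(r)
		fmt.Printf("%v -> out=%q err=%v\n", r, out, err)
	}
	b.Pause()
	_, err := b.Execute(reqs[0])
	fmt.Println("after pause:", err)
	for _, e := range b.Audit() {
		fmt.Printf("%+v\n", e)
	}
}
```

Exact parameter scope is deliberately strict: a request with the right host but one extra parameter is denied, because a rule that ignored unknown parameters would let an agent smuggle in options the reviewer never approved.
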

Customer-owned · validatable

It runs in your perimeter — and you can prove it.

The difference from an edge-hosted gateway: scanning happens on infrastructure you own, source-available, and OpenScope is structurally blind to your content — not because we promise it, but because the database refuses the query, and the IAM policies and schema GRANTs show the access never existed. Nothing transits a third party to be scanned.

Architecture diagram (labels recovered from the figure; the arrows themselves are not recoverable from the text):
  • Developer tools / AI agents: Codex, Claude Code, OpenCode.
  • OpenScope Secure AI Router (customer-owned): DLP + policy + audit.
  • OpenScope Action Broker (customer-owned): scoped capabilities, circuit breaker.
  • OpenScope AI Router/Executor control plane: updates, policies, usage, billing.
  • Human approval: change owner, SRE, manager.
  • Physical / out-of-band control: circuit breaker and kill switch, HSM / YubiKey, PAM.
  • Model providers: Claude / AWS Bedrock, OpenAI / Azure OpenAI, other approved models.
  • Privileged resources: production server, databases, cloud, CI/CD.
  • Ownership legend: customer-owned, model-provider-owned, OpenScope-owned.
  • Edge labels: data path and control path; prompt/response; approved prompt/response; approved action/response; privileged action/response; approve/deny; armed/paused; usage metadata only, NO prompts or responses.

How it's deployed

Endpoints in your VPC. Nothing privileged on the device.

OpenScope runs as two endpoints inside your perimeter — the AI Router for what agents see, the Action Broker for what agents do. Your engineers' agents stay on their laptops; the credentials and the execution stay in the VPC.

On the device

Only a scoped token

Cursor, Claude Code, opencode, or Codex point at the in-VPC endpoints with a scoped OpenScope token — no model keys, no database credentials, no admin secrets ever land on the laptop.

In the VPC

Credentials and execution

The Router holds the model-provider credentials; the Broker holds the action credentials and runs privileged operations server-side. Everything sensitive stays inside your perimeter.

Blast radius

A lost laptop is a revoked token

Compromise a device and you get a scoped, revocable token — not your crown-jewels credentials. The CLI, where you want it, is a thin client to the central broker: same ergonomics, no vault on the device.

Setup · for IT

How your team rolls it out.

IT stands up the broker in your VPC; guardrails are defined as reviewed proposals, not ad-hoc grants; engineers point their existing agents at it with a scoped token.

1 · IT, in the VPC

Deploy the broker in your perimeter

Run the AI Router and Action Broker as endpoints inside your VPC (containers or systemd). They hold the model and action credentials; engineers' agents get a scoped, revocable token — nothing privileged lands on a laptop.

2 · Security review

Guardrails as reviewed proposals

Targets, policy, and any custom action are a typed proposal: openscope plan reviews it against a root-owned bounds envelope and security applies it. Managed centrally and distributed to devices — not created ad hoc on each machine.

3 · Engineers

Point the agent at the broker

Claude Code, Codex, or Cursor connect with the scoped token and the openscope skill — same ergonomics, no keys on the device. A lost laptop is a revoked token, not your crown jewels.

What your security team sees

Real-time audit, per-model spend, signed receipts.

Every coding-agent call streams to a live SOC view — decision, DLP rule, model, tokens, cost — with blocks surfaced as alerts and the prompt body never present. Spend is metered per model; each call is Ed25519-signed so finance and security reconcile without reading a prompt.
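What an Ed25519-signed, content-free receipt can look like, as an added example written for this page rather than OpenScope's own format: the receipt struct has fields for decision, DLP rule, model, tokens and cost and deliberately none for the prompt or response; the router signs the exact JSON bytes, and a verifier checks the signature before trusting any field. The model names and per-million-token prices are constructed placeholders, not any provider's price list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Receipt is usage metadata only: decision, rule, model, tokens, cost.
// There is deliberately no field for the prompt or the response body.
type Receipt struct {
	CallID    string  `json:"call_id"`
	Principal string  `json:"principal"`
	Model     string  `json:"model"`
	Decision  string  `json:"decision"`           // "allow" or "block"
	DLPRule   string  `json:"dlp_rule,omitempty"` // set on blocks
	InTokens  int     `json:"in_tokens"`
	OutTokens int     `json:"out_tokens"`
	CostUSD   float64 `json:"cost_usd"`
	IssuedAt  int64   `json:"issued_at"` // unix seconds
}

// SignedReceipt pairs the exact JSON bytes that were signed with the
// signature, so finance and security verify the same bytes the router produced.
type SignedReceipt struct {
	Receipt   []byte `json:"receipt"`
	Signature []byte `json:"signature"`
}

// prices are USD per million tokens (input, output). Constructed placeholders.
var prices = map[string][2]float64{
	"model-a": {3.0, 15.0},
	"model-b": {0.5, 1.5},
}

// Meter prices one call for one model; models not on the list are not priced.
func Meter(model string, inTokens, outTokens int) (float64, error) {
	p, ok := prices[model]
	if !ok {
		return 0, fmt.Errorf("model %q is not on the approved price list", model)
	}
	return float64(inTokens)*p[0]/1e6 + float64(outTokens)*p[1]/1e6, nil
}

// NewKeys generates the router's Ed25519 signing key pair.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue serialises the receipt and signs exactly those bytes.
func Issue(priv ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Receipt: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify checks the signature before decoding or trusting any field.
func Verify(pub ed25519.PublicKey, s SignedReceipt) (Receipt, error) {
	if !ed25519.Verify(pub, s.Receipt, s.Signature) {
		return Receipt{}, errors.New("bad signature")
	}
	var r Receipt
	if err := json.Unmarshal(s.Receipt, &r); err != nil {
		return Receipt{}, err
	}
	return r, nil
}

func main() {
	pub, priv := NewKeys()
	cost, _ := Meter("model-a", 1000, 200)
	r := Receipt{CallID: "c-0001", Principal: "alice", Model: "model-a", Decision: "allow",
		InTokens: 1000, OutTokens: 200, CostUSD: cost, IssuedAt: time.Now().Unix()}
	s, _ := Issue(priv, r)
	got, err := Verify(pub, s)
	fmt.Printf("verified=%v model=%s cost=%.4f\n", err == nil, got.Model, got.CostUSD)
	s.Receipt[0] ^= 1 // tamper with one byte of the signed body
	_, err = Verify(pub, s)
	fmt.Println("after tamper:", err)
}
```

Signing the serialised bytes rather than re-marshalling on the verifier side avoids any dependence on field ordering or float formatting, and a receipt with no content field cannot leak a prompt even if the receipt store is fully readable by finance.
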

OpenScope live security feed
Live demo — Security/IT view: every governed call, blocks as alerts

OpenScope per-model usage and pricing
Live demo — per-model usage, unit price, and cost, with admin enable/disable

See it govern a real coding agent.

We work with a small number of design partners running AI agents in production. Open the live demo, or tell us what you're governing and we'll set up a walkthrough.

What would your agents leak today, and who would know?