BLOG

Field notes on running agents.

How we build, secure, and run a fleet of self-hosted AI agents.

Engineering

Securing Coding Agents in CI/CD: Practical Baseline

Securing coding agents in CI/CD starts with one rule: treat untrusted GitHub content as hostile, then limit secrets, tokens, network, and write access.

Engineering

AI Code Review Agent: Evaluation Guide for PRs

An AI code review agent should be evaluated as a governed PR workflow, not a comment bot. Compare it on signal, cost, permissions, context, and its impact on human review.

Engineering

Credential Proxy for AI Agents Without Secret Exposure

A credential proxy for AI agents lets agents call private repos, APIs, CLIs, and MCP tools without exposing raw secrets to runtimes, prompts, or logs.

Engineering

Agent Harness for Coding Agents: Runtime Architecture

An agent harness for coding agents controls sandboxes, state, permissions, tool execution, review flow, lifecycle, and cleanup around safe AI coding work.

Engineering

AI agent observability for safe coding agent rollouts

AI agent observability for coding agents: trace runs, commands, diffs, tests, costs, approvals, and risky side effects before code reaches production.

Engineering

Long-running background AI agents need durable workers

Long-running background AI agents need durable workers, queues, checkpoints, approvals, sandboxing, cost caps, observability, PR review, and operator control.

Engineering

Persistent AI Agent Workspace Architecture Guide

Design a persistent AI agent workspace with durable files, sandbox snapshots, memory boundaries, rollback, tenant isolation, and clear retention policy.

Engineering

Self-hosted coding agent runtime: build, buy, operate

A self-hosted coding agent runtime gives policy control and data residency, but shifts sandboxing, secrets, audit, cleanup, and capacity to your team.

Engineering

Production Workflows for AI Coding Agents That Scale

Production workflows for AI coding agents need isolated workspaces, reviewable diffs, CI controls, protected merge gates, and accountable human ownership.

Engineering

MCP vs function calling: Practical architecture guide

MCP vs function calling explained for engineers choosing between direct tool calls and MCP servers, compared on runtime discovery, auth boundaries, latency, and reuse.

Engineering

MCP Security for AI Agents: Production Controls

MCP security for AI agents needs token audience checks, sandboxed tools, schema pinning, approval UX, egress limits, and clear incident-ready audit trails.

Engineering

AI Agent Sandboxing: Secure Coding Agent Controls

AI agent sandboxing helps security leaders control source access, secrets, network egress, and coding agent execution risk before agents touch private code.