The trust boundary
Three things every agent gets with none optional
VectorGraph's MCP server treats every agent as a first-class workspace member. The three primitives below, identity, policy, audit, are how agents stay inside the rules without anyone babysitting them.
- 01Identity
An agent is a workspace member not a borrowed token
Issue an MCP token bound to a named identity, claude-code-bot, codex-triager, cursor-ide. The identity carries its team grant and its capability policy.
- 02Policy
Capability policy is a config file not a permissions UI
Reads, writes, and explicit denies live in a .toml file in your repo. Reviewed in pull requests. Versioned. Every change is in git blame.
- 03Audit
Every call lands as the agent
Tool name, scope, arguments, result, latency, all written under the agent's identity, not the engineer who configured it. Compliance gets a real trail.
Policy as code
A config file in your repo that review can trace
Every agent identity is governed by a policy file you commit. Reads and writes are declared explicitly; denies are first-class, not an absence of a grant. Out-of-scope calls fail server-side before they touch workspace data.
# .vectorgraph/policy/claude-code-bot.toml[identity]name = "claude-code-bot"teams = ["engineering"] [capabilities]read = [ "issues", "docs", "context_bundle",]write = ["issues", "comments"]tools = ["link_pull_request"]deny = ["merge_pull_request", "change_billing"] [audit]retain_days = 90Audit trail
Every call lands in the log as the agent including the ones that fail
Tool name, arguments, scope, result, latency. Same format as a human or CLI action. The denied entry below is what an out-of-scope attempt looks like in production, visible, attributable, blocked at the boundary.
- 2026-05-14 14:01:32 UTCclaude-code-bot
read_context_bundleokENG-2189 · returned 4 records · scope engineering - 2026-05-14 14:01:34 UTCclaude-code-bot
link_pull_requestok#2847 linked to ENG-2189 · acme/app - 2026-05-14 14:01:36 UTCclaude-code-bot
merge_pull_requestdeniedpolicy.deny[merge_pull_request] · capability not granted
Bring your agent
Any MCP capable client with the same auth audit and denials
VectorGraph and NorthGraph stay model-agnostic. The client is your choice; the contract is the protocol. Tokens and policies travel unchanged between clients.
Claude Code
MCP client built in. Add the workspace and NorthGraph endpoints to the config and Claude shows up as itself.
Codex
OpenAI Codex CLI speaks MCP. Same identity, same audit, same denial of out-of-scope tools.
Cursor
Add VectorGraph as an MCP source. Cursor's editor agent inherits the policy bound to the token.
Windsurf
Configure once, reuse across windows. Each session is a scoped identity bound to your team grant.
Local models
Llama.cpp, vLLM, or any local runtime paired with an MCP client. Works the same as a hosted model.
In-house agents
Connect through Vector's first-party MCP endpoint. Bring your own runtime while the server still enforces token scopes, allowed tools, and audit.
Get started
Bring your team onto the shared work graph
Create an account, name a workspace, invite your team, connect your code, and point your agents at MCP. Start turning company context into shipped work from one shared workspace.