VectorGraph

MCP server

Agents use MCP without bypassing workspace rules

2MCP endpointsHosted workspace MCP + local NorthGraph MCP, both first-party.
agentsIssue an identity per agent. Each one is auditable on its own.
100%policy-checkedEvery tool call validated server-side against capability policy.
1audit trailCalls land as the agent, not as the engineer who configured it.

The trust boundary

Three things every agent gets with none optional

VectorGraph's MCP server treats every agent as a first-class workspace member. The three primitives below, identity, policy, audit, are how agents stay inside the rules without anyone babysitting them.

  1. 01Identity

    An agent is a workspace member not a borrowed token

    Issue an MCP token bound to a named identity, claude-code-bot, codex-triager, cursor-ide. The identity carries its team grant and its capability policy.

  2. 02Policy

    Capability policy is a config file not a permissions UI

    Reads, writes, and explicit denies live in a .toml file in your repo. Reviewed in pull requests. Versioned. Every change is in git blame.

  3. 03Audit

    Every call lands as the agent

    Tool name, scope, arguments, result, latency, all written under the agent's identity, not the engineer who configured it. Compliance gets a real trail.

Policy as code

A config file in your repo that review can trace

Every agent identity is governed by a policy file you commit. Reads and writes are declared explicitly; denies are first-class, not an absence of a grant. Out-of-scope calls fail server-side before they touch workspace data.

# .vectorgraph/policy/claude-code-bot.toml[identity]name = "claude-code-bot"teams = ["engineering"] [capabilities]read = [ "issues", "docs", "context_bundle",]write = ["issues", "comments"]tools = ["link_pull_request"]deny = ["merge_pull_request", "change_billing"] [audit]retain_days = 90

Audit trail

Every call lands in the log as the agent including the ones that fail

Tool name, arguments, scope, result, latency. Same format as a human or CLI action. The denied entry below is what an out-of-scope attempt looks like in production, visible, attributable, blocked at the boundary.

  1. 2026-05-14 14:01:32 UTCclaude-code-botread_context_bundleokENG-2189 · returned 4 records · scope engineering
  2. 2026-05-14 14:01:34 UTCclaude-code-botlink_pull_requestok#2847 linked to ENG-2189 · acme/app
  3. 2026-05-14 14:01:36 UTCclaude-code-botmerge_pull_requestdeniedpolicy.deny[merge_pull_request] · capability not granted

Bring your agent

Any MCP capable client with the same auth audit and denials

VectorGraph and NorthGraph stay model-agnostic. The client is your choice; the contract is the protocol. Tokens and policies travel unchanged between clients.

  • Claude Code

    MCP client built in. Add the workspace and NorthGraph endpoints to the config and Claude shows up as itself.

  • Codex

    OpenAI Codex CLI speaks MCP. Same identity, same audit, same denial of out-of-scope tools.

  • Cursor

    Add VectorGraph as an MCP source. Cursor's editor agent inherits the policy bound to the token.

  • Windsurf

    Configure once, reuse across windows. Each session is a scoped identity bound to your team grant.

  • Local models

    Llama.cpp, vLLM, or any local runtime paired with an MCP client. Works the same as a hosted model.

  • In-house agents

    Connect through Vector's first-party MCP endpoint. Bring your own runtime while the server still enforces token scopes, allowed tools, and audit.

Get started

Bring your team onto the shared work graph

Create an account, name a workspace, invite your team, connect your code, and point your agents at MCP. Start turning company context into shipped work from one shared workspace.