Security Architecture Whitepaper
The Secure Agent Runtime
Zero Trust Orchestration for Regulated Enterprises
Classification: PUBLIC / TECHNICAL
Audience: Enterprise Security Operations (SecOps), GRC, and Network Architecture Teams
1. Executive Summary
The rapid adoption of “Agentic AI” in the enterprise has historically been blocked by a fundamental security paradox: to be useful, agents need access to internal data; to be secure, internal data must not be exposed to external cloud providers.
CodeTether resolves this conflict through Inversion of Control.
Unlike traditional SaaS integration models that require opening inbound firewall ports or establishing persistent VPN tunnels, CodeTether utilizes a Distributed Worker Architecture. We do not ask you to send your data to our cloud. Instead, you deploy our ephemeral runtime—the CodeTether Worker—inside your secure perimeter.
This architecture ensures that CodeTether operates with the same security profile as a standard CI/CD runner (e.g., Jenkins or GitHub Actions). It requires zero inbound ports, maintains strict data residency via “Data Gravity,” and provides immutable audit trails for every agent action.
2. The Architecture of Trust
CodeTether enforces a strict logical and physical separation between the Control Plane (managed by CodeTether SaaS) and the Data Plane (managed by the Customer). This separation creates a “Logic Air Gap.”
Control Plane (SaaS)
Hosted in our SOC 2 Type II compliant environment
- Signal Routing: Managing the queue of abstract tasks
- Identity Provider: Centralized OIDC via Keycloak
- Telemetry: Aggregating metadata only
Security Guarantee: The Control Plane is not in the inference data path and is designed to operate on metadata (task state, routing, audit events) rather than prompt payloads.
Data Plane (Customer VPC)
Runs within your secure VPC as a containerized workload
- Execution: Running actual logic locally
- Tool Access: Interfacing via MCP
- Data Handling: Sensitive payloads are handled on the Worker; optional model calls go directly to your approved model tenant using your keys
Impact: Even if the Control Plane were fully compromised, attackers would have no access to your credentials or source code.
3. Network Security: Reverse-Polling
The primary objection to external integrations is the “Firewall Objection”—the risk associated with opening inbound ports. CodeTether eliminates this risk entirely.
Outbound-Only Architecture
- No Inbound Ports: the Worker rejects all unsolicited inbound traffic
- HTTPS Only (TCP/443): standard outbound traffic pattern
- SSE & Long-Polling: the Worker asks, “Are there tasks for me?”
- TLS 1.3 Encryption: strong cipher suites, no legacy SSL
Firewall Configuration
| Direction | Destination | Port | Protocol |
|---|---|---|---|
| Outbound | api.codetether.run | 443 | HTTPS |
No Site-to-Site VPNs, Bastion hosts, or DMZ exceptions required.
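The reverse-polling pattern above, as an added example that is not CodeTether's code: a worker that only ever opens outbound client connections, long-polls for work, does the work locally and reports status metadata back. The Control Plane here is a constructed local mock (`MockControlPlane`); the endpoint paths `/tasks/next` and `/tasks/report`, the task fields and the status report shape are assumptions made for the demo, not the real API. In production the connection would be HTTPS to the single allow-listed host; the mock speaks plain HTTP on localhost so it runs offline.

```python
import json
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class MockControlPlane(BaseHTTPRequestHandler):
    """Constructed stand-in for the SaaS Control Plane (not the real CodeTether API).
    It holds a queue of abstract task descriptors and collects status reports."""
    tasks = []          # pending tasks: metadata only, no payloads
    reports = []        # status reports received from the worker
    lock = threading.Lock()
    hold_seconds = 0.5  # how long an idle long-poll request is held open

    def log_message(self, *args):
        pass  # keep the demo output quiet

    def do_GET(self):
        # Long-poll: keep the worker's request open until a task arrives or the hold expires.
        deadline = time.monotonic() + self.hold_seconds
        task = None
        while task is None and time.monotonic() < deadline:
            with self.lock:
                if self.tasks:
                    task = self.tasks.pop(0)
            if task is None:
                time.sleep(0.02)
        body = json.dumps(task).encode()  # "null" when nothing is queued
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        with self.lock:
            self.reports.append(json.loads(self.rfile.read(length)))
        self.send_response(204)
        self.end_headers()


def run_worker(base_url, handle_task, max_idle_polls=3):
    """Outbound-only worker loop. It opens client connections to the Control Plane
    and never binds a listening socket, so there is nothing for inbound traffic to
    reach. Returns the number of tasks completed."""
    done = idle = 0
    while idle < max_idle_polls:
        with urllib.request.urlopen(f"{base_url}/tasks/next", timeout=5) as resp:
            task = json.loads(resp.read())
        if task is None:            # long-poll expired with nothing queued
            idle += 1
            continue
        idle = 0
        status = handle_task(task)  # the actual work happens locally, inside the perimeter
        # Only metadata leaves: task id and status, never the data the task touched.
        body = json.dumps({"task_id": task["id"], "status": status}).encode()
        req = urllib.request.Request(f"{base_url}/tasks/report", data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5):
            pass
        done += 1
    return done


def run_demo():
    """Queue two constructed tasks, run the worker against the mock, return the reports."""
    MockControlPlane.tasks[:] = [{"id": 1, "kind": "run_tests"}, {"id": 2, "kind": "lint"}]
    MockControlPlane.reports.clear()
    server = HTTPServer(("127.0.0.1", 0), MockControlPlane)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        done = run_worker(f"http://127.0.0.1:{server.server_port}", lambda task: "ok")
    finally:
        server.shutdown()
        server.server_close()
    return done, list(MockControlPlane.reports)


if __name__ == "__main__":
    print(run_demo())
```

The point to check on a real deployment is the same one the demo encodes: the worker process should have no listening sockets at all (`ss -ltnp` on the host shows none for it), and its only egress should be TCP/443 to the API host in the firewall table.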
4. Data Residency: The “Data Gravity” Principle
Regulated industries cannot afford to stream proprietary code or customer PII to an external vendor. CodeTether adheres to strict Data Gravity principles: logic moves to the data; data does not move to the logic.
Local Processing
- Tools and sensitive context run on Workers inside your environment
- Only metadata is required by the Control Plane (status, routing, audit events)
- Optional centralized logs are configurable; you decide what is retained and where
Pre-Flight Redaction
- Worker acts as the policy enforcement point before any external inference call
- Regex/NLP filters scrub sensitive entities
- PII redacted before direct-to-tenant inference API calls (e.g., Azure OpenAI)
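A pre-flight redaction filter of the kind described above, as an added example rather than CodeTether's own implementation. The entity patterns (`PATTERNS`), the placeholder format and the `preflight_inference` wrapper are assumptions for the demo; a card-number candidate is only redacted when it passes the Luhn check, so order numbers and other long digit strings survive. The sample prompt is constructed.

```python
import re

# Constructed patterns for a few common sensitive entities. Illustrative, not a
# complete PII taxonomy; a production filter carries many more (plus an NLP pass).
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits with optional space/dash separators; confirmed as a card number by Luhn
    "CARD":  re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits):
    """Luhn checksum, used to avoid redacting arbitrary long numbers (order ids, hashes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Replace sensitive entities with typed placeholders.
    Returns (clean_text, counts) so the Worker can record *what kind* of data was
    removed without recording the data itself."""
    counts = {}

    def replacer(label):
        def repl(match):
            value = match.group(0)
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # long number that is not a valid PAN: leave it alone
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}_REDACTED]"
        return repl

    for label, pattern in PATTERNS.items():
        text = pattern.sub(replacer(label), text)
    return text, counts


def preflight_inference(prompt, send_to_tenant):
    """Policy enforcement point: nothing reaches `send_to_tenant` (the customer's own
    model endpoint client, passed in by the caller) until it has been redacted."""
    clean, counts = redact(prompt)
    # Audit metadata only: entity types and counts, never the original prompt.
    audit_event = {"redacted": counts, "prompt_chars": len(clean)}
    return send_to_tenant(clean), audit_event


if __name__ == "__main__":
    # Constructed sample prompt; the last number is deliberately not a valid card number.
    sample = ("Summarize the ticket from jane.doe@example.com (SSN 123-45-6789): "
              "refund card 4111 1111 1111 1111, order ref 1234 5678 9012 3456.")
    print(preflight_inference(sample, lambda p: f"[model saw] {p}"))
```

The `audit_event` is what the Control Plane or a SIEM should receive from this step: the categories and counts of what was stripped, which is enough to spot an agent that keeps pulling PII into prompts, without the prompt ever leaving the Worker.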
5. Identity & Governance: RBAC & MCP
In a Zero Trust architecture, identity is the new perimeter. CodeTether leverages Keycloak for enterprise-grade Identity and Access Management (IAM).
Fine-Grained RBAC
We treat Agents as non-human identities with strict permissions.
- Identity Separation: A “Test Agent” is cryptographically distinct from a “Deploy Agent”
- Role Scoping: Test Agent can read DB; only Deploy Agent can write
MCP as a Policy Layer
The Model Context Protocol allows security teams to wrap “Policy Layers” around tool access.
Scenario: An agent wants to run a SQL query.
Policy Enforcement: The MCP server enforces “Read-Only” policy. If the agent attempts a DROP TABLE command, the MCP layer blocks it locally. The command never reaches the database.
Immutable Audit Logging
Every action is logged and exportable to your SIEM (Splunk, Datadog).
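The Test Agent / Deploy Agent role split, the read-only SQL policy that blocks DROP TABLE locally, and the audit trail from this section, combined in one added example that is not CodeTether's or MCP's code. The role table (`ROLE_PERMISSIONS`), the statement classifier, the SQLite-backed `PolicyGateway` and the hash-chained `AuditLog` are all assumptions for the demo. It goes one step beyond the text in two ways: read-only agents also get a read-only database connection, so a statement that slips past the policy check is refused by the engine itself, and each audit record carries the hash of the previous one so tampering with the exported trail is detectable.

```python
import hashlib
import json
import sqlite3
import tempfile
import time
from pathlib import Path

# Constructed role table: each non-human identity gets the statement kinds it may run.
ROLE_PERMISSIONS = {
    "test-agent": {"SELECT"},                        # read-only
    "deploy-agent": {"SELECT", "INSERT", "UPDATE"},  # may write rows, never change schema
}
DENY_ALWAYS = {"DROP", "ALTER", "TRUNCATE", "ATTACH", "PRAGMA"}  # no role gets these


def statement_kinds(sql):
    """Leading keyword of each ';'-separated statement: 'SELECT 1; DROP TABLE t' gives
    ['SELECT', 'DROP']. Deliberately simple: anything unusual is denied, not guessed."""
    return [s.split()[0].upper() for s in sql.split(";") if s.strip()]


class AuditLog:
    """Append-only trail; every record carries the hash of the one before it, so an
    edited or deleted line shows up when the export is verified."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record):
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = dict(fields, ts=time.time(), prev=prev)
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def export_jsonl(self):  # one JSON object per line, ready for a SIEM forwarder
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


class PolicyGateway:
    """Stand-in for the MCP policy layer sitting in front of a SQLite database."""

    def __init__(self, db_path):
        self.db_path, self.audit, self._conns = db_path, AuditLog(), {}

    def _conn_for(self, agent):
        # Second layer: read-only roles get a read-only engine connection (mode=ro).
        if agent not in self._conns:
            if ROLE_PERMISSIONS[agent] <= {"SELECT"}:
                uri = Path(self.db_path).resolve().as_uri() + "?mode=ro"
                self._conns[agent] = sqlite3.connect(uri, uri=True)
            else:
                self._conns[agent] = sqlite3.connect(self.db_path)
        return self._conns[agent]

    def execute(self, agent, sql):
        kinds = statement_kinds(sql)
        allowed = ROLE_PERMISSIONS.get(agent, set())
        if len(kinds) != 1 or kinds[0] in DENY_ALWAYS or kinds[0] not in allowed:
            self.audit.append(agent=agent, action="sql", statement=sql, decision="deny")
            return {"ok": False, "error": f"policy denied {kinds} for {agent}"}
        try:
            conn = self._conn_for(agent)
            rows = conn.execute(sql).fetchall()  # execute() also refuses stacked statements
            conn.commit()
            self.audit.append(agent=agent, action="sql", statement=sql, decision="allow")
            return {"ok": True, "rows": rows}
        except sqlite3.Error as exc:
            self.audit.append(agent=agent, action="sql", statement=sql, decision="error", detail=str(exc))
            return {"ok": False, "error": str(exc)}


def run_demo():
    """Constructed scenario: a seeded customers table, a read-only Test Agent and a
    Deploy Agent that may write rows. Returns (results, engine_error, gateway)."""
    path = Path(tempfile.mkdtemp()) / "demo.db"
    seed = sqlite3.connect(path)
    seed.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    seed.execute("INSERT INTO customers (name) VALUES ('Ada')")
    seed.commit()
    seed.close()
    gw = PolicyGateway(path)
    results = [
        gw.execute("test-agent", "SELECT name FROM customers"),                       # allowed
        gw.execute("test-agent", "DROP TABLE customers"),                             # blocked locally
        gw.execute("test-agent", "SELECT 1; DROP TABLE customers"),                   # stacked: blocked
        gw.execute("deploy-agent", "INSERT INTO customers (name) VALUES ('Grace')"),  # allowed
        gw.execute("deploy-agent", "DROP TABLE customers"),                           # blocked for all
        gw.execute("test-agent", "SELECT count(*) FROM customers"),                   # sees the new row
    ]
    # Skip the policy check on purpose to show the engine-level guard holds on its own.
    try:
        gw._conn_for("test-agent").execute("DROP TABLE customers")
        engine_error = None
    except sqlite3.OperationalError as exc:
        engine_error = str(exc)
    return results, engine_error, gw


if __name__ == "__main__":
    results, engine_error, gw = run_demo()
    print(results, engine_error, gw.audit.verify(), gw.audit.export_jsonl(), sep="\n")
```

The statement classifier is intentionally conservative: a CTE (`WITH ... SELECT`), a comment-prefixed statement or anything stacked with `;` is denied rather than parsed, and the read-only connection underneath catches what the classifier misses. The audit export is newline-delimited JSON, which both Splunk and Datadog ingest directly; verifying the chain on the receiving side is what makes the trail tamper-evident rather than merely exported.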
6. Supply Chain Security
To ensure the integrity of software running inside your perimeter:
Signed Images
All Docker images are cryptographically signed. Verify the signature with an admission controller before a Worker is allowed to run.
Minimal Base
Distroless or minimal Alpine bases to reduce attack surface.
SBOM Available
Software Bill of Materials for every release with all dependencies.
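One way to make the "verify via admission controllers" step concrete on Kubernetes, as an added illustration and not a CodeTether-supplied manifest: a Kyverno ClusterPolicy that refuses to admit any Pod whose worker image is not signed with the publisher's cosign key. The image reference, registry and public key are placeholders; the real values come from the vendor's release documentation.

```yaml
# Added example (not a CodeTether manifest). Assumes Kyverno is installed in the cluster
# and that worker images are signed with cosign using the publisher's key pair.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-worker-image-signature
spec:
  validationFailureAction: Enforce   # reject unsigned images, do not merely audit them
  background: false
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/codetether/worker:*"   # placeholder image reference
          mutateDigest: true   # pin the admitted Pod to the verified image digest, not a mutable tag
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <publisher cosign public key goes here; placeholder>
                      -----END PUBLIC KEY-----
```

With the policy in `Enforce` mode, a Pod referencing an unsigned or re-tagged worker image is rejected at admission, and the digest pin means a later push to the same tag does not change what runs. The SBOM for the release can be checked against the same digest so that the image you verified is the one the bill of materials describes.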
7. Compliance Frameworks
HIPAA
PHI stays in your VPC. BAA available.
SOC 2 Type II
Control Plane maintains certification.
PCI-DSS
Cardholder data stays under your control; enforce egress policy at the Worker.
FedRAMP
Self-hosted, air-gap compatible.
8. Conclusion
CodeTether transforms the AI Agent from a “Black Box” security risk into a managed, observable, and policy-governed IT asset. By decoupling the Control Plane from the Execution Plane, we allow regulated enterprises to innovate with AI agents without compromising their security posture.
The “Runner” Analogy
“It works exactly like a GitHub Action runner. It sits in your VPC, polls for work on port 443, does the work locally, and reports the status. No inbound ports.”
Ready to Secure Your AI Workflows?
Schedule a Security Architecture Review with our team.