Security & Governance
Governance is visible, not buried.
ContextECF is designed for enterprise teams that need to prove what an AI agent saw, what it was allowed to do, and what it actually did.
Tenant isolation
Tenant identity is derived from authenticated context, never from request body or headers. Tenant-boundary denial is verified in the synthetic test lane.
Permission mirroring
Users only see context they are already entitled to in the underlying systems of record. The Fabric does not elevate scope.
Application-print to scope
Every connector scope must be justified by a Mode application print explaining which evidence or action requires it, and whether it is read-only or write-capable.
Approval-first writes
Write-like actions show blast radius, destination, reversibility, and policy. Release 1 keeps sync-back to draft or approval-gated mutations.
Generated tool allowlists
AI-generated tools require explicit Mode allowlists with certification evidence before they can be invoked inside a Mode.
Immutable receipts
Every governed action emits a Shadow Ledger receipt with deterministic hash, approval state, sync-back target, and supporting evidence.
Federated canopy deployment
Run the Fabric inside your data plane.
Design partners deploy ContextECF into a customer-controlled environment with an IP-protected starter package, entitlement gates, and a clear upgrade and rollback path.
- Customer-controlled data plane inside the federated canopy.
- Marketplace or BYOC control-plane options for early adopters.
- IP-protected starter package distributed as a signed ZIP.
- 180-day entitlement trial with key required to continue.
- Support-safe evidence bundle for incident triage without raw payloads.
- Synthetic demo lane is isolated from any customer connector data.
- No customer data is used for model training.
Walk your enterprise into the Fabric.
We are onboarding a small number of design partners to validate Release 1 in their own federated canopy.