Connection lost
Trying to reconnect…
Server didn't respond
Recovering…
How it works
From intent to verified receipt.
An agent never gets a shell. It asks for one declared action, and that request passes five gates before anything happens on your host — and lands in an audit you can verify after.
The shape: nothing listens on your hosts.
The runner dials out to the control plane over an outbound connection. The cloud is the control plane and the durable system of record; your hosts open no inbound port.
Your AI agent
Claude, Cursor, ChatGPT — over MCP
emisar cloud
Catalog, policy, approvals, audit
Runner
On your host, dials out
Every request passes five gates.
One real action — halting writes after a CSI driver reformatted a live volume — traced through all five, with the actual payload at each step.
-
01
The agent asks for one declared action
No shell, ever. The model calls one MCP tool with typed arguments, a target runner, and a required reason — it can only request what's in the catalog.
{ "method": "tools/call", "params": { "name": "nomad.alloc_stop", "arguments": { "alloc": "a1b2c3d4", "reason": "CSI reformatted a live LUN — halt writes", "runners": ["nomad-hvn03"] } } } -
02
The pack hash and arguments are checked
The action must come from a trusted, content-addressed pack — a changed hash blocks dispatch until an admin re-trusts it — and every argument is validated against the declared schema.
pack nomad@8f34c2e9… trusted ✓ alloc "a1b2c3d4" ✓ matches /^[a-z0-9-]+$/ reason present ✓ required runner nomad-hvn03 ✓ in your scope
-
03
Policy returns allow, approval, or deny
Risk-tier defaults plus ordered per-action overrides decide. Reads usually run free; this mutating action stops for a one-click human approval — recorded as its own audit event.
{ "event_type": "action_run.pending_approval", "action_id": "nomad.alloc_stop", "policy_decision": "require_approval", "matched_rules": ["nomad.* → require approval"] } -
04
The runner re-validates and executes
The outbound-only runner owns execution. It recomputes the pack hash and re-validates the arguments on the host, then runs the command and redacts secrets before any output leaves the machine.
runner nomad-hvn03 receives run_action request=7c2a9f… pack hash 8f34c2e9… recomputed on the host ✓ arguments re-validated ✓ exec nomad alloc stop a1b2c3d4 exit 0 · 0.38s · stdout redacted before egress
-
05
The audit makes it recoverable
Every step lands in a SHA-256 hash-chained journal on the host (and the searchable cloud audit). Each line carries the previous line's hash, so any edit or gap is caught by emisar audit verify — and the whole thing streams to your SIEM as NDJSON.
{ "event_id": "01JZ8F2K…", "event_type": "execution_completed", "action_id": "nomad.alloc_stop", "request": { "reason": "CSI reformatted a live LUN — halt writes", "args_sha256": "5e8c1f…" }, "execution": { "exit_code": 0 }, "prev_hash": "9a72d4…" }
And the host keeps the last word, even against a compromised cloud
Run your first gated action in five minutes.
Install the runner, point your agent at the catalog, and watch a request walk the five gates.
Three runners. Seven-day audit. No credit card.