Now in early access

Governed access for agents operating on real systems.

Polycore lets AI agents securely connect to and act on production systems. Gated by human approval, scoped so credentials never leave your infrastructure, logged in one audit trail.

one governed path to production
POLYCORE CLOUDYOUR INFRASTRUCTUREsignedSlackhumansAI agentscodex · claudeWeb appoperatorsPolycorepolicy · approval · auditRunnerholds the credentialsDatabasesAPIsSecrets
The bet

It's time to trust computers.

Agents get more capable every month, and the teams that win will be the ones that let them do real work on real systems. But trust isn't given blindly. It's granted, scoped, and reviewable. Polycore is how you hand growing responsibility to machines without handing over the keys.

How it works

Reads run. Writes wait for a human.

Most requests start where your team already works, like Slack. A read comes straight back. Anything that changes production waits for a human to approve it, right in the thread.

opsReads answer instantly
opsWrites wait for approval

A representative Slack interaction, illustrated. Not a real screenshot.

01

Deploy a runner in your infra

The runner dials Polycore outbound over a single WebSocket. No inbound ports, no god-token sitting on the internet. It holds the scoped credentials and stays where your secrets already live.

02

Expose capabilities, not credentials

Read connectors and blessed actions become a governed catalog. Callers get scoped, revocable capabilities, never the underlying database password or service account key.

03

Callers ask, humans approve

Slack, your agents, and the web app request work. Reads run instantly; mutations pause for a human approval. Every call lands in one audit trail with the approver bound in.

The audit trail

Every request, one record.

Slack, your agents, the web app: whoever asked and whatever ran, it lands in a single log. Who called it, what they ran, where, and whether it was approved or denied. Denied mutations are recorded too, so nothing touches production without a trace.

  • Every read, write, and denial in one place
  • The approver bound to each change
  • Filter by caller, capability, or environment
One audit log · every callerlive
  • workspaces.rename-workspace · prodweb:admin@acme.com
    approved6s ago
  • billing.set-plan · prodslack:U06SX
    approved22s ago
  • firestore.count · prodslack:U2P4K
    ok58s ago
  • billing.set-status · prodcodex:ops
    denied2m ago
  • firestore.query · devclaude:support
    ok5m ago
  • sql.query · prodmcp:reporting-bot
    ok8m ago
Showing 6 of 1,284 events
But can't Claude or Cursor already do this?

Yes. Access was never the hard part.

Point a coding agent at production and yes, it runs your read. It runs your DELETE just as easily, with no second human and no shared record of who did what. Same agent, two ways to connect it:

The credential
A full-power production key lives in the agent's config.
Stays in your infra. The agent gets a short-lived, scoped capability token, never the secret.
Reach
Whatever the key can touch, any prompt can touch in full.
Reads run on connectors that can't mutate, whatever the store: Postgres, Firestore, an internal API.
A hijacked prompt
One poisoned doc or page spends the key on anything.
Reaches only the capabilities you granted, and changes still stop before they run.
Changing prod
The agent decides and executes, unsupervised.
Mutations wait for a human who isn't the caller, then run in your infra under a signed grant.
The record
Each tool's own scrollback, if any.
One audit log across every caller: who asked, what ran, where, who approved.
Every caller
Org-wide MCP just distributes one vendor's tools. It won't scope the key, gate the change, or log what ran.
One policy and one audit across every agent brand and every human, credentials held in your infra.
The catalog is the product

Author an operation once, as typed, source-controlled code. That one catalog is what Claude Code, Codex, and Cursor consume over MCP, what your team runs from Slack, and (coming) an admin dashboard whose UI is generated from each action's types. Your agents never get a database, just a caller's view of a governed catalog. Front doors, not liabilities.

Let your agents do real work.

Give humans and AI the same governed path to production: scoped, approved, and audited.