Code Press Logo
CodePress · Security BriefVol. I — 2026

Secure AI agentsfor teams that get realwork done.

CodePress was built for teams that want agents doing meaningful work without giving them unlimited reach. The agent works from approved repositories and integrations, protects the credentials behind those connections, and keeps important approval moments visible as work moves from request to result.

Read the briefTalk to security →
§

Security for AI agents is not one promise. It is a set of practical limits: what the agent can see, what it can change, what it can send or publish, who approves the result, and what record remains afterward.

CodePress is designed around those limits. Agents get enough access to be useful, but not a standing invitation to every company system. Credentials are protected, sensitive outputs stay reviewable, and each session leaves evidence your team can inspect.

The guardrails/in plain English.

Work
Agents operate inside a bounded session with the repositories, integrations, and context needed for the task.
The agent can move real work forward without inheriting every permission an employee has.
Credentials
Secrets are encrypted and used through approved connections instead of being pasted into prompts.
The agent can take an approved action without learning the raw token behind it.
Outputs
Code changes go through pull requests by default, and other sensitive outputs keep visible approval points.
A bad result should be something your team can inspect, revise, or reject before it matters.
Tools
Agents can use only the repositories and integrations your team has connected.
Access is intentional, reviewable, and removable when your team changes its mind.
People
Organization roles decide who can connect tools, share credentials, publish changes, and approve sensitive work.
Security decisions stay with your team instead of being buried inside an agent run.
Customers
Company workspaces, sessions, and access checks keep customer data separated.
One organization's work is not mixed into another organization's agent session.
Evidence
Session history, tool results, and GitHub records show what the agent was asked to do and what changed.
Your team can review agent work after the fact instead of relying on memory or screenshots.

Eight practical limits that lower agent risk.

These are the controls a team evaluating agent security should care about: access is intentional, secrets are protected, important outputs are reviewable, and the work is recorded.

The agent starts with a bounded job

CodePress agents are launched for a specific piece of work inside a dedicated workspace. They are not given a blank check to roam across every company system.

  • Each session is tied to one organization, one user context, and the work being requested.
  • The agent receives the repositories, tools, and context needed for that job.
  • It does not automatically inherit everything an employee can access.
  • Long-running work is tracked as a session instead of disappearing into a black box.

Tools are connected deliberately

CodePress only works with repositories and integrations your team has connected. Admins decide what is available, who can use it, and when a connection should be removed.

  • You choose which GitHub organizations and repositories CodePress can see.
  • Integrations are opt-in, not scraped from someone's active browser session.
  • Shared credentials have explicit sharing controls.
  • Personal and team connections can be separated when the workflow requires it.

Secrets stay behind controlled connections

Agents can use approved connections without being handed the raw passwords, API keys, or OAuth tokens behind them.

  • Connected-tool credentials are encrypted before storage.
  • Sensitive keys are resolved by CodePress services instead of pasted into prompts.
  • Model-provider keys stay behind CodePress's gateway.
  • Credentials can be revoked or reconnected without retraining users on a new process.

Important outputs stay reviewable

When the work produces a code change, CodePress opens a branch and pull request. For other connected workflows, the same principle applies: the agent does the work, and your team keeps the approval moment.

  • The default code path is a pull request, not a silent production change.
  • Reviewers can inspect, comment, reject, or merge the work just like a human-authored PR.
  • CI still runs before code lands.
  • For non-code work, approvals stay visible instead of being buried inside the agent run.
  • Visual edits from the browser follow the same delivery model.

GitHub access follows GitHub's own boundaries

CodePress connects through a GitHub App, not a broad personal access token. Access is tied to the organizations and repositories you approve.

  • You choose which repositories CodePress can work with.
  • GitHub tokens are temporary and scoped to the installation.
  • You do not need to give CodePress a full-account personal token.
  • GitHub's own audit and permission model stays in the loop.

Company data is separated

A CodePress agent working for your organization does not share a code workspace with another customer. Product access checks are enforced before data is returned to users or agent tools.

  • Customer workspaces are separated by organization.
  • Agent sessions are tied back to a specific company and user.
  • Agents go through CodePress's permission layer instead of querying customer data directly.
  • Organization membership is checked before showing projects, chats, repositories, or integrations.

Risky moments require human intent

The goal is not to let an agent freely click around your business. It is to let the agent carry work forward while keeping approval moments visible.

  • The agent can pause and ask before ambiguous or destructive decisions.
  • Production publishing requires the right CodePress role.
  • Merging code, publishing work, and sharing sensitive outputs stay with your team.
  • Admins decide which integrations are available and how credentials can be shared.

Every session leaves evidence

Security teams do not have to guess what the agent did. CodePress keeps a session history with messages, actions, tool results, and delivered work.

  • Chats and agent steps are preserved with timestamps.
  • Pull requests and merges appear in GitHub's history when code changes are involved.
  • You can review what the agent was asked to do and what it actually did.
  • Operational metadata helps us investigate incidents or unusual behavior.

What security teams ask first.

Short, direct answers. If your team needs more detail on any of these, we'll happily get on a call.

01

Can the agent see everything in our company?

No. A session starts with the organization, user context, repository, and connected tools needed for the job. CodePress checks organization membership and integration access before returning customer data to users or agent tools.

02

Can it change production without us noticing?

No. For code, the default path is a pull request: your team reviews the diff, CI runs, branch protections apply, and merging stays in your hands. Other publishing or external-send actions are reserved for explicit workflows where your organization has chosen that behavior.

03

Can the agent see our passwords, API keys, or OAuth tokens?

The agent can use approved connections without being handed the raw secret behind them. Credentials are encrypted before storage and resolved through CodePress-controlled paths when a tool needs to act.

04

Is this like giving an AI control of my browser?

No. Your browser is the chat, review, and approval surface. CodePress agent work runs in a separate workspace built for the task, so it does not inherit your open tabs, cookies, desktop files, or personal browsing session.

05

How is GitHub access controlled?

CodePress uses a GitHub App. Your team chooses which organizations and repositories to connect, installation tokens are scoped and temporary, and GitHub's permission and audit model remains part of the workflow.

06

What happens if an agent produces the wrong result?

You can inspect the work, ask for a revision, reject it, or stop the session. When the result is code, that usually happens in a pull request. The important part is that meaningful output is visible before it ships, publishes, or gets treated as final.

07

How do we review what the agent did?

CodePress preserves the chat, agent steps, tool results, and delivery history. For code changes, GitHub also keeps the pull request, review, commit, and merge trail.

08

Can we get a SOC 2 report or sign a custom DPA?

We're working through formal compliance attestations. In the meantime, reach out and we'll share the deeper security materials we have today, including architecture notes, data-flow details, and answers for your review process.

Want the deeper dive?

We're happy to walk your security team through the practical model: what the agent can see, what it cannot see, how tool access works, and how important outputs get reviewed.

Talk to securityStart a free trial