Use Case

Agent harness for CI/CD Pipelines

Adaptive lets pipelines trigger deploy agents inside private VPCs, on-prem clusters, or air-gapped networks — no inbound ports. Each invocation gets ephemeral cloud credentials scoped to a single release, with every artifact and command signed and traceable. You write the prompts and workflows; Adaptive provides the harness, tools, MCP registry, networking, and guardrails.

harness·h-2841
Adaptive
$adaptive harness h-2841
↳ session opened
Welcome to Claude Code
>release PR-412 to staging
⏺ creds: deploy-bot · staging · ttl 20m
⏺ lint · unit · integration green
⏺ sbom generated, signed
⏺ publishing artifact to staging
! perf gate: p95 +8% — deploy held
teardown: credentials revoked
>
creds: ephemeral
sbom: signed
gates: enforced

The problem

CI/CD pipelines require broad access to cloud resources, container registries, and deployment targets. AI agents in these pipelines inherit these privileges, creating a supply chain risk — a compromised deploy agent can push malicious code to production, modify infrastructure, or exfiltrate secrets from the build environment.

650% increase in software supply chain attacks over the past three years, many targeting CI/CD systems

82% of CI/CD pipelines use long-lived credentials that are shared across multiple stages and agents

15 min average time for an attacker to pivot from a compromised CI runner to production infrastructure

CI/CD pipelines are high-value targets because they bridge development and production. Agents in these pipelines need enough access to deploy but must be prevented from persisting access or modifying resources outside the current release.

The solution

Per-release ephemeral credentials with signed artifacts for CI/CD agents

Adaptive provides the harness, tools, MCP registry, networking, and guardrails for every CI/CD agent — ephemeral cloud credentials scoped to a single release, signed artifacts, logged commands, and credentials that expire the moment the deployment completes. You provide the prompts and workflows. The agent runs your release logic inside the Exo policy envelope, never outside it.


Benefits

How Adaptive helps

1. Invoke Agents in Private Environments

CI/CD pipelines invoke deploy agents running inside your VPC, on-prem cluster, or air-gapped environment — no inbound ports, no exposed endpoints. Each invocation is issued ephemeral cloud credentials scoped to the single release it's deploying.

Write the prompts and workflows that drive the agent. Pipelines call into the Exo identity-aware control plane; every command the agent runs and every artifact it produces is signed with the release identity and logged for end-to-end traceability.

2. Per-Release Credentials

Generate unique cloud credentials for each deployment. Credentials are scoped to the specific release, environment, and resource set — no reuse across deployments.

Integrate with your CI/CD platform to automatically provision and revoke credentials per pipeline run. No static secrets in your CI configuration.

3. Artifact Signing

Every build artifact, container image, and deployment manifest is cryptographically signed with the agent's session identity. Verify provenance at every stage.

Enable artifact signing in your pipeline configuration. Deployment targets can verify signatures before accepting releases.

4. Deployment Scoping

Restrict deploy agents to specific environments, regions, and resource groups. Prevent agents from deploying to production without the required approval gates.

Define deployment policies per environment — staging agents cannot touch production resources, and production agents require multi-party approval.

5. Command Traceability

Every command executed during the pipeline is logged with the release context — commit hash, trigger event, approver, and execution environment.

Feed pipeline audit logs into your security monitoring stack for real-time anomaly detection and post-deployment forensics.