◂ invisible.cat No. 09 · The infrastructure issue
The Beamhall logo — a glowing flying saucer beaming down its signature star, above the Beamhall wordmark. A self-hosted application backplane

Agent-built apps.
Infrastructure included.

The backplane for the internal apps your AI agents build — they inherit compute, data, secrets, identity and secure connectivity, instead of wiring it.

beamhall.com · built on MCP · by Positronico
◂ invisible.cat No. 09 · How a beam is built
The inheritance

A beam inherits
its infrastructure.

The agent asks for a capability — a database, a secret, a connection to the ERP — and Beamhall provisions it behind policy, handing back a handle, never the wiring.

AI agent no infra access
intent
Beamhall backplane runtime · data · secrets · identity · connectors
provisions
your beam inherits it all · governed + audited
Runtime A hardened container, re-asserted on every deploy.
Data A managed database — handed back as a key and a file path.
Secrets Write-only. No tool ever reads one back.
Identity End-user authentication — near-term roadmap.
Connectors Secure links to ERP & internal systems — roadmap.

A reliable path, not improvised infrastructure. Beamhall gives the agent one documented tool surface and a built-in knowledge base, so it ships the same known-good, governed way every time — and nothing leaves your environment.

IT decides where apps run. A private VM, a dedicated VPC, or fully on-prem, per workspace. The gateway is the single ingress and egress is default-deny — no security group to misconfigure into accidental public access.

◂ invisible.cat No. 09 · The security brief
Security properties

The agent never
holds a credential.

Agent holds no credentials
Policy Enforcement Point hash-chained · append-only audit the credential boundary
Hardened workspace runc / gVisor · default-deny egress

No raw credential reaches the agent

No get_secret tool; set_secret is write-only; create_database returns a key and a file path, never a connection string.

One audited policy point

Every action passes a single Policy Enforcement Point and is recorded on a hash-chained, append-only audit log, verified at boot.

Immutable hardening baseline

cap-drop ALL, no-new-privileges, read-only rootfs, seccomp + AppArmor, cgroup v2 ceilings, userns-remap — chosen by IT, re-asserted every deploy.

Default-deny egress

A per-workspace bridge with an always-deny set: cloud metadata, link-local, host, management subnet. The agent has no tool to widen it.

Stronger isolation on demand

Flip one field to run under gVisor (runsc), a userspace kernel — no KVM required. A Firecracker microVM tier is the documented upgrade path.

Proven, not asserted

A negative-security suite (TestAgentCannot) makes a builder holding every scope try to read secrets, escape, and exfiltrate — and proves each attempt fails.

Status

Build
Go 1.26+
Protocol
MCP
Isolation
runc · gVisor runsc
Release
v0.4.0 · pre-1.0
License
Apache-2.0