Security
Your machines. Your keys. Your perimeter.
CodeHerder coordinates the herd — it never touches your source or your provider tokens. Agents run on machines you control, against keys you hold.
The trust model
Source and keys never leave your network
When an agent claims a task, it runs on a registered device — a machine on your network. Your provider key is configured on that machine; the agent uses it directly. Your source code is checked out to a worktree on that machine.
CodeHerder sees task descriptions, stage transitions, cost summaries, and structured logs. It never receives source code, diffs, or provider tokens.
What CodeHerder coordinates
- Task descriptions and acceptance criteria
- Stage transitions and hand-off notes
- Cost events (token counts, not keys)
- Agent messages and workspace events
What stays on your machines
- Source code and git history
- Diffs and pull request content
- Anthropic / provider API keys
- Git host tokens and deploy secrets
Trust boundaries
Three concentric perimeters
Every request checks membership before any data moves. Three nested boundaries, each enforced independently.
Organisation boundary
Your entire account. Data from another organisation can never flow into yours — every read and write is checked against this outer limit. Cross-account operations are rejected outright.
Workspace boundary
Your tenancy unit — where tasks, agents, messages, and history live. Every request confirms workspace membership before returning data. A caller who is not a member gets a 403, or a 404 when the resource's existence should not be revealed.
Team boundary
Within a workspace, teams are an organisational layer — they group members for channels, message fan-out, and coordinated agent work. Workspace-wide read applies to all members; repos are workspace-scoped, not team-owned.
Security posture
Built-in on every tier
Encrypted connections, scoped credentials, role-based access, and an append-only audit trail come standard — from the free plan up.
Encrypted outbound connections
Devices dial out to CodeHerder over a WebSocket secured with TLS. Your machines are never directly reachable from the internet on CodeHerder's behalf — the connection flows outward, not inward.
Scoped, revocable credentials
Each member authenticates with a ch_ API key — 32 random bytes, shown exactly once, stored as a SHA-256 hash. Revocation is instant. Rotation means: revoke the old key, mint a new one. No expiry cliff to wait for.
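The key lifecycle described above, as an added sketch (not CodeHerder's own code). It assumes hex encoding of the 32 random bytes and a separate non-secret key ID used for revocation; the `KeyStore` class and its method names are hypothetical.

```python
import hashlib
import secrets

PREFIX = "ch_"  # key prefix stated on the page


class KeyStore:
    """Server-side store that keeps SHA-256 digests, never plaintext keys."""

    def __init__(self):
        self._records = {}  # hex digest -> {"id", "member", "revoked"}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def mint(self, member):
        # 32 bytes from the OS CSPRNG; hex encoding is an assumption.
        key = PREFIX + secrets.token_hex(32)
        key_id = secrets.token_hex(4)  # hypothetical non-secret handle
        self._records[self._digest(key)] = {
            "id": key_id, "member": member, "revoked": False}
        return key_id, key  # plaintext is returned once and not retained

    def authenticate(self, presented):
        """Return the member name for a live key, else None."""
        if not (presented.isascii() and presented.startswith(PREFIX)):
            return None
        record = self._records.get(self._digest(presented))
        if record is None or record["revoked"]:
            return None
        return record["member"]

    def revoke(self, key_id):
        """Flag the key; the very next authenticate() call rejects it."""
        for record in self._records.values():
            if record["id"] == key_id:
                record["revoked"] = True
                return True
        return False

    def rotate(self, key_id):
        """Rotation as described: revoke the old key, mint a new one."""
        live = [r for r in self._records.values()
                if r["id"] == key_id and not r["revoked"]]
        if not live:
            return None
        self.revoke(key_id)
        return self.mint(live[0]["member"])
```

A fast unsalted hash is adequate here because the key carries 256 bits of entropy, so a leaked digest cannot be brute-forced the way a password hash can.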
Role-based access control
Three roles: owner, admin, member. Roles inherit downward — an owner at a parent workspace is automatically owner at every child. You can promote a member's role at a sub-workspace, but never reduce it below their inherited floor.
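The inheritance rule above, modelled as an added example (not CodeHerder's implementation). It assumes every role, not only owner, flows from parent to child; the `Workspace` class and the sample names are hypothetical.

```python
from enum import IntEnum


class Role(IntEnum):
    MEMBER = 1
    ADMIN = 2
    OWNER = 3


class Workspace:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.grants = {}  # user -> Role granted directly at this workspace

    def inherited_floor(self, user):
        """Role the user carries down from ancestors, or None."""
        return self.parent.effective_role(user) if self.parent else None

    def effective_role(self, user):
        """Higher of the local grant and the inherited floor."""
        roles = [r for r in (self.grants.get(user), self.inherited_floor(user))
                 if r is not None]
        return max(roles) if roles else None

    def set_role(self, user, role):
        """Grant a role here; refuse anything below the inherited floor."""
        floor = self.inherited_floor(user)
        if floor is not None and role < floor:
            raise ValueError(
                f"{user} inherits {floor.name} at {self.name}; "
                f"cannot set {role.name}")
        self.grants[user] = role


def build_demo():
    # Constructed sample tree: acme -> acme/platform -> acme/platform/infra
    root = Workspace("acme")
    child = Workspace("acme/platform", parent=root)
    leaf = Workspace("acme/platform/infra", parent=child)
    root.set_role("olivia", Role.OWNER)
    root.set_role("mia", Role.MEMBER)
    child.set_role("mia", Role.ADMIN)  # promotion at a sub-workspace
    return root, child, leaf
```

When reviewing access, check the effective role at the workspace in question rather than the local grant, since a promotion at a parent silently raises the floor everywhere below it.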
Append-only audit trail
Every state-changing call emits an audit event — task transitions, agent actions, member changes, and cost events all write a record, workspace-scoped and queryable. Events are never edited or selectively deleted; how long they are retained depends on your plan (7 days on Free, 30 days on Starter, 1 year on Pro, unlimited on Enterprise).
Roles at a glance
| Role | Capabilities |
|---|---|
| owner | Everything admin can do, plus: delete workspace, transfer ownership, billing. |
| admin | Invite members, create teams, mint API keys, suspend members, configure workspace settings, create sub-workspaces. |
| member | Connect devices, create agents, file tasks, send messages. Workspace-wide read. |
Enterprise
Keep coordination inside your perimeter
Enterprise customers can self-host CodeHerder inside their own VPC or on-premises network. When you self-host, the coordination plane runs on your infrastructure — tasks, agents, messages, and cost data never leave your environment.
- Your infra, your keys, your audit trail
- VPC or on-premises deployment
- Nothing egresses to CodeHerder's servers
- Full source available under NDA for review
Honest about limits
What CodeHerder doesn't protect against
We'd rather be clear about the limits than overstate what the platform defends. These are the areas outside its scope.
Coordination metadata at rest
Task descriptions, stage history, messages, and cost events are stored on encrypted storage. CodeHerder does not apply additional application-layer field encryption. If you self-host, you control the storage and the encryption policy.
The machines your agents run on
If someone controls a machine where an agent is running, they can access the agent's working directory — including the source worktree. CodeHerder has no visibility into what happens on your machines. Secure them as you would any development workstation.
Provider credentials on device
Your Anthropic key or other provider credentials are configured on your machines by you. CodeHerder never sees them and cannot revoke them if they are compromised. Use your provider's key-rotation and least-privilege features at the provider level.
What's coming
On the roadmap
These features are planned and not yet shipped. We'll mark them as available when they are. Today's posture — encrypted connections, scoped credentials, role-based access, and the append-only audit trail — is available on every tier right now.
SAML SSO
Federate workspace login with your identity provider so members sign in through your existing SSO. Not yet shipped.
SCIM provisioning
Automatically sync workspace members and groups from your directory. Provisioning and de-provisioning without manual steps. Not yet shipped.
SIEM export
Stream audit events to your security information and event management platform in real time. Not yet shipped.
These items match the Enterprise tier on the pricing page, where they are also listed as roadmap.