01
Task created
A developer creates a task in the portal (or via Jira sync). The task describes what code change is needed and which files are in scope.
// Security
How CodieDev protects your code, infrastructure, and data.
You're trusting an AI agent to write code in your codebase. This page explains exactly how that works — what the agent can and can't do, where your code goes, and the guardrails we built to keep your systems safe.
// How It Works
The lifecycle of a task — from creation to merge.
Understanding the architecture is the fastest way to evaluate our security posture. Here's what happens when a task runs.
02
Ephemeral sandbox spins up
A fresh, isolated container is created on Modal. The repo is cloned using a short-lived GitHub App installation token. No persistent state carries over from previous tasks.
03
Agent works in isolation
The AI agent edits code inside the sandbox. File-level permission controls restrict which files it can modify. A secondary scope enforcer reverts any out-of-scope changes before push.
04
Quality gates run
Lint, typecheck, and build checks execute inside the sandbox. Baseline diffing ensures pre-existing failures aren't attributed to the agent. An LLM judge reviews the diff against the original task intent.
05
PR opened, sandbox destroyed
The agent pushes a feature branch and opens a pull request. The container and all local data are destroyed. Only the diff is stored in the portal for review.
06
Human reviews and merges
A team member reviews the PR in GitHub or the CodieDev portal (diff viewer, before/after screenshots, AI report). Nothing merges without explicit human approval.
// Guardrails
What the agent can't do.
These aren't policies — they're architectural constraints enforced in code.
Isolation
Sandboxed execution
Every task runs in its own ephemeral Modal container. The agent has no network access to your production infrastructure, no SSH keys, and no database credentials. When the task finishes, the container is destroyed — no state persists between runs.
Scope control
Double-layer file scope enforcement
Primary layer: the agent's tool permissions restrict file edits to only the paths specified in the task. Secondary layer: a post-execution scope enforcer scans all changed files and reverts anything outside the allowed set. The agent literally cannot ship changes to files it wasn't told to touch.
Branch protection
Never touches main
The agent works exclusively on feature branches. It cannot push to main, cannot merge PRs, and cannot trigger deployments. Every change goes through a pull request that requires human approval before merging.
Validation
Automated quality gates
Before anything is pushed, the sandbox runs your project's lint, typecheck, and build checks. Baseline diffing captures pre-existing failures so the agent is only held to regressions it introduced. An independent LLM judge then reviews the diff against the original task intent.
Least privilege
Scoped GitHub App tokens
CodieDev connects via a GitHub App with only contents:write and pull_requests:write permissions. Installation tokens are short-lived and scoped to the specific repositories you authorize. No broad personal access tokens.
Data minimization
No source code storage
Your repository is cloned into the ephemeral container and destroyed when the task completes. CodieDev stores only the diff (for the portal diff viewer) and task metadata. Your full source code is never persisted on our infrastructure.
// Data & Access
How your data is isolated and protected.
Organization-level data isolation
Every database query enforces organization membership via auth guards. A user in Company A cannot access tasks, repos, or data belonging to Company B. This is enforced at the query layer, not just the UI.
Role-based access control
Users are assigned roles (admin, member, viewer) within their organization. Admins manage settings and integrations. Members create and review tasks. Viewers have read-only access. Super admin access is restricted to platform operators.
Share tokens are read-only and time-limited
Task share links provide read-only access to a single task. Tokens expire after 7 days. They cannot modify data, access other tasks, or bypass organization boundaries.
Secrets management
API keys and credentials are stored as encrypted secrets in Modal and Cloudflare — never in source code or database records. GitHub App private keys are stored as platform secrets with no application-level access.
// Questions
What CTOs and security teams ask us.
What can the agent access in my codebase?
Only the repositories you explicitly connect via the GitHub App. Within a task, the agent is further restricted to the specific files mentioned in the task scope. It cannot access other repos, other branches, or any infrastructure beyond the sandbox.
Can the agent break production?
No. The agent runs in an isolated container with no access to production systems. It pushes to a feature branch and opens a PR. It cannot merge, deploy, or modify your main branch. All changes require human review and approval.
What if the agent writes bad or insecure code?
Multiple layers catch this: automated lint/typecheck/build checks in the sandbox, an LLM judge that reviews the diff against task intent, and the mandatory human review on the PR. Nothing reaches your main branch without a human approving it.
Where does my code go? Who can see it?
Your code is cloned into an ephemeral container that is destroyed after the task. Only the diff is stored for display in the portal. Your data is isolated to your organization — other customers cannot access it. CodieDev employees do not have routine access to customer code.
What third-party services does CodieDev use?
Convex (database and backend), Modal (sandboxed compute), Cloudflare Workers (API layer), and OpenRouter (LLM API). All are SOC 2 compliant or equivalent. Customer code passes through these services only during active task execution in ephemeral containers.
Can I audit what the agent did?
Yes. Every task has a full event log showing each action the agent took, files modified, checks run, and token usage. The portal provides a diff viewer, before/after screenshots, and an AI-generated summary report. Distributed tracing is available for deeper analysis.