Control & Provenance
The layer a request-scoped proxy can't reach: CloudVera sees the agent's decision loop across a whole session, not one request at a time. A typed execution-provenance graph is the substrate; detection and enforcement are built on top.
Features
Execution Provenance
GET /api/ai-gateway/agents/:agentId/sessions/:sessionId/provenance returns a typed graph of the session β prompt, tool_call, retrieval, egress, and event nodes, linked by sequence / caused_by / evidence_for edges. It shows what the agent did, in order, which retrieval was evidence for which tool call, and where an injected instruction entered.
Lethal-Trifecta Detection
An agent is exploitable when one session combines all three legs β untrusted content ingested, private/sensitive data access, and an external egress path. Each is fine alone; the combination enables exfiltration. CloudVera flags the combination (a cross-tool-call correlation) and records a critical security event (β violation) β surfaced in the Session Forensics view with per-leg evidence.
Inline MCP Proxy
Point an MCP client at POST /api/ai-gateway/mcp-proxy/:serverId (auth with a cvk_ or cva_ key). CloudVera screens each JSON-RPC message ON THE WIRE β blocking blocked, injection-flagged, or non-allowlisted servers (and, once a server's tools have been catalogued, tools outside that scanned set), and masking PII in tool arguments before egress β then forwards to the registered MCP server. True inline enforcement a non-SDK client can't bypass.
Delegation-Chain Enforcement
For multi-agent calls, pass the who-delegated-to-whom chain (X-Delegation-Chain header or the SDK). CloudVera enforces a delegation-depth bound and holder-side scope attenuation β a sub-agent can't be handed authority its delegator didn't hold, and the invoked tool must be within the final delegated scope β which the transport-level OAuth/bearer auth can't see.