AI agents can do real work. They just can't be trusted with real credentials.
Why Now
two things happened at the same time.
AI agents started calling production APIs. MCP became a Linux Foundation standard with 13,000+ servers and 97 million monthly SDK downloads. Every serious enterprise is deploying autonomous agents into real infrastructure.
The question is no longer “can agents do useful work?” The question is: can you prove what they did, why, and whether they should have?
Meanwhile, the biggest SaaS platform in the world proved its trust model is broken. The ShinyHunters breach cascaded across 700+ companies through Salesforce integration boundaries — the same credential-passing architecture every platform relies on.
The execution layer is gone. The trust model is broken. And every company deploying AI agents just discovered they have the exact same problem.
Three Planes. One Architecture.
Security isn't a layer you bolt on. It's the substrate everything else is built from.
Context Plane
Kantext — the Meaning∘Data substrate. Context fused into data at every point, not bolted on as metadata. Every value has provenance. Every change is tracked. Composable, git-grounded, cryptographically sealed at ~20MB/s.
Execution Plane
WASM and sandboxed Python modules define intent; the host executes capability. Plugins cannot see credentials — they request actions through a host-function barrier. There is nothing to steal.
Mediation Plane
The MCP Gateway — a zero-trust chokepoint where every tool invocation is identity-verified, risk-classified, policy-evaluated, and recorded to a tamper-evident audit chain.
The Difference
Everyone else builds better locks.
We built the building.
Credential Isolation
The plugin defines the intent. The host executes the capability. The credential never enters the sandbox memory space. The class of attack behind ShinyHunters becomes architecturally impossible.
Immutable Audit
Every execution produces a chain of content-addressed, cryptographically sealed frames. Modify one byte and the entire chain invalidates. This isn't a log file. It's a proof.
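An added example of the hash-chained audit frames described above, not Kantext or MCP Gateway code: the frame layout, the field names, the helper functions and the sample events are assumptions. It also shows that a chain re-sealed or truncated after an edit is still internally consistent, and is caught only by comparing against a head id stored outside the chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous id" for the first frame

def seal(prev_id, payload):
    """Frame id = SHA-256 over canonical JSON of (previous id, payload)."""
    body = json.dumps({"prev": prev_id, "payload": payload}, sort_keys=True)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return {"prev": prev_id, "payload": payload, "id": digest}

def build(events):
    """Seal events in order; return (chain, head id)."""
    chain, prev = [], GENESIS
    for event in events:
        chain.append(seal(prev, event))
        prev = chain[-1]["id"]
    return chain, prev

def verify(chain, trusted_head):
    """Return (ok, index of first bad frame); trusted_head lives outside the chain."""
    prev = GENESIS
    for i, frame in enumerate(chain):
        if frame["prev"] != prev or seal(prev, frame["payload"])["id"] != frame["id"]:
            return False, i
        prev = frame["id"]
    if prev != trusted_head:
        return False, len(chain)  # links consistent, head wrong: truncated or re-sealed
    return True, None

def edit_payload(chain, index, payload, reseal=False):
    """Copy the chain with one payload changed; optionally recompute all ids."""
    frames = [dict(f) for f in chain]
    frames[index]["payload"] = payload
    if reseal:
        frames, _ = build([f["payload"] for f in frames])
    return frames

# Constructed sample audit events (not real gateway output).
EVENTS = [
    {"agent": "agent-a", "tool": "crm.read", "decision": "allow"},
    {"agent": "agent-a", "tool": "crm.export", "decision": "deny"},
    {"agent": "agent-b", "tool": "mail.send", "decision": "allow"},
]

if __name__ == "__main__":
    chain, head = build(EVENTS)
    forged = dict(EVENTS[1], decision="allow")
    print(verify(chain, head), verify(edit_payload(chain, 1, forged), head),
          verify(edit_payload(chain, 1, forged, reseal=True), head))
```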
Provenance at Every Point
Every value in the system knows where it came from, who put it there, and when. Not metadata bolted onto mutable state — provenance encoded into the substrate itself.
In Practice
what this means for you.
Open Source
real releases. install them now.
The ecosystem is being built in the open.
Snowfakery MCP
v0.0.5
AI-powered test data generation. Connect Snowfakery to Claude, ChatGPT, and other assistants through the Model Context Protocol. Draft, validate, and run data recipes through natural language.
pipx install snowfakery-mcp
Busbar SF API
v0.1.0
A comprehensive Rust client for the Salesforce platform. Six modular crates covering REST, Tooling, Bulk, and Metadata APIs with full OAuth 2.0 and JWT Bearer authentication.
cargo add busbar-sf-api
The Builder
Jason Lantz
One of two founding product team members at Salesforce.org. Sr. Director of Release Engineering at Salesforce Industries. Built CumulusCI — the automation platform behind 200,000+ Salesforce deployments.
In September 2024, he published a series of blog posts demonstrating exact credential vulnerabilities in the Salesforce ecosystem. Eleven months later, the ShinyHunters breach exploited the same attack vector across 700+ companies.
Left Salesforce to build what comes next.
Let's talk about your trust problem.
Whether you're deploying AI agents into production, navigating the Salesforce platform shift, or building the next generation of enterprise automation — the architecture matters. Let's talk.