Project Fulcrum
The AI agent that doesn't hold your keys. Identity-less by default.
Secure cross-domain security auditing with Auth0 Token Vault, Fine-Grained Authorization (FGA), and CIBA human-in-the-loop approval for high-stakes actions.
The Problem with Traditional AI Agents
Most AI agents hold long-lived admin keys in .env files and act with excessive agency. A single prompt injection is then enough to cause catastrophic damage.
- `GITHUB_TOKEN=ghp_xxxx`: permanent admin tokens in .env files
- `agent.execute("delete all repos")`: the agent executes without any permission check
- `// No audit trail`: no visibility into what the agent actually did
The Auth0 Security Trinity
Fulcrum uses three Auth0 services to create a zero-trust architecture where the agent never holds permanent credentials.
Token Vault
Your OAuth tokens (GitHub, Jira, Slack) are securely stored in Auth0's Token Vault. The agent only receives short-lived, scoped proxy tokens.
```
// Agent never sees this
GITHUB_TOKEN=ghp_xxx...

// Agent gets this instead: a short-lived token carrying only the scope it needs
token = vault.getToken({
  scopes: ['repo:read'],
  ttl: '5m'
})
```
Fine-Grained Authorization
Every tool call is checked against relationship tuples before it runs. If the tuple granting the action does not exist, the agent cannot act.
```js
// Before EVERY tool call: the FGA check returns { allowed }, and anything
// other than an explicit allow is treated as a denial (fail closed)
const { allowed } = await fga.check({
  user: 'user:alice',
  relation: 'can_execute',
  object: 'action:github_merge'
});
if (!allowed) throw new Error('DENIED');
```
CIBA (Human Approval)
High-stakes (Level 5) actions such as deleting a branch or merging a PR pause and send a push notification to your phone. Biometric approval on the device is required before the agent may proceed.
```js
// Level 5 actions pause here; the binding message is what the user sees
// in the push notification, so it names the exact action being approved
await ciba.initiate({
  userId: session.userId,
  bindingMessage: "Fulcrum wants to delete branch: main"
});
// Agent waits for approval...
```
What Fulcrum Can Do
Secure multi-service orchestration across your developer tools
GitHub Integration
- List and analyze repositories
- Manage branches (Level 5)
- Scan for exposed secrets
- Create issues and PRs
Jira Integration
- List projects and issues
- Create security issues
- Search with JQL queries
- Update issue status
Slack Integration
- List channels
- Send security alerts
- Notify on vulnerabilities
- Coordinate with teams
Action Risk Levels
Every tool has an assigned risk level. Level 5 actions always require CIBA approval.
| Level | Risk | Example Actions | CIBA Required |
|---|---|---|---|
| 1 | Read-only | List repos, get issue details, view projects | No |
| 2 | Safe scan | Scan for secrets, analyze code | No |
| 3 | Create | Create issues, send Slack messages | No |
| 4 | Modify | Update issues, create PRs | No |
| 5 | Destructive | Delete branch, merge PR, delete issues | YES |
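The following is an added worked example, not Fulcrum's own code, that puts the Token Vault, FGA and CIBA snippets above together with the risk-level table: every tool call goes through one dispatcher that checks the FGA tuple first, pauses Level 5 actions for CIBA, and only then obtains a proxy token limited to the single scope the tool needs, writing each decision to an audit log. `MockTokenVault`, `MockFga`, `MockCiba`, their method names, the `TOOL_ACCESS` mapping, the sample tuples and the stand-in GitHub data are all constructed assumptions that replace the Auth0 services so the block runs offline.

```javascript
// Added example, not Fulcrum's code. Token Vault, FGA and CIBA are replaced by
// in-memory stand-ins (assumed names, not the Auth0 SDK APIs) so this runs offline.
// Risk levels from the "Action Risk Levels" table; level 5 always requires CIBA.
const RISK_LEVEL = {
  list_repos: 1, get_issue: 1, view_projects: 1, scan_secrets: 2, analyze_code: 2,
  create_issue: 3, send_slack_message: 3, update_issue: 4, create_pr: 4,
  delete_branch: 5, merge_pr: 5, delete_issue: 5,
};
const CIBA_LEVEL = 5;
// Connection and the single scope each tool needs (constructed mapping).
const TOOL_ACCESS = {
  list_repos: { connection: 'github', scope: 'repo:read' },
  delete_branch: { connection: 'github', scope: 'repo:delete' },
};

// Token Vault stand-in: the long-lived connection token never leaves it. The agent
// only receives an opaque proxy token bound to a scope list and an expiry.
class MockTokenVault {
  constructor(connectionTokens) { this.connectionTokens = connectionTokens; this.proxies = new Map(); this.seq = 0; }
  getToken({ connection, scopes, ttlSeconds, now = Date.now() }) {
    if (!(connection in this.connectionTokens)) throw new Error(`unknown connection ${connection}`);
    const proxy = `pt_${this.seq++}_${Math.random().toString(36).slice(2)}`;
    this.proxies.set(proxy, { connection, scopes: new Set(scopes), expiresAt: now + ttlSeconds * 1000 });
    return proxy;
  }
  // Service-side resolution: unknown, expired or out-of-scope tokens fail closed.
  resolve(proxy, scope, now = Date.now()) {
    const rec = this.proxies.get(proxy);
    if (!rec || now >= rec.expiresAt || !rec.scopes.has(scope)) return null;
    return this.connectionTokens[rec.connection];
  }
}
// FGA stand-in: relationship tuples stored as "user#relation@object".
class MockFga {
  constructor(tuples) { this.tuples = new Set(tuples); }
  check({ user, relation, object }) { return this.tuples.has(`${user}#${relation}@${object}`); }
}
// CIBA stand-in: `approver` plays the user's phone; only an explicit true approves.
class MockCiba {
  constructor(approver) { this.approver = approver; this.requests = []; }
  initiate({ userId, bindingMessage }) {
    this.requests.push({ userId, bindingMessage });
    return this.approver(userId, bindingMessage) === true;
  }
}
// GitHub stand-in that honours only valid proxy tokens (constructed data).
function makeGithub(vault) {
  const repos = ['fulcrum/api', 'fulcrum/web'];
  const branches = { 'fulcrum/api': ['main', 'dev'] };
  return {
    listRepos(proxy) {
      if (!vault.resolve(proxy, 'repo:read')) throw new Error('token rejected');
      return [...repos];
    },
    deleteBranch(proxy, repo, branch) {
      if (!vault.resolve(proxy, 'repo:delete')) throw new Error('token rejected');
      branches[repo] = branches[repo].filter((b) => b !== branch);
      return branches[repo];
    },
  };
}

// The dispatcher every agent tool call goes through: FGA first, then CIBA for level 5,
// then a scoped 5-minute proxy token; every decision is written to the audit log.
function createDispatcher({ vault, fga, ciba, github }) {
  const audit = [];
  const tools = {
    list_repos: (proxy) => github.listRepos(proxy),
    delete_branch: (proxy, { repo, branch }) => github.deleteBranch(proxy, repo, branch),
  };
  function execute(userId, tool, args = {}) {
    const level = RISK_LEVEL[tool];
    const record = (decision, reason) => audit.push({ at: new Date().toISOString(), userId, tool, level, decision, reason });
    const deny = (reason, msg) => { record('DENIED', reason); throw new Error(`DENIED: ${msg}`); };
    if (level === undefined || !tools[tool]) deny('unknown tool', `unknown tool ${tool}`);
    if (!fga.check({ user: `user:${userId}`, relation: 'can_execute', object: `action:${tool}` })) {
      deny('fga', `${userId} lacks can_execute on action:${tool}`);
    }
    if (level >= CIBA_LEVEL) {
      const bindingMessage = `Fulcrum wants to run ${tool} ${JSON.stringify(args)}`;
      if (!ciba.initiate({ userId, bindingMessage })) deny('ciba', `${tool} not approved`);
    }
    const { connection, scope } = TOOL_ACCESS[tool];
    const proxy = vault.getToken({ connection, scopes: [scope], ttlSeconds: 300 });
    const result = tools[tool](proxy, args);
    record('ALLOWED', level >= CIBA_LEVEL ? 'fga+ciba' : 'fga');
    return result;
  }
  return { execute, audit };
}

// Constructed environment: alice may list and delete branches, bob may only list.
function demo(approver = () => true) {
  const vault = new MockTokenVault({ github: 'ghp_constructed_example_token' });
  const fga = new MockFga(['user:alice#can_execute@action:list_repos',
    'user:alice#can_execute@action:delete_branch', 'user:bob#can_execute@action:list_repos']);
  const ciba = new MockCiba(approver);
  return { vault, fga, ciba, ...createDispatcher({ vault, fga, ciba, github: makeGithub(vault) }) };
}
```

Two ordering choices matter here. The FGA check runs before CIBA so a user who is not entitled to an action never receives an approval prompt for it (`bob` asking for `delete_branch` is denied without `ciba.requests` growing), and the proxy token is minted only after both gates pass, so a prompt-injected call that fails either gate never holds any credential. The vault's `resolve` also shows why the agent-side token is harmless on its own: it is rejected once expired, when used for a scope it was not issued with, or when it was never issued at all.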
Ready to Try Zero-Trust AI?
Connect your services and let Fulcrum manage security auditing with full accountability.