Corla protects two things simultaneously: your intellectual property through a compilation layer that ensures raw assets never cross a trust boundary, and your organisation's integrity through server-side accountability that cannot be bypassed.
Each layer is enforced independently. A compromise at one layer does not cascade to others.
OAuth 2.1 with PKCE — no implicit flows, no long-lived credentials. JWTs with 15-minute default TTL. Every token validated against a Redis revocation list on every single request. Revocation propagates in under 30 seconds via an atomic pipeline operation.
Grants are per-developer, per-project, per-role — created explicitly by enterprise admins. Roles carry permission sets and sensitivity ceilings. The policy engine checks grant validity, expiry, project match, and permission scope on every compile request. Instant revocation propagates via session kill.
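The per-request token check described above (signature, TTL, revocation lookup that is never cached and fails closed when the store is unreachable), as an added illustration that is not Corla's code; `RevocationStore`, `AuthError` and the HS256 token format are assumptions standing in for the broker's Redis list and JWT handling.

```python
import base64, hashlib, hmac, json
# Added illustration, not Corla's code. RevocationStore and AuthError are
# assumed names; RevocationStore stands in for the Redis revocation list.

class AuthError(Exception):
    """Every rejection path is explicit; the broker maps this to HTTP 401."""

class RevocationStore:
    """Stand-in for Redis. is_revoked raises when the store is unreachable."""
    def __init__(self, revoked=(), available=True):
        self.revoked, self.available = set(revoked), available

    def is_revoked(self, jti: str) -> bool:
        if not self.available:
            raise ConnectionError("redis unavailable")
        return jti in self.revoked

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, jti: str, sub: str, iat: int, ttl: int = 900) -> str:
    """HS256 JWT with the 15-minute (900 s) default TTL the page describes."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"jti": jti, "sub": sub, "exp": iat + ttl}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def authorize(token: str, secret: bytes, store: RevocationStore, now: int) -> int:
    """HTTP status for one request: 200 only when every check passes, else 401.
    The revocation lookup runs on every call and is never cached; an unreachable
    store rejects the request (fail closed). Log text carries the JTI only."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            raise AuthError("unexpected alg")  # refuse alg=none and friends
        expect = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, _unb64url(sig)):
            raise AuthError("bad signature")
        claims = json.loads(_unb64url(body))
        if claims["exp"] <= now:
            raise AuthError(f"expired jti={claims['jti']}")
        if store.is_revoked(claims["jti"]):
            raise AuthError(f"revoked jti={claims['jti']}")
        return 200
    except (AuthError, ValueError, KeyError, ConnectionError):
        return 401  # no default-allow fallback
```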
The setup script appends a Corla behaviour block to CLAUDE.md — the transparent, developer-visible file that Claude Code loads as genuine system context. The report_policy_violation tool is a visible deterrent: the developer knows it exists and knows it fires when extraction is attempted. Packages are HMAC-signed; the adapter verifies the signature before use. Context is in-memory only — never written to disk.
Every MCP call is logged at the broker — this is the ground truth for audit, compliance, and anomaly detection. It does not depend on the AI agent cooperating or the developer not circumventing client-side mechanisms. Input and output are stored as SHA-256 hashes, never as raw content. The audit log is append-only at the database level. Anomaly detection flags unusual access patterns automatically.
Corla's compilation layer is an IP protection mechanism as much as a security one. The distinction matters: access controls can be misconfigured. The compilation guarantee is architectural — the source simply never travels.
A system prompt encoding proprietary domain reasoning. A playbook refined over years of production incidents. An architecture document capturing decisions your best engineers made. These aren't generic documents — they're competitive advantages encoded in text. Corla treats them as such.
Access control says who can read a file. Compilation means the file is never transmitted as-is. What crosses the boundary is a scoped, signed derivative — useful for AI-assisted work, not reconstructable into the original. The IP never exists in readable form outside the broker.
These are the threat vectors Corla is designed to address.
A developer prompts the AI tool to disclose the context instructions injected into their session.
CLAUDE.md block instructs the agent to call report_policy_violation and decline. The tool is a visible deterrent — the developer knows it exists. All tool calls are visible in Claude Code's UI. Attempt is logged server-side regardless of outcome.
A developer's CORLA_TOKEN is stolen and used from an attacker's machine.
A developer attempts to request context from projects or assets outside their grant.
A MITM attack attempts to modify the compiled package between the broker and the developer's adapter.
A developer engineers prompts to get the AI to produce output that reveals proprietary patterns, even without quoting context directly.
A vendor engagement ends but the developer's token remains valid, allowing continued access.
These invariants are enforced at the code level, not just the policy level. Violating them is not a misconfiguration — it is a build-time or runtime error.
Assets are loaded, compiled, and discarded inside Zone 2. The RawAsset.content field never appears in any network response, log entry, or database record outside Zone 2.
The AuditEvent table has no UPDATE or DELETE permissions at the database level. Not even for administrators. Not even for cleanup jobs. Every event is permanent.
The revocation check is never skipped and never cached. If Redis is unavailable, the request is rejected (fail closed). Caching the validation result would make revocation meaningless.
The adapter verifies the HMAC-SHA256 signature of every compiled package before injecting it. An invalid signature is a critical security event, logged immediately.
Bearer tokens, signing keys, and encryption keys must never appear in logs, error messages, or audit events. Only the JTI (token ID) is logged.
Compiled package content must never be written to disk, temp files, or any persistent storage on the developer's machine. If the process exits, the context is gone.
When in doubt about a token's validity, the request is rejected with 401. No default-allow fallback. Every auth error path is explicit.
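The adapter-side signature check from the invariants above (and the "Packages are HMAC-signed; the adapter verifies the signature before use" layer description), as an added illustration that is not Corla's adapter code; the package shape, the `project` scope field and the log callback are assumptions, and the payload is a constructed stand-in for a compiled package.

```python
import hashlib, hmac, json
from typing import Optional
# Added illustration, not Corla's adapter code. The package shape
# ({"payload": ..., "sig": ...}), the field names and the log callback are
# assumptions; the payload is a constructed stand-in for a compiled package.

def _canonical(compiled: dict) -> bytes:
    # Canonical JSON so broker and adapter sign and verify identical bytes.
    return json.dumps(compiled, sort_keys=True, separators=(",", ":")).encode()

def sign_package(key: bytes, compiled: dict) -> dict:
    """Broker side: HMAC-SHA256 over the canonical payload, hex-encoded."""
    payload = _canonical(compiled)
    return {"payload": payload.decode(),
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_package(key: bytes, package: dict, expected_project: str, log) -> Optional[dict]:
    """Adapter side. Returns the parsed context only if the signature is valid
    and the package is scoped to the project this session requested; otherwise
    logs a critical event (neither key nor signature appears in the log) and
    returns None. The result lives in process memory only; nothing is written
    to disk, so it disappears when the process exits."""
    payload = str(package.get("payload", "")).encode()
    expect = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, str(package.get("sig", ""))):
        log("CRITICAL invalid package signature; package discarded")
        return None
    context = json.loads(payload)
    if context.get("project") != expected_project:
        log(f"CRITICAL package scoped to {context.get('project')!r}, "
            f"expected {expected_project!r}; package discarded")
        return None
    return context
```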
Client-side mechanisms (CLAUDE.md, MCP prompts, report_policy_violation) are cooperative tooling and visible deterrence. They improve compliance but depend on agent cooperation. Server-side logging does not. It is the ground truth and cannot be overridden by content in any context window.
Corla does not try to enforce behaviour against a developer's interests through hidden mechanisms. It doesn't need to.
Claude Code shows every MCP tool call in its UI. A developer can see — and deny — any tool call. Corla is designed with this transparency in mind. Deterrence comes from visibility, not hidden execution.
The behaviour constraints written to CLAUDE.md are visible to the developer. Deletion is detectable via git diff and the absence of expected get_context calls server-side. Deletion is not silent — it is just transparent.
Every MCP call is logged at the broker regardless of what happens client-side. This is the enforcement layer that cannot be bypassed. Compliance infrastructure is built on it — not on assumptions about AI agent behaviour.
Audit-ready event logs with searchable export. Available under NDA for enterprise customers. Report covers security, availability, and confidentiality trust service criteria.
Alignment with the AI management system standard. Governance framework documentation, risk assessments, and control mappings available for Enterprise tier customers.
Personal data minimisation by design. Input and output stored as hashes — not raw content. Data residency options available. DPA provided for all customers.
We welcome security reviews. Documentation, architecture diagrams, threat model, and SOC 2 report are available under NDA. Contact our security team directly.