Everything in Vexa composes from a handful of primitives. A unit of work — a dispatch — is one agent, in one container, over a person’s workspace, authorized by an identity token, fired by the scheduler.

Workspace

A Git folder, stored in an (encrypted) bucket, with an id and an access mode (ro/rw). A dispatch mounts a list of workspaces — typically system (ro) + company (ro) + user (rw). It holds knowledge, plans, and the agent’s session — all just files, with no dictated structure. Git is the durable state and the undo.

Agent

A generic CLI coding agent selected by a runner (Claude Code is one; others and BYO-inference plug in the same way). It works the mounted workspace with a scoped toolbelt and commits. It is untrusted — outside the trust boundary — so it carries a signed token but enforces nothing. Its outbound capabilities (email, calendar, web) are integrations: cred-gated tools reached over MCP, never built into the backend. See Agents.

Container

The isolated, ephemeral unit an agent runs in, spawned by the runtime. Sub-second to start, reaped on idle, no egress except through brokered tools — thousands run in parallel with no lateral movement. Its live output streams to the client over a per-dispatch channel.

Identity

The chain of custody. The launcher proves itself (a user session, or a signed delegation grant for a schedule/integration); the identity service mints a short-lived signed dispatch token (subject = on whose behalf · launcher = who triggered · scope); the runtime attests the workload (SPIFFE/SPIRE); and every boundary verifies the token — never the agent. Tool calls exchange it for an audience-scoped credential (Keycloak / RFC 8693) at an MCP gateway, so the agent never holds a raw key.
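
The boundary check described above, tied to the workspace access modes, as an added example that is not Vexa's own code. Assumptions: HMAC-SHA256 with a demo key stands in for the unspecified signature scheme, and the claim names (`sub`, `launcher`, `scope`, `exp`) and the functions `mint` and `check_mount` are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Assumption: HMAC-SHA256 with a shared demo key stands in for the identity
# service's real signature scheme, which the page does not specify.
KEY = b"constructed-demo-key"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> str:
    return b64e(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def mint(subject, launcher, scope, ttl=60, now=None):
    """Identity-service side: issue a short-lived signed dispatch token."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "launcher": launcher, "scope": scope, "exp": now + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def check_mount(token, workspace_id, mode, now=None):
    """Boundary side: decide from the token alone, never from the agent's say-so.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    # Verify the signature before parsing any claim out of the body.
    if not sep or not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return False, "bad signature"
    claims = json.loads(b64d(body))
    if now >= claims["exp"]:
        return False, "expired"
    if mode not in ("ro", "rw"):
        return False, "unknown mode"
    granted = claims["scope"].get(workspace_id)  # "ro", "rw" or None
    if granted is None:
        return False, "workspace not in scope"
    if mode == "rw" and granted != "rw":  # rw satisfies ro; ro never satisfies rw
        return False, "read-only grant"
    return True, f"{mode} mount for {claims['sub']}"

if __name__ == "__main__":
    # Constructed sample dispatch: the typical system/company/user mount list.
    tok = mint("alice", "schedule:daily", {"system": "ro", "company": "ro", "user": "rw"})
    for ws, mode in [("user", "rw"), ("company", "rw"), ("other", "ro")]:
        print(ws, mode, check_mount(tok, ws, mode))
```

Because the signature is checked before any claim is read, an agent that rewrites the scope in its own token is rejected at the first step rather than at the scope comparison.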

Scheduler

Redis. The one mechanism that dispatches agents, on a trigger — a schedule entry (cron), an integration event (e.g. new email), or now (chat). It holds the user-manageable schedule; a meeting ending is just another event that dispatches an agent.