← Lexicor

Walkthrough · Product surfaces

Four surfaces, one control plane

The registry of every agent, where policy is written, where operators watch and act, and where every decision becomes portable evidence — the windows your teams use.

01Four jobs, one plane
Each surface has one job. Together they close the loop from inventory to evidence after a deny.
Inventory

Platform and security teams see every agent, team, grant, and standing in one registry — whatever harness they run on.

Write policy

Governance authors declare grants and violations as versioned objects; gates on the path enforce exactly what is written.

Intervene

Operators pause, narrow scope, or escalate from live posture — without chasing an agent across tools.

Hand over evidence

Compliance and audit export tamper-evident records written at decision time, not reconstructed from chat later.

02Agent registry — every team's agents, one inventory
For platform and security: one inventory of agents, teams, tool grants, and standing. After a deny, the same agent shows narrowed posture here — not only in a log line.
lexicor — agent registry / agentsLIVE
AgentTeamTool grantsStatusTrust
billing-reconcilerpaymentsstripe, ledger-dbactiveok
support-triagecxzendesk, slackactiveok
code-review-botplatformgithub, ci-runneractivewarn
data-backfilldata-engwarehouse, s3idleok
vendor-scrapergrowthhttp, browserdegradeddeny
$ lexicor watch --inventory watching 5 agents · policies P-041…P-118 loaded
vendor-scraper → tool.call http.post prod-db.internal/write
✗ BLOCKED by P-114 · grant is {http, browser}, not prod-db · decided in-path
trust(ven
!
vendor-scraper blocked: write to prod-db outside grant
policy P-114 · decided in-path
✓ ARCHIVED — WRITTEN TO THE ENFORCEMENT LOG AS EVIDENCE
PRIVILEGE POSTURE REPRICED
03Control plane — policy as code
For governance authors: write the rule once — who it applies to, what the grant is, what happens on violation. Fail-closed by default; a deny is the policy you declared, not an ad-hoc exception.
lexicor — control plane / policiesLIVE
policies · 3 of 12team: all
P-041 · grant-registrationpayments / billing-reconcilerALLOW
P-114 · deny-out-of-grantgrowth / vendor-scraperDENY
P-118 · semantic-equivalenceall teams / all agentsGATE
P-114 · deny-out-of-grant · v3
appliesteam:growth · agent:vendor-scraper
grant{http, browser} — prod-db not granted
violationprod-db.write ∉ tool grant
onViolationblock · reprice trust · notify #sec-agents
defaultfail-closed
04Operator console — see and act
For on-call and fleet operators: live status next to the controls. When an agent degrades or a deny fires, pause or narrow scope here without leaving the console.
lexicor — operator console / overviewLIVE
vendor-scrapergrowth · trust: deny · privileges narrowedDEGRADED
support-triagecx · trust: ok · grant intactACTIVE
code-review-botplatform · trust: warn · read-onlyACTIVE
intervention: pause + narrow scope · awaiting sign-off
05Audit evidence — records you can hand over
For compliance and audit: each ALLOW and DENY is a tamper-evident, portable record at decision time. Select an event, seal integrity, export a bundle a counterparty can verify.
lexicor — audit / evidenceVERIFIED
evidence · newest firstretention: 7 years
vendor-scraper → prod-db.writepolicy P-114 · blocked before executionDENY
support-triage → zendesk.replypolicy P-041 · semantic check passedALLOW
code-review-bot · privileges narrowedauto-remediation · operator sign-offREMEDIATE
evidence record · evt_8f21
agentvendor-scraper (growth)
attemptedprod-db.write — outside tool grant
dispositionDENY · fail-closed · in-path
policyP-114 · deny-out-of-grant · v3
integritysealed packet · checksum ✓
exportportable bundle — verify anywhere
fail-closedgovernableportableevidence-gradePatent Pending

The machinery under these windows — encoding, policy gates, and checkable evidence — is on the technology walkthrough →