Daemon API
Use the daemon and verifier APIs from agent code. Direct language SDKs are still roadmap work.
liveAuthorization for Company Brains.
The authorization layer for company brains.
X login skips ~50 spots.
0 requests 0% allowed 0 live
the gap
Company context doesn't know who's asking.
bob alice eve codex intern
One policy. Two identities. Two outcomes.
Real output of `pactd proxy` running against a sensitivity-tagged MCP backend. Same tool, same policy file, two callers — the audit row tells the difference.
$ ./pactd proxy --upstream "./pactd mcp" \ --policy ~/.pact/policy.yaml # junior asks: > tools/call gbrain.read_board {"q":"Q4 fundraise"} pactd: caller=bob@acme.com role=junior tool=gbrain.read_board required_tier=board tier denied (junior tiers: [public]) audit row appended sha256=0x9f4c… → error: tier denied # exec asks the same thing: > tools/call gbrain.read_board {"q":"Q4 fundraise"} pactd: caller=alice@acme.com role=exec tool=gbrain.read_board required_tier=board tiers ok (exec tiers: [public, internal, confidential, board]) forwarding to upstream audit row appended sha256=0xa1b2… → result: 12 entries
Four surfaces. One install.
MCP server
Exposes Pact as MCP tools through the local daemon. One config block in Claude Code, Cursor, or Claude Desktop.
liveDaemon
Runs locally per user. Holds OIDC tokens, signs envelopes, mints capabilities. The trust artifact every other surface verifies against.
liveVerifier
Drop in front of any HTTP or MCP backend. Validates daemon-minted bearers against a JWKS. Customer keeps the policy; Pact handles the proofs.
livego install github.com/getpact/pact/cmd/pactd@latest
git clone https://github.com/getpact/pact && cd pact ./examples/run-demo.sh --no-dashboard