Trust & security
Trust, by design.
Bridge generates solutions that carry skills, hooks, and MCP servers — code that runs on other people's machines. That only works if you can trust what ships. Here is exactly how the safety is built in, and where its limits are.
The autonomy dial
You set how much runs on its own
The human review gate isn't a fixed ceiling — it's a level you set per project. Some work needs a person at every step; some can run start to finish on its own. What doesn't change is the set of safeguards underneath — they hold in every mode.
- Run a workflow fully autonomously, or apply gates: place a human review exactly where the work needs one — at deploy, at every phase, or wherever — to approve, edit, or send back.
- The independent security pass runs on every build, in every mode. It never depends on whether a person is watching.
- Agents write to external systems only through an allowlist you control, and every decision leaves an auditable receipt — so an autonomous run is still a run you can fully account for.
The security pass
What the Reviewer checks
Independent research keeps finding the same thing: a large share of AI-generated code ships with security flaws, and AI-assisted commits leak secrets at roughly twice the human rate. (Veracode, 2025 GenAI Code Security Report; GitGuardian, State of Secrets Sprawl 2026.) Generation speed isn't the problem — unreviewed output is. So the Reviewer agent runs a pass on every build before it ships, no matter the autonomy level:
- The bundle is valid against the plugin schema — every required file, no broken frontmatter.
- Hooks and MCP servers are reviewed, because they run on other people's machines.
- Hardcoded secrets and credentials are flagged before they can leak.
- Naming and token-budget conventions are enforced so the plugin behaves once it's installed.
- Tautological, contradictory, or unverifiable review rules are caught and rejected.
In a gated run the Reviewer doesn't replace your judgment — it surfaces what to look at so your review is faster and sharper, and the final call is yours. In an autonomous run, the same checks are what gate whether the result ships.
Your words, and where they go
What leaves the building
Bridge runs on Claude Managed Agents. The text you send is the plain-language description of a workflow — not client deliverables, not regulated data. Keep it that way: describe the shape of the work, not the confidential contents of an engagement.
Managed Agents is a public beta. It is not certified for zero-data-retention or HIPAA workloads, which is acceptable here precisely because the inputs are design descriptions rather than sensitive client data. For the high-value solutions that touch real deliverables — status decks, SOWs — the confidentiality firewall and deterministic pricing live inside the generated solution, not in Bridge's prompts.
Workspaces & isolation
Each team's work, kept separate
Every team works inside its own workspace, and one workspace can't see another's work. Scoping runs on every read and write at the application layer, and Postgres row-level security enforces the same boundary at the database — defense in depth, so a single missed filter can't cross workspaces.
That isolation is live and verified on Neon: a query with no workspace context sees nothing, and a scoped query sees only its own workspace's work. For enterprise or regulated workspaces that require physical separation and data residency, a dedicated-database tier — the same product on isolated infrastructure — is in design. We mark it Coming on the capabilities page rather than imply it ships today.
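The database-level boundary described above, sketched as an added example (not Bridge's own schema or policy). The table work_items, the role app_user and the setting app.workspace_id are assumed names, and the UUIDs are constructed.

```sql
-- Added illustration; work_items, app_user and app.workspace_id are assumed names.
CREATE TABLE work_items (
    workspace_id uuid NOT NULL,
    title        text NOT NULL
);

ALTER TABLE work_items ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy bind the table owner too (superusers and
-- BYPASSRLS roles are still exempt, so the app must not connect as one).
ALTER TABLE work_items FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the setting was never set and
-- '' after an earlier SET LOCAL has expired; NULLIF folds both to NULL, so the
-- comparison is NULL and RLS treats the row as not visible (fail closed).
CREATE POLICY workspace_isolation ON work_items
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON work_items TO app_user;

-- Scoped transaction: SET LOCAL ends with the transaction, so the context
-- cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed
INSERT INTO work_items VALUES ('11111111-1111-1111-1111-111111111111', 'own row');
SELECT title FROM work_items;   -- filtered to this workspace by the policy
COMMIT;

-- Missed filter: same role, no workspace context set in this transaction.
BEGIN;
SET LOCAL ROLE app_user;
SELECT title FROM work_items;   -- policy predicate is NULL for every row
COMMIT;

-- Cross-workspace write: the row's workspace_id differs from the context,
-- so WITH CHECK rejects the INSERT with a row-level security violation.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO work_items VALUES ('22222222-2222-2222-2222-222222222222', 'foreign row');
ROLLBACK;
```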
Who can do what
Access scoped to a role
Inside a workspace, access is scoped to a role. A viewer reads; a member creates and runs work; an admin manages people and invites; an owner controls the workspace. Above all of them sits a Bridge platform operator — deliberately separate, so the people who run the platform are never conflated with the people who own a tenant.
Sign-in today is your work email plus a passcode; on a trusted network the email alone is enough. It is a deliberately scoped gate, and we're honest about its assurance level rather than dressing it up as something it isn't. Identity-provider SSO is not part of the product today — when it is, it will be marked plainly like everything else.
The org record
Knowledge stays grounded, and guesses say so
The knowledge base is the record an agent reads to act on your behalf — so what it claims has to be checkable, not confidently invented. Every statement traces to a source, and where the agent is only guessing, the page says so in plain words rather than dressing it up.
- Every entry grounds in a checkable citation — a repo path and SHA, a URL and locator, or an interview turn. When the agent drafts something it can't source, it's labeled unverified, never presented as fact.
- Generated entries land as DRAFT and wait behind a human confirm gate — a person promotes them to confirmed, so nothing the agent wrote enters the record on its own.
- The agent's own knowledge-base tools are read-only. It can search and read the record; it has no tool to write to it.
- An immutable, append-only ledger records every change — who, when, why, and from what source — so provenance is never overwritten.
What's live here versus still in beta — the AI interviewer that elicits tribal knowledge is marked Beta — is laid out on the capabilities page.
Market signals
Signals recommend — they never publish
Signals watches your market and turns moves into pre-framed, buildable recommendations. A recommendation is exactly that: a suggestion that waits for you. Nothing it surfaces ships on its own.
- A signal arrives with a suggested build the agent drafted alongside it. It recommends — it never auto-publishes, never starts a build, and never writes anywhere on its own.
- If you choose to act on one, the resulting build runs through the same safeguards as any other — the security pass on every build, and the human gate wherever you've set one. A recommendation doesn't skip the keystone.
Signals is live; the honest account of its status sits alongside everything else on the capabilities page.
The honest limits
What Bridge does not claim
Bridge tells you what it can do and marks it plainly. Both ways of running a workflow — applying gates wherever you want a person, or running fully autonomously from plain language to a shipped production build — are live. Where something genuinely isn't ready yet, we badge it Coming rather than imply it's done. The honest account of what's live, beta, and coming lives on the capabilities page.
Parts of the stack it depends on are themselves in beta, and their behavior can shift. We re-verify those before relying on them, and we keep the marketing and the product inside the same honest claim — trust is the whole currency, so we'd rather under-promise.
See it for yourself — every step is in full view.
The best way to trust the pipeline is to watch it work. Sign in and run one.