> ## Documentation Index
> Fetch the complete documentation index at: https://docs.devctrl.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> Devctrl is a policy and governance layer for AI agents. Control what your agents can do, when they can do it, and audit every action.

Devctrl is a gateway that sits between your AI agents and your MCP servers. It enforces policies on every request — so agents only access what they need, when they need it.

<CardGroup cols={3}>
  <Card title="Compliance" icon="shield-check">
    Meet EU AI Act, GDPR, and SOC2 requirements with full audit trails and policy enforcement on every agent action.
  </Card>

  <Card title="Efficiency" icon="bolt">
    Let agents operate more autonomously. Granular policies replace manual human-in-the-loop approvals.
  </Card>

  <Card title="Governance" icon="building">
    Central policy management across all your agents. One place to define, version, and enforce rules.
  </Card>
</CardGroup>

## The problem

AI agents today are treated like human users. They get role-based access — broad permissions tied to an identity. A support agent with a "Support" role can access all customer data, even when it only needs one customer's record to resolve a ticket.

This creates three risks:

* **Over-provisioned access** — agents can reach data and tools far beyond what their current task requires
* **No audit trail** — you can't prove which agent accessed what, when, or why
* **Policy gaps** — compliance rules are hardcoded per agent, making them expensive to maintain and easy to break

## The solution

Devctrl introduces **Task-Based Access Control (TBAC)**. Instead of asking "who is this agent?", Devctrl asks "what is this agent trying to do?"

Permissions are:

* **Scoped to the current task** — not the agent's role
* **Granted just-in-time** — temporary tokens that expire when the task is done
* **Enforced on every call** — the gateway evaluates policies before routing to upstream tools
* **Fully audited** — every allow and deny decision is logged with complete context

## How it works

Every request from an AI agent flows through the Devctrl gateway before reaching your tools.

<Steps>
  <Step title="Register MCP servers">
    Connect your upstream MCP servers supporting **Streamable HTTP** transport.
  </Step>

  <Step title="Create identities">
    Create an identity for each agent. Assign labels and credentials.
  </Step>

  <Step title="Define tasks (Optional)">
    Define the tasks your agents perform. Each task has a context schema that describes what information it carries.
  </Step>

  <Step title="Attach policies (Optional)">
    Write CEL-based policy rules that define conditions for allowing or denying tool calls.
  </Step>

  <Step title="Execute with token">
    Agents authenticate with a bearer token and an optional task token. The gateway enforces policies on every tool call and logs the result.
  </Step>
</Steps>

## Next steps

<CardGroup cols={2}>
  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Go from zero to your first policy-enforced tool call in 15 minutes.
  </Card>

  <Card title="How it works" icon="diagram-project" href="/how-it-works">
    See the full architecture — how agents, the gateway, and your tools connect.
  </Card>
</CardGroup>
