Stacktic AI Governance

Governance Controls

Topology = Governance

Draw links → tools generated

auto-enforced

Credential Scoping

AI never sees raw passwords

{variable} resolved

Write-Access Gating

Per-service boolean flags

read-only default

Tool Boundaries

Typed params, no kubectl

scoped per link

Multi-Stack Isolation

Per-stack MCP + credentials

is_external boundary

Security Model

SOPS Encrypted Secrets

cloud.env → K8s Secret

APISIX Gateway Auth

key-auth + TLS termination

MCP Bearer Token

Authorization: Bearer <key>

Audit Trail

JSON-RPC method + params + ts

AI Governance Flow

AI Capabilities

Topology Query 7 tools

Prometheus 7 tools

Grafana 6 tools

Loki Logs 5 tools

Databases 15+ tools

ArgoCD 6 tools

AI Playbooks 6 prompts

query_topology run_test prom_query loki_query ch_query cnpg_query

Metadata Feed

{
  "source": "type:kafka",
  "target": "sub_components",
  "command": "kubectl -n {namespace}",
  "dry_run": true
}

{namespace} {password} {database} {host} {port}

Stack Awareness

Components + Links

Sub-components

Attributes + Config

Cross-stack Boundaries