Useful, reviewable, and usually not the control problem.
Action-path lab
See how a normal AI-assisted PR becomes a release-token path.
Start with a normal-looking PR, then trace the path from AI tool to release.yml, NPM_TOKEN, and package publish. At the end, export an Agent Action BOM, JSON action path, and evidence packet as a receipt.
Now the path can influence the workflow that runs somewhere else.
That is where code assistance can become package-publish reach.
The question becomes who approved the release-token path, not just the PR.
What does this lab export? A simulated Agent Action BOM, JSON action path, and evidence packet showing how normal AI-assisted software delivery can move through repos, CI/CD, tools, credentials, targets, approvals, and evidence gaps. It does not access your repo or upload source.
Trace status
Choose one workflow. The graph will show where credential reach appears.
01 Workflow
02 AI tool
03 Reach
04 Evidence
Step 1
Pick a workflow to trace
Start with the path your team might already trust because it begins as ordinary engineering work.
Step 2
Label the AI tool
This personalizes the simulated graph and BOM. The capabilities below determine the action path.
Step 3
What can this workflow reach?
Prechecked items are the default assumptions for this scenario. Toggle them to match your workflow.
Workflow trace
Credentialed CI/CD path
Active path
Review boundary
Credentialed action
Not selected
Next step
Map the same action path in one real workflow.
The simulation uses the same object Clyra maps in real workflows: actor, credential, action, target, approval, and evidence. Bring one PR, workflow file, agent instruction file, MCP config, package script, or release path to map the action boundary, owner, credential scope, approval point, and evidence trail without uploading source to start.