Agents

Veriva tracks who shipped a PR, not just what the PR contains. Every agent your team uses — Claude Code, Cursor, Copilot, Devin, plus any custom internal tooling — gets an identity row, a trust score, and a track record. Your merge policy can gate per-agent.

Why agent identity

When five agents are committing to the same repo, "the diff looks fine" isn't enough. The same diff from a high-trust agent with a clean revert history is a different risk profile than the same diff from an agent that's introduced three reverts this month.

Agent types

The built-in AgentType enum:

HUMAN — fallback when no agent marker is detected
CLAUDE_CODE
CURSOR
COPILOT
WINDSURF
DEVIN
OTHER — registered custom agents

Detection

Veriva detects agent identity in this order on every webhook delivery:

The x-veriva-agent-id header on the webhook delivery (if your CI proxies through us). Resolves to an AgentIdentity row by token.
Commit trailers — Co-Authored-By: claude-code <...> and equivalents for other agents.
PR body markers — agent CLIs that drop a recognizable signature in the PR description.
Falls back to HUMAN if nothing matches.

Registering an agent

Auto-detected agents (CLAUDE_CODE, CURSOR, etc.) appear automatically the first time they ship a PR. To register a custom internal agent or force a specific identity:

Go to Settings → Agents → New agent.
Pick the agent type, give it a label, click create.
Copy the token. Send it as the x-veriva-agent-id header when your tool calls our API or as a commit trailer Veriva-Agent-Id: <token>.

Tokens are secrets

Agent tokens identify the agent but don't carry permissions on their own — your merge policy decides what each agent can do. Still, leaking a token lets someone impersonate that agent in your PRs. Rotate if exposed.

Trust score

Each AgentIdentity carries a trust score from 0–100, starting at 50. The post-merge outcome loop updates it after every merge:

Clean merge (no revert in 14 days): score nudges up
Reverted merge: score drops sharply
Incident-linked merge: score drops harder

The score feeds into Deep Audit triggering — agents below the threshold get Deep Audit on every PR, not just CRITICAL ones. The score and full history are visible per-agent on the agents dashboard.

Agent rules in policy

Your merge policy carries an agentRules list. See Merge Policy → Agent rules.

agentRules:
  - agentType: DEVIN
    action: require-human
  - agentType: COPILOT
    action: block

Agent fleet dashboard

Settings → Agents shows every agent identity in your org with: label, type, current trust score, PRs total / clean / reverted, last-seen timestamp, and a per-agent finding hotlist.

Drill into any agent to see PR history, outcome stats, applicable agent rules, and a token-revoke button.

Hooks

Models

Detection

Veriva detects agent identity in this order on every webhook delivery:

The x-veriva-agent-id header on the webhook delivery (if your CI proxies through us). Resolves to an AgentIdentity row by token.

Commit trailers — Co-Authored-By: claude-code <...> and equivalents for other agents.

PR body markers — agent CLIs that drop a recognizable signature in the PR description.

Falls back to HUMAN if nothing matches.

Registering an agent

Auto-detected agents (CLAUDE_CODE, CURSOR, etc.) appear automatically the first time they ship a PR. To register a custom internal agent or force a specific identity:

Go to Settings → Agents → New agent.

Pick the agent type, give it a label, click create.

Copy the token. Send it as the x-veriva-agent-id header when your tool calls our API or as a commit trailer Veriva-Agent-Id: <token>.