Inspiration
AI agents are increasingly being used to automate critical engineering workflows — but the way they authenticate today is fundamentally broken. Most agents rely on hardcoded API keys embedded directly in code repositories, shared service accounts with no accountability, and blanket permissions that violate the principle of least privilege. There's no audit trail, no per-user scoping, and no way to revoke access quickly when credentials are compromised.
We wanted to build something that demonstrates what secure AI agent architecture actually looks like in practice — using Auth0 as the identity backbone.
What it does
DevGuard is a secure CI/CD monitoring agent that uses Auth0 Token Vault to eliminate hardcoded credentials from AI agent workflows entirely.
Here's how it works:
- Query CI Status — Ask DevGuard to check recent pipeline failures across your monitored repositories.
- Identify Issues — The LangGraph agent queries the GitHub Actions API to find failing workflows and extracts error context using Claude Haiku.
- Create Tracking — Automatically opens a GitHub issue with detailed failure analysis, stack trace review, and suggested reproduction steps.
- Notify Team — Sends a formatted Slack alert to your development channel with urgency level and assignee.
Every action is executed under the identity of the authenticated user — no shared accounts, no secrets in code.
How we built it
DevGuard is built on a layered security architecture:
- Auth0 Universal Login authenticates engineers with MFA support before any agent action occurs.
- Auth0 Token Vault stores encrypted OAuth tokens bound to the user session. At runtime, the LangGraph agent retrieves tokens from the Vault — they are never stored in code, config files, or environment variables.
- LangGraph.js powers the stateful agent workflow, maintaining context across multi-step CI analysis tasks.
- GitHub REST API is used to query repositories, read workflow run logs, and open issues.
- Slack API (chat.postMessage) delivers real-time notifications to the team channel.
- Claude Haiku (Anthropic) analyzes error messages and generates actionable fix suggestions.
- Next.js serves the frontend UI with server components and API routes.
The key architectural insight: instead of the agent holding credentials, it requests them at execution time from an identity-aware vault. This means access is always tied to a real authenticated session and can be revoked instantly from the Auth0 dashboard.
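The request-at-execution-time pattern described above, as an added sketch that is not DevGuard's own code. `SessionVault`, `makeTool`, `runSteps` and `demo` are hypothetical names, the vault is an in-memory stand-in rather than Auth0's API, and the API calls are stubbed so the effect of a mid-run revocation is visible.

```javascript
// Hypothetical in-memory stand-in for an identity-aware vault (not Auth0's API).
class SessionVault {
  #grants = new Map(); // sessionId -> { user, tokens: { provider: token } }
  audit = [];          // one entry per credential request, allowed or denied

  open(sessionId, user, tokens) { this.#grants.set(sessionId, { user, tokens }); }
  revoke(sessionId) { this.#grants.delete(sessionId); }

  // Called by a tool at execution time; callers must not cache the result.
  getToken(sessionId, provider, action) {
    const grant = this.#grants.get(sessionId);
    const token = grant ? grant.tokens[provider] : undefined;
    this.audit.push({ user: grant ? grant.user : null, provider, action, ok: Boolean(token) });
    if (!token) throw new Error(`no ${provider} grant for session ${sessionId}`);
    return token;
  }
}

// Wrap an API call so the credential exists only for the duration of the call.
const makeTool = (vault, provider, action, call) => (state) =>
  call(vault.getToken(state.sessionId, provider, action), state);

// Agent state carries the session id (identity), never a credential.
function runSteps(state, steps) {
  const results = [];
  for (const [name, tool] of steps) {
    try {
      results.push({ name, ok: true, out: tool(state) });
    } catch (err) {
      results.push({ name, ok: false, out: err.message });
      break; // stop the workflow once access is gone
    }
  }
  return results;
}

// Constructed scenario: the session is revoked right after the issue is opened.
function demo() {
  const vault = new SessionVault();
  vault.open("sess-1", "alice@example.com", { github: "gh-constructed", slack: "sl-constructed" });
  const state = { sessionId: "sess-1" };
  const steps = [
    ["ci-status", makeTool(vault, "github", "list-runs", (t) => `runs via ${t.slice(0, 2)}`)],
    ["open-issue", makeTool(vault, "github", "create-issue", () => { vault.revoke("sess-1"); return "issue opened"; })],
    ["notify", makeTool(vault, "slack", "chat.postMessage", () => "sent")],
  ];
  return { results: runSteps(state, steps), audit: vault.audit, state };
}
```

Because each step asks the vault again, the Slack step fails as soon as the session is revoked, and the audit list records every request, including the denied one.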
Challenges we ran into
- Token Vault integration — Binding agent execution to a user session rather than a static service account required rethinking the agent's request lifecycle. The agent cannot "pre-load" credentials; it must retrieve them on demand.
- LangGraph state management — Keeping the agent context-aware across multiple tool calls (GitHub → issue creation → Slack) without losing the user identity thread was non-trivial.
- GitHub Actions log parsing — Extracting meaningful error context from raw workflow logs and passing them to Claude Haiku in a way that produces useful, actionable suggestions took significant prompt iteration.
What we learned
- Auth0 Token Vault is an underutilized primitive for securing AI agent workflows — it should be the default, not an afterthought.
- The zero-secrets pattern (runtime retrieval instead of static storage) is achievable today without sacrificing agent performance.
- AI agents touching production systems need identity, not just capability. Every action must be attributable to a real user or revocable session.
What's next for DevGuard
DevGuard is a deployable blueprint, not just a demo. We see it expanding to:
- Support for GitLab CI and CircleCI pipelines
- Multi-agent workflows with scoped per-agent OAuth permissions
- SOC 2 / compliance reporting mode with exportable audit logs
- Integration with PagerDuty and Linear for broader incident management
🔧 Built With
Auth0 · Auth0 Token Vault · LangGraph.js · Next.js · GitHub API · Slack API · Claude Haiku (Anthropic) · Node.js · React · Vercel