Codokey Protocol v1.0 · Print-ready reference brief
Codokey Reference Brief

Codokey Protocol

Version: 1.0
Date: 2026-06-01
Status: Reference Model
Scope: How AI Code Access Governance is operationalized (six layers)
Reference model document — not a formal certification, audit, or product specification. Vendor-agnostic. Applies to Copilot, Cursor, Claude Code, and future agents.

Overview

When AI can write, modify, and deploy code, the most valuable layer is no longer the code alone. It is the key that governs what the code can access, expose, change, and release.

Layer 01 — Code Origin

Provenance Layer. Who authored this code? Human, AI, or hybrid authorship determines review obligation before merge.

Layer 02 — Key Exposure

Secrets Layer. Does code touch secrets, tokens, credentials, or signing keys? Secret classes: API keys, access tokens, SSH keys, signing keys, environment variables, cloud credentials, database credentials, Git tokens.

Layer 03 — Agent Authority

Permission Layer. What is the agent permitted to read, change, or execute? Agent classes: suggestion, code review, task, MCP-connected, autonomous.

Layer 04 — Review Boundary

Human Gate Layer. Where must a human intervene before code proceeds? Minimum accountability structure for AI-generated changes.

Layer 05 — Deployment Control

Authority Layer. Can code reach production? No agent deploys without a human authorization gate.

Layer 06 — Audit Memory

Accountability Layer. Can you reconstruct what happened, who authorized it, and what was exposed?

Forbidden Zones

  • Production secrets accessible to agent
  • Organization-wide scope for single-repo task
  • Unsupervised production deployment

Governance Scorecard: 32 checks across six layers. Grades C → A+. Self-assessment reference — not certification.

Codokey.com · AI Code Access Governance · inquiry@codokey.com
Canonical web reference: https://codokey.com/protocol/