## Deployment models

| Model | Control plane | Ingress |
|---|---|---|
| SaaS | app.blekline.com | MCP stdio + /api/ingress/v1/* |
| Private tenant | Customer subdomain or VPC | Same API surface, customer data residency |
| Sidecar | Daytona / k8s pod | packages/ingress-proxy Docker image |
## SSO roadmap (SAML/OIDC)

Enterprise workspaces integrate the IdP at the dashboard layer (NextAuth-compatible OIDC today). Planned SAML attribute mappings:

- `email` → workspace membership mapping
- `groups` → role (owner/admin/member)
- `tenant_id` → workspace isolation
Until SAML ships, use:

- Google / LinkedIn OAuth for pilot tenants
- Workspace API tokens for agents (`mask:write`, `events:write`)
- SCIM-style roster via `/api/workspace/roster` (existing)
## Policy push

Fleet sensors subscribe to `GET /api/workspace/policy-stream` (SSE). On policy events, refresh the local allow/deny caches for the MCP proxy and ingress sidecars.
## Hardening checklist

- Rotate workspace API tokens quarterly
- Set an MCP tool denylist for destructive tools (`rm`, `drop_database`, etc.)
- Enable ingress block mode (`BLEKLINE_INGRESS_BLOCK_HIGH_RISK=true`)
- Export audit logs to SIEM (`/api/integrations/siem`)
- Run Cursor model matrix QA (`demo/cursor/model-matrix.md`)
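The policy-push flow above and the denylist / block-mode items in this checklist share one mechanism on the sensor side: parse policy events, swap the local allow/deny caches, and consult them on every MCP tool call or ingress request. The following is an added example (not Blekline's own sensor or proxy code) of that loop in Node.js. The SSE event name `policy`, the JSON payload shape `{version, allow, deny}`, and the "log instead of block when the flag is unset" behaviour are assumptions for illustration; the sample stream is constructed.

```javascript
// Added example, not part of the Blekline project: a minimal fleet-sensor
// policy consumer. It parses SSE frames as served by
// GET /api/workspace/policy-stream, atomically refreshes a local allow/deny
// cache, and evaluates MCP tool calls and ingress requests against it.
// Assumed (not from the docs): event name "policy", payload {version, allow, deny}.

// Parse raw SSE text into frames of {event, data, id}. Frames are separated by
// a blank line; each line is "field: value"; lines starting with ":" are comments.
function parseSse(text) {
  const frames = [];
  for (const chunk of text.split(/\r?\n\r?\n/)) {
    if (!chunk.trim()) continue;
    const frame = { event: "message", data: [], id: null };
    for (const line of chunk.split(/\r?\n/)) {
      if (line.startsWith(":")) continue; // keep-alive comment, no payload
      const idx = line.indexOf(":");
      const field = idx === -1 ? line : line.slice(0, idx);
      let value = idx === -1 ? "" : line.slice(idx + 1);
      if (value.startsWith(" ")) value = value.slice(1); // SSE strips one leading space
      if (field === "event") frame.event = value;
      else if (field === "data") frame.data.push(value); // multi-line data joins with "\n"
      else if (field === "id") frame.id = value;
    }
    frames.push({ ...frame, data: frame.data.join("\n") });
  }
  return frames;
}

// Apply a policy event to the cache. Heartbeats and stale versions are ignored;
// allow/deny are replaced as whole sets so a call never sees a half-updated view.
function applyPolicyEvent(frame, cache) {
  if (frame.event !== "policy") return false;
  const body = JSON.parse(frame.data);
  if (typeof body.version === "number" && body.version <= cache.version) return false;
  cache.allow = new Set(body.allow ?? []);
  cache.deny = new Set(body.deny ?? []);
  cache.version = body.version ?? cache.version + 1;
  return true;
}

// MCP proxy decision: deny wins over allow, and anything not explicitly
// allowed is refused (default-deny), so a destructive tool is never forwarded
// just because the denylist missed it.
function decideToolCall(toolName, cache) {
  if (cache.deny.has(toolName)) return "deny";
  if (cache.allow.has(toolName)) return "allow";
  return "deny";
}

// Ingress sidecar decision for a request already scored by risk. With
// BLEKLINE_INGRESS_BLOCK_HIGH_RISK=true, high-risk requests are blocked;
// otherwise (assumed here) they are only logged, which is monitor mode.
function ingressDecision(riskLevel, env) {
  if (riskLevel !== "high") return "allow";
  return env.BLEKLINE_INGRESS_BLOCK_HIGH_RISK === "true" ? "block" : "log";
}

// Constructed sample stream: a keep-alive comment, a heartbeat, then a policy push.
const SAMPLE_STREAM = [
  ": keep-alive",
  "",
  "event: heartbeat",
  "data: {}",
  "",
  "id: 42",
  "event: policy",
  'data: {"version": 7, "allow": ["read_file", "search"],',
  'data:  "deny": ["rm", "drop_database"]}',
  "",
].join("\n");

// Run the sample through the sensor loop and return the observable results.
function demo() {
  const cache = { allow: new Set(), deny: new Set(), version: 0 };
  const applied = parseSse(SAMPLE_STREAM).map((f) => applyPolicyEvent(f, cache));
  return {
    applied,                                   // [false, false, true]
    version: cache.version,                    // 7
    rm: decideToolCall("rm", cache),           // "deny"
    read: decideToolCall("read_file", cache),  // "allow"
    unknown: decideToolCall("curl", cache),    // "deny" (not on the allowlist)
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

In a real sensor the stream would be fetched with the workspace API token and the `id` field replayed via `Last-Event-ID` on reconnect, so a sidecar that drops its connection does not keep serving a policy older than the one the control plane already pushed.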
## Support

Enterprise leads: `/api/enterprise/lead` or sales@blekline.com.