Skip to content
TapPass Internal

Start here

If you're reading this, you've been given access via Cloudflare — which means you work at TapPass or are contracted to us.

What TapPass actually is

Section titled “What TapPass actually is”

A governance and observability layer for AI agents. Enterprises install TapPass between their agents and their LLM providers so every call is policy-checked, logged, and auditable. Customers pay us to stop their agents from leaking PII, exfiltrating secrets, or burning through a budget.

Who does what

Section titled “Who does what”
TeamOwns
Engineeringtappass/ core server, SDKs, pipeline steps, OPA policies
FrontendAdmin dashboard (React + Tailwind + Radix)
Ops / SRECloud Run, Cloudflare Pages, Postgres, SPIRE
SecurityDetection backends, audit integrity, SPIFFE, incident response
GTMPricing, customer onboarding, support, OEM deals

Learning path

Section titled “Learning path”

Read these in order. Each builds on the last. Skip the detour links on first pass and come back to them.

Day 1 — the mental model

Section titled “Day 1 — the mental model”
  1. Architecture overview — the one-sentence summary, the three planes, the request lifecycle.
  2. Domain objects — canonical glossary of Agent, Pipeline, Decision, Mandate, AuditEvent, and friends. If you can't name the five first-class citizens in one sentence each, you can't read the codebase yet.
  3. Key flows — three real traces (LLM call, policy change, audit export) that stitch the domain objects together. Sequence diagrams + payload shapes.
  4. Codebase tour — 30 minutes reading four specific files in order.
  5. Hooks — how Claude Code / Cursor / Windsurf plug in via POST /hooks, plus the three internal phase hooks.
  6. Pipeline step anatomy — how to write and wire a new governance step.

Day 2 — the physical stack

Section titled “Day 2 — the physical stack”
  1. Data model — which Postgres tables actually matter.
  2. Deployment architecture — the runtime topology (Cloudflare → Cloud Run → VPC → Cloud SQL + KMS
    • Secret Manager). What breaks if each piece goes down.
  3. Frontend architecture — only if you'll touch the dashboard.

Day 3 — security + ops

Section titled “Day 3 — security + ops”
  1. Security architecture — trust zones, identity flow, fail-closed boundaries, encryption at rest.
  2. Operations → Deployments — how code gets from git push to prod.
  3. Runbooks — skim all ten; you'll run at least two in your first month.

Onboarding practicalities

Section titled “Onboarding practicalities”