Use case — regulated environments

AI coding agents for
financial services.

Regulated and air-gapped teams cannot ship code to a vendor's cloud. Maestro runs Claude Code entirely on your infrastructure, with your key, and turns its security features into governance controls you can point an auditor at.

The blocker for AI coding agents in financial services is rarely capability — it is control. Where the code runs, what leaves the estate, who authorised each action, and whether the tool keeps working when the network does not. Maestro is bring-your-own-key and local by design, so the same answers apply whether you run it on a developer laptop or inside an air-gapped estate.

Governance controls

Security features, read as trust signals

BYOK and data residency

Maestro is a Python CLI that runs on your own machines with your own Anthropic API key. There is no Maestro server in the request path, so source code never crosses the network to us. The only outbound calls are to api.anthropic.com under your key, optionally api.github.com for Git operations a crew requests, and a periodic licence check.

A restrictive data-residency mode pins egress to an operator-defined allowlist, so you can prove exactly which hosts the framework is permitted to reach. Workspace state — orders, plans, reports, the audit log — lives in .mso/ on local disk and is never uploaded.

Offline, soft-fail licensing for air-gapped estates

Air-gapped mode (dataResidency.mode: air-gapped) refuses every outbound HTTP request except localhost. Licence validation carries a 14-day offline grace period and soft-fails rather than hard-stopping, so a disconnected estate keeps operating between revalidations instead of going dark at the moment the network is unavailable.

Claude inference still needs to reach an Anthropic endpoint, so a fully offline deployment pairs Maestro with a local or on-premises model proxy on your allowlist.

Secret detection as a governance control

Before any file write, a pretool scanner blocks AWS access keys, GitHub personal access tokens, OpenAI and Anthropic keys, Slack tokens, JWTs, and RSA private keys. Detection is fail-closed: the write is refused and the crew is notified, so a credential cannot reach a commit in the first place. This turns leak prevention into an enforced control rather than a code-review hope.

OWASP / CWE scanning between roles

A posttool scanner checks code against OWASP and CWE patterns — SQL injection (CWE-89), cross-site scripting (CWE-79), path traversal (CWE-22), hardcoded credentials (CWE-798), and weak cryptography among them. Findings are written to .mso/reports/security/, and the Releaser refuses to merge while any unresolved CRITICAL or HIGH remains. Security review is a gate in the workflow, not a CI afterthought.

MCP registry — supply-chain control

Every Model Context Protocol server is classified with an explicit risk level before any crew may use it. Crews can only reach servers on the approved registry, which contains the blast radius of a compromised or unvetted MCP server — a governance requirement when third-party tooling touches your codebase.

Audit trail

Maestro maintains a hash-chained audit log of privileged lifecycle actions. On the Enterprise tier the log can be externally anchored to a customer-provided store — S3 Object Lock or Azure Immutable Blob — for tamper-evident records that satisfy retention and evidence requirements.

Bring the evidence, not the code.

The Trust page lays out exactly what data crosses which boundary and how to verify it. For SSO, SLA, custom MCP allowlists, and security-review support, talk to us about the Enterprise tier.