Use Cases

Built for teams who ship fast
and sleep at night

From AI coding agents to DevOps pipelines to enterprise compliance — expacti puts a human in the loop for every action that matters.

AI Coding Agents
Claude, Copilot, Codex, and LangChain agents are great at writing code. They need a human referee before they touch anything real.
"The agent was asked to fix a broken migration. It fixed it, then decided the schema needed cleanup, dropped three columns it thought were unused, and triggered a 3 AM incident. The columns were in use."
The problem

Agents optimise for the task they were given, not the system they're operating in. They have no instinct for scope, reversibility, or consequence.

The fix

Every shell command, file write, or API call the agent makes goes through expacti. The agent blocks until a human approves or denies — then execution proceeds.

Whitelist learning

After a few runs, routine commands are whitelisted. You only see novel, unexpected, or high-risk actions — the ones that actually need a human eye.

Full audit trail

Every command, every decision, timestamped and immutable. When something goes wrong, you know exactly what the agent did and who approved it.

How it works with LangChain / Vercel AI
1. Agent submits command
   The agent calls its shell tool. expacti intercepts before any execution.
   $ sed -i 's/old_column/new_name/g' migrations/*.sql
2. Reviewer gets notified
   Browser notification, Slack message, or mobile push. Risk score: High (72/100) — file modification, glob pattern.
3. Human decides
   One click (or A/D keyboard shortcut). Average decision time: 8 seconds. Optional comment on deny.
4. Agent continues or retries
   Approved → executes. Denied → agent receives error, can try a different approach.
python · LangChain integration
import os

from langchain.agents import initialize_agent
from langchain_anthropic import ChatAnthropic

# One-line swap: replace ShellTool with ExpactiTool
from expacti import ExpactiClient, ExpactiTool

# The token is read from the environment rather than hard-coded
client = ExpactiClient(
    url="wss://api.expacti.com/shell/ws",
    token=os.environ["EXPACTI_TOKEN"],
)

agent = initialize_agent(
    tools=[ExpactiTool(client=client)],  # was: ShellTool()
    llm=ChatAnthropic(model="claude-sonnet-4-6"),
)

# Every shell command now requires human approval
result = agent.run("Fix the broken deploy on prod-server")

Try it with your agent

See the approval flow live in the interactive demo — no account required.

DevOps Automation
CI/CD pipelines, deployment bots, and maintenance scripts — powerful automation that still respects human oversight for production changes.
"We had a deployment bot with full SSH access to prod. One day a broken regex in a cleanup script matched more files than intended. The bot deleted a year of backups before anyone noticed."
Deploy gates

Production deploys require sign-off. The pipeline pauses at each destructive step — docker compose down, database migrations, config changes.

Whitelist the routine

git pull, docker build, health checks — all whitelisted. The reviewer only sees novel or risky operations. Routine deploys are near-zero friction.

Multi-party approval

Configure critical operations (DROP, schema changes, cert rotation) to require two approvers. No single human can approve a catastrophic change alone.

SLA monitoring

Track approval latency p50/p95/p99. Know how long your team takes to respond. Build response-time SLAs into your deploy process.

GitHub Actions integration
1. Add expacti-action to your workflow
   Drop-in composite action. Wraps any shell step in approval flow.
2. CI pauses at production steps
   Build and test run unattended. Deploy-to-prod waits for a human.
   $ docker compose -f prod.yml up -d ← awaiting approval
3. Engineer approves from Slack or dashboard
   Block Kit buttons in Slack, or one click in the reviewer dashboard. Pipeline resumes.
yaml · .github/workflows/deploy.yml
# Build + test runs freely. Deploy step requires approval.
- name: Deploy to production
  uses: expacti/expacti-action@v1
  with:
    command: "docker compose pull && docker compose up -d"
    backend_url: "wss://api.expacti.com/shell/ws"
    shell_token: ${{ secrets.EXPACTI_TOKEN }}
    timeout: 300  # 5 min to approve before pipeline fails

Start with one deploy gate

Add expacti to your most critical deployment step. Takes 10 minutes to integrate.

Security & Compliance
SOC 2, ISO 27001, and internal auditors want evidence that privileged actions were reviewed. expacti makes that evidence automatic.
"The auditor asked: 'Can you show me who approved this database operation and when?' We had server logs. We didn't have that. We failed the control. expacti would have made it a non-issue."
SOC 2 Type II evidence

Every command with approval timestamp, reviewer identity, and session recording. One-click compliance report export in HTML, JSON, or CSV.

Immutable audit log

Append-only audit trail with hash chain. No one can edit or delete historical records — including admins. Tamper-evident by design.

Anomaly detection

Eight built-in anomaly rules: off-hours access, unusual targets, high-frequency commands, pattern deviations. Flags suspicious activity before it becomes an incident.

TTL-based whitelist hygiene

Whitelist rules expire automatically. Temporary access revokes itself. Meets least-privilege requirements without manual cleanup.
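
One way a whitelist with expiring rules can choose between auto-approval and human review, as an added example rather than expacti's implementation. The `Whitelist` class, exact-argv matching and the metacharacter set are assumptions; any command containing shell syntax always goes to review, so a whitelisted `git pull` cannot carry a chained second command.

```python
import shlex
import time

# Characters that let one string chain commands, redirect, expand or glob.
SHELL_META = set(";&|<>`$(){}\n\\*?")


def parse_simple(command):
    """Return argv for a single plain command, or None if it uses shell syntax."""
    if any(ch in SHELL_META for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    return argv or None


class Whitelist:
    def __init__(self, clock=time.time):
        self._rules = {}      # argv tuple -> expiry timestamp
        self._clock = clock   # injectable so expiry can be tested

    def allow(self, command, ttl_seconds):
        argv = parse_simple(command)
        if argv is None:
            raise ValueError("only single plain commands can be whitelisted")
        self._rules[tuple(argv)] = self._clock() + ttl_seconds

    def decide(self, command):
        """Return 'auto' if an unexpired rule matches exactly, else 'review'."""
        argv = parse_simple(command)
        key = tuple(argv) if argv else None
        expiry = self._rules.get(key)
        if expiry is None:
            return "review"
        if self._clock() >= expiry:
            del self._rules[key]  # expired rule revokes itself
            return "review"
        return "auto"


def demo():
    now = [1000.0]  # constructed fake clock
    wl = Whitelist(clock=lambda: now[0])
    wl.allow("git pull", ttl_seconds=3600)
    results = [wl.decide(c) for c in (
        "git pull", "git pull; docker compose down", "git  pull",
        "sed -i 's/old_column/new_name/g' migrations/*.sql")]
    now[0] += 3601  # rule has expired
    return results + [wl.decide("git pull")]
```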

SOC 2 control mapping
CC6: Logical and Physical Access Controls (CC6.1, CC6.3)
Every privileged command requires approval. Access scope enforced by whitelist. Role-based reviewer permissions (admin / reviewer / readonly).
CC7: System Operations (CC7.2)
Anomaly detection flags deviations. Audit log records all access events. Session recording enables post-incident forensics.
CC8: Change Management (CC8.1)
All production changes go through approval flow. Deny decisions are logged with reviewer reasoning. Scheduled compliance report delivery.
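
A minimal sketch of the hash-chained, append-only log described under "Immutable audit log" above, added here as an illustration and not expacti's own code or record format. The field names, the SHA-256 choice, the genesis value and the sample records are assumptions; the demo also shows why the newest hash has to be recorded somewhere outside the log store.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev"


def digest(prev_hash, entry):
    # Canonical JSON so the same entry always serialises to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, entry):
    """Append an entry bound to the hash of the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev_hash, "hash": digest(prev_hash, entry)})


def verify(log, expected_head=None):
    """Return -1 if intact, else the index where verification first fails.

    expected_head is the newest hash as recorded outside the log store;
    without it a fully re-hashed or truncated log still looks consistent.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_hash or rec["hash"] != digest(prev_hash, rec["entry"]):
            return i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1


def demo():
    log = []  # constructed sample records, not real expacti output
    for cmd, decision in [("git pull", "approved"), ("DROP TABLE tmp", "denied"),
                          ("docker compose up -d", "approved")]:
        append(log, {"cmd": cmd, "decision": decision, "reviewer": "alice"})
    head = log[-1]["hash"]
    edited = copy.deepcopy(log)
    edited[1]["entry"]["decision"] = "approved"  # in-place edit of history
    rechained = []                               # edit, then recompute every hash
    for rec in edited:
        append(rechained, rec["entry"])
    return {"intact": verify(log, head), "edited": verify(edited, head),
            "rechained_no_anchor": verify(rechained),
            "rechained_anchored": verify(rechained, head),
            "truncated_anchored": verify(log[:2], head)}
```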

Compliance built in, not bolted on

Export your next SOC 2 evidence package directly from the dashboard.

Enterprise
Large teams with strict security requirements, IdP integration, and regulatory obligations. expacti was built enterprise-ready from day one.
SAML 2.0 + SCIM

SSO via any SAML 2.0 IdP (Okta, Azure AD, Google Workspace). SCIM provisioning for automatic user lifecycle management from your IdP.

RBAC + multi-org

Admin / reviewer / agent / readonly roles. Multi-reviewer approval policies (any, all, minimum role). Separate orgs with full isolation.

Infrastructure as Code

Terraform provider for managing targets, whitelist rules, and users. K8s operator with Helm chart for self-hosted deployments. GitOps-friendly.

E2E encryption

Zero-knowledge command relay: RSA-OAEP + AES-256-GCM hybrid encryption. The backend sees ciphertext — only the reviewer's browser decrypts the command.

Self-hosted option

Docker Compose, K8s with Helm, or bare metal. Your data never leaves your infrastructure. PostgreSQL backend for scale.

Integrations

Slack Block Kit (approve/deny buttons), Microsoft Teams, webhooks, per-org SMTP, IP allowlist, PAM module for legacy systems.

Enterprise plan with custom SLA

Self-hosted, SSO, compliance reports, dedicated onboarding. Let's talk.

Startups
Move fast without breaking production. Small teams, shared infra, AI agents doing real work — expacti is the safety layer you can set up in an afternoon.
"We're a team of four. Everyone has prod access. That's fine when you're all careful, but the AI agent we added last month doesn't know the difference between staging and production. Now expacti does."
10-minute setup

Run expacti init, connect your server, start the reviewer dashboard. No K8s, no enterprise procurement, no lengthy onboarding.

Free tier

One target, one reviewer, 100 commands/month. Enough to protect your most critical system while you evaluate. No credit card required.

Mobile reviewer

PWA with push notifications. Approve a deploy from your phone while at the coffee shop. No app install needed.

Grows with you

Start with one deploy gate. Add more as you build trust in the whitelist. SAML, SCIM, and compliance reports are there when you need them.

Getting started in under 10 minutes
1. Install and initialise
   curl -fsSL https://install.expacti.com | sh && expacti init
2. Run the pre-flight check
   expacti doctor
3. Open the reviewer dashboard
   Sign in at expacti.com/app — approve or deny commands as they arrive. That's it.

Start protecting production today

Free tier, no credit card. Working setup in under 10 minutes.
