Demo script — 60-second deploy approval
A terminal-first script for recording a short demo of the coding-agent deploy approval workflow. Pre-setup takes ~5 minutes; the recording is 60–90 seconds.
Before you record
Do all of this off-camera. The recording starts at step 1 below.
- Install the CLI:
npm install -g @behalfid/cli
- Log in:
behalf login
- Create a demo agent (the --save flag writes the agent ID and API key to config):
behalf agents create --name "Claude Code Demo" --save
- Create the two deploy permissions:
behalf permissions create $(behalf config get agent-id) \
  --action deploy \
  --resource vercel.com \
  --allowed "deploy to staging,create preview deployment" \
  --blocked "deploy to production,promote to production"
behalf permissions create $(behalf config get agent-id) \
  --action deploy_production \
  --resource vercel.com \
  --allowed "promote staging to production" \
  --requires-approval
- Open a terminal in a scratch project directory
- Open the BehalfID dashboard Approvals page in a browser tab — you'll switch to it during the recording
- Use a large font size (18–20pt) and a clean terminal theme for legibility
The recording — 60–90 seconds
Read each step aloud or use on-screen title cards. Times are approximate.
[0:00] Wire up enforcement
Type this live:
behalf mcp init
Say: “This registers the BehalfID MCP server and writes the agent's permission context to the project.”
Show the two files created: .mcp.json and .behalf/context.md.
cat .behalf/context.md
Point out the Approval-Required Actions section and the numbered retry protocol.
[0:20] Launch the agent
behalf claude
Say: “This launches Claude Code with enforcement active. Every verify_action call goes through BehalfID.”
In the Claude Code prompt, type:
Deploy the current branch to production on vercel.com
[0:35] Approval gate fires
Claude Code calls verify_action("deploy_production", "vercel.com"). The MCP server returns the approval-required block. Claude pauses and shows:
APPROVAL REQUIRED — do not execute this action.
Action: deploy_production on vercel.com
Approval ID: apr_xxxxxxxx
A human must approve this request before the action can proceed.
Approve at: https://behalfid.com/dashboard/approvals
Say: “BehalfID blocked the production deploy. Claude is pausing and showing me the approval ID and where to go.”
[0:50] Approve in the dashboard
Switch to the browser tab. Show the BehalfID Approvals page. The pending request appears: deploy production → vercel.com with the agent name. Click Approve.
Say: “One click. A 30-minute grant window opens. The agent can now retry.”
[1:00] Agent retries — allowed
Back in the terminal, tell Claude: “I've approved the request in the dashboard. Please retry.”
Claude calls verify_action again. This time: allowed: true. The deploy runs.
Say: “BehalfID found the approved grant, marked it used, and let the deploy through. Every step — the block, the approval, and the allow — is in the audit log.”
[1:15] (Optional) Show the audit trail
behalf logs $(behalf config get agent-id)
Point out the two log entries: the approval_required decision and the subsequent allowed decision, both with their requestIds.
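The block, approve, retry arc from [0:35] to [1:15], as an added illustrative model in JavaScript; it is not BehalfID's code or API. The function names, record fields, ID formats and the rule that a used or expired grant leads to a fresh approval request are assumptions; the 30-minute window and the mark-as-used step come from the script above.

```javascript
// Illustrative model only: every name and field here is an assumption,
// not BehalfID's API or implementation. Models only the approval-required path.
const GRANT_WINDOW_MS = 30 * 60 * 1000; // 30-minute grant window, per the script

function createGate(approvalRequiredActions) {
  const approvals = new Map(); // approvalId -> { key, state, approvedAt }
  const audit = [];            // one entry per verify_action decision
  let seq = 0;

  function log(decision, action, resource, extra = {}) {
    const entry = { requestId: `req_${++seq}`, decision, action, resource, ...extra };
    audit.push(entry);
    return entry;
  }

  // `now` is passed in (milliseconds) so expiry can be exercised deterministically.
  function verifyAction(action, resource, now) {
    const key = `${action}@${resource}`;
    if (!approvalRequiredActions.has(action)) return log("allowed", action, resource);
    // Look for an approved, unused, unexpired grant for this exact action and resource.
    for (const [id, a] of approvals) {
      if (a.key !== key || a.state !== "approved") continue;
      if (now - a.approvedAt > GRANT_WINDOW_MS) { a.state = "expired"; continue; }
      a.state = "used"; // single use: consumed before the caller proceeds
      return log("allowed", action, resource, { approvalId: id });
    }
    // No usable grant: open a pending request and tell the agent to stop.
    const approvalId = `apr_${++seq}`;
    approvals.set(approvalId, { key, state: "pending", approvedAt: null });
    return log("approval_required", action, resource, { approvalId });
  }

  // The human's dashboard click. Only a pending request can be approved.
  function approve(approvalId, now) {
    const a = approvals.get(approvalId);
    if (!a || a.state !== "pending") return false;
    a.state = "approved";
    a.approvedAt = now;
    return true;
  }

  return { verifyAction, approve, audit };
}
```

In this model a second retry after the allowed deploy gets approval_required again, and so does a retry made after the window has closed.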
Cut points
For a tighter 60-second version, skip the cat .behalf/context.md step and the audit trail at the end. The core arc — wire, launch, block, approve, allow — fits in 55 seconds.
Narration notes
- Be honest about scope: “BehalfID enforces at the MCP boundary. The check lives in the tool call, not in the model's memory — so it's not bypassed by prompt injection or jailbreaks that only affect the model's reasoning.”
- Don't claim agents “can't” bypass it in all scenarios — the enforcement works where the integration is wired. An agent that calls vercel deploy directly without going through the MCP tool would not be caught.
- The value prop: “For teams that want a human in the loop before production changes, this is a five-minute integration.”
Sharing
After recording, link to /docs/deploy-approvals for viewers who want to follow along. The full guide covers permission setup, MCP wiring, the approval lifecycle, and webhook integration.