Your Agent's Code Can Use Your Services
An agent writes Python; the code posts a file to Slack, sends an email, saves a memory. That code runs in a sealed sandbox — yet the call reaches the real service, under the real user, with real consent checks. The trick is a relay: the request rides KDCube's durable message lane to the service's home process and the answer rides back.
Agent-generated code executes in an isolated runtime: the code itself in a no-network executor, platform tools beside it in a supervising sidecar. That sidecar knows who is asking (the portable context room travels with every execution) and which app serves the namespace — but the live in-process caller that a direct agent call uses exists only in the host server. The relay closes that last hop.
The round trip
- Same identity end to end. The message carries the requesting user — id, roles, permissions, authority — copied from the restored context. The worker binds it before the provider runs, so consent claims and connected accounts resolve for the real user. A runtime with no bound identity is refused outright; nothing anonymous is relayed.
- Exactly-once effect on an at-least-once lane. The lane redelivers when a process dies between doing the work and acknowledging it. The relay handler records its response per message id and answers redeliveries from the record — a re-delivered "send" returns the first send's result instead of a second email.
- One handler makes a service reachable. The always-running services app ships it, so mail, Slack, and conversations work out of the box; any app serving its own namespace joins with three lines.
The use case that proves it: consent from inside code
The user asks the agent to post a diagram to Slack, and the agent decides to do it in code. The Slack file-upload approval hasn't been given yet.
First run: the generated code calls upload_file; the relay carries it to
the Slack provider; the provider finds no slack:files:write approval for
this user — and answers with the same structured consent error a direct call gets,
including the Connection Hub link. The code fails honestly, the agent reports it, and
the consent card reaches the person in chat. They approve once. Next run — same code,
same call — the provider finds the approval and the file lands in Slack.