Architecture Overview
IDfunction Agent is built around two core concepts: the AI Harness (the platform itself) and Workspaces (per-project environments where work happens). Understanding how these fit together helps you get the most out of the platform.
The big picture
┌─────────────────────────────┐
│ IDfunction Agent │
│ idfagent.evolutionid.cloud │
│ │
Developer ──────► │ Browser workspace │
(EvolutionID) │ ├── Chat interface │
│ ├── File browser │
│ └── Git operations │
└───────────┬─────────────────┘
│
┌───────────▼─────────────────┐
│ Agent Runtime │
│ Manages sessions, repos, │
│ credentials, and sandboxes │
└───────────┬─────────────────┘
│
┌─────────────────┼──────────────────┐
│ │ │
┌─────────▼──────┐ ┌───────▼──────┐ ┌───────▼──────┐
│ Coding Agent │ │ GitHub │ │ LLM Provider │
│ Claude Code │ │ Repository │ │ Anthropic / │
│ DeepAgents │ │ (per │ │ OpenAI / │
│ (in sandbox) │ │ workspace) │ │ Google │
└────────────────┘ └──────────────┘ └──────────────┘
Components
The AI Harness (web application)
The platform itself — the web app you access at idfagent.evolutionid.cloud. It provides:
- The browser-based chat interface where you interact with the AI agent
- Workspace management (create, configure, archive)
- File browsing and git operations without needing a local terminal
- Model library for managing AI provider API keys
The harness runs in the EvolutionID cloud and is only accessible to authorised EvolutionID staff.
Workspaces
A workspace is the central unit of work. Each workspace ties together:
- A GitHub repository — either forked from a base PIAM template or attached to an existing repo
- An AI agent configuration — which agent type and which AI model to use
- An active session — the live connection between your browser and the coding agent
Every customer engagement gets its own workspace with its own isolated repository.
Coding Agents
The AI agents that actually read and write code. IDfunction Agent supports:
| Agent | Mode | Best for |
|---|---|---|
| Claude Code | Interactive (live) | Complex tasks, multi-step work, questions |
| Claude Code | One-off (autonomous) | Single well-defined tasks |
| DeepAgents | Interactive (live) | Exploratory work |
| DeepAgents | One-off (autonomous) | Batch operations |
In interactive mode, the agent runs as a live session — it can ask questions, and you can guide it in real time. In one-off mode, it runs autonomously to completion without interaction.
Sandboxes (microVM isolation)
When sandbox mode is enabled, each workspace's coding agent runs inside a dedicated microVM — a lightweight virtual machine that is completely isolated from other workspaces and from the host server.
This means:
- The agent can only access files in its own workspace repository
- A runaway or misbehaving agent cannot affect other workspaces
- Resource usage (CPU, memory) is capped per workspace
Sandboxes are enabled in production. The repository files inside the sandbox persist between sessions — powering off a sandbox does not lose work.
LLM Providers
The AI intelligence behind the agents. You bring your own API keys for whichever providers you use:
- Anthropic — Claude models (Haiku, Sonnet, Opus)
- OpenAI — GPT-4o and o-series models
- Google — Gemini models
- Groq — Open-source models with fast inference
- Together AI — Open-source models
API keys are stored encrypted and are never exposed in logs or API responses.
GitHub
Every workspace is backed by a real GitHub repository. The platform handles:
- Forking a template repo to create a new isolated customer repository
- Authenticating git push operations without storing credentials in the repo
- Showing git status (modified files, unpublished commits) in the sidebar
Security boundaries
- Authentication — the platform requires EvolutionID SSO or credentials to access
- Workspace isolation — developers can only access their own workspaces
- Sandbox isolation — each agent runs in its own microVM with no cross-workspace filesystem access
- Encrypted credentials — all API keys are encrypted at rest with AES-256-GCM
- Audit trail — all workspace operations are logged for compliance