IT / Admin Notes

This page is written for IT administrators and security reviewers evaluating CRAFT for organizational deployment. It summarizes the execution model, network behavior, verification architecture, and deployment considerations.

Execution Model

CRAFT automations execute locally inside the CAD host application (Autodesk Revit or Civil 3D) on the end user's workstation. There is no cloud execution path, remote code execution, or server-side automation processing.

The CRAFT server provides three passive services:

  • Artifact registry — stores and serves signed automation packages; read-only from the client's perspective once published
  • License service — issues and refreshes machine-bound activation tokens
  • Signing service — signs artifacts at publish time using the CRAFT signing key

The server never receives, interprets, or executes automation logic. It does not receive model data, design files, or host environment information.

Network Behavior

CRAFT makes no hidden or undisclosed network calls. Every network operation is surfaced through the Preview/Validate Gate's egress disclosure panel before it occurs. Users must explicitly acknowledge network calls.

Expected Network Calls

  • License activation — one-time call to the license server to bind a seat to a machine
  • Token refresh — periodic call (at most once every 7 days) to renew the activation token
  • Registry operations — publish (upload) and download of signed automation packages, when the user explicitly initiates these operations
  • Trust anchor fetch — optional, only if configured to fetch trust anchors from the server (default is embedded-only)

All network calls use HTTPS. No data is sent to third-party services.
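A reviewer can check these statements against proxy or firewall logs during a pilot. The following is an added example, not CRAFT code or vendor tooling: it flags any logged request that is not HTTPS, goes to a host other than the license server or registry, or is a token refresh less than 7 days after the previous one. The hostnames, the `/refresh` path and the log format are assumptions, and the log is assumed to be pre-filtered to traffic from the CAD host process.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed placeholder hostnames and path; substitute the endpoints for your deployment.
LICENSE_HOST = "license.craft.example"
REGISTRY_HOST = "registry.craft.example"
ALLOWED_HOSTS = {LICENSE_HOST, REGISTRY_HOST}
REFRESH_PATH = "/refresh"
MIN_REFRESH_INTERVAL = timedelta(days=7)

# Constructed sample log (not real data): ISO timestamp, workstation, method, URL.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-014 POST https://license.craft.example/activate
2024-03-08T09:05:00 ws-014 POST https://license.craft.example/refresh
2024-03-09T10:00:00 ws-014 GET https://registry.craft.example/packages/demo/1.2.0
2024-03-10T08:00:00 ws-014 POST https://license.craft.example/refresh
2024-03-10T08:01:00 ws-014 POST http://registry.craft.example/packages
2024-03-10T08:02:00 ws-014 POST https://metrics.thirdparty.example/v1/events
"""

def audit_egress(log_text):
    """Return (line_no, reason) findings for lines that contradict the documented behavior."""
    findings = []
    last_refresh = {}  # workstation -> timestamp of its previous token refresh
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            findings.append((n, "unparseable line"))
            continue
        ts_raw, workstation, _method, url = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            findings.append((n, "bad timestamp"))
            continue
        u = urlsplit(url)
        dest = (u.hostname or "").lower()
        if u.scheme != "https":
            findings.append((n, "non-HTTPS request"))
        if dest not in ALLOWED_HOSTS:
            findings.append((n, "unexpected destination " + dest))
            continue
        if dest == LICENSE_HOST and u.path == REFRESH_PATH:
            prev = last_refresh.get(workstation)
            if prev is not None and ts - prev < MIN_REFRESH_INTERVAL:
                findings.append((n, "refresh sooner than 7 days after previous"))
            last_refresh[workstation] = ts
    return findings
```

Run over the constructed sample, `audit_egress(SAMPLE_LOG)` reports lines 4, 5 and 6; an empty result on real logs is consistent with the behavior described above.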

Offline Operation

After activation, CRAFT operates fully offline for up to 7 days. During this window, all local operations (run, export, validate) work without network access. Only registry operations (publish, download) require connectivity.

No Telemetry by Default

Telemetry is disabled by default. No usage data, analytics, crash reports, or diagnostic information leaves the user's machine unless the user explicitly opts in through the egress disclosure flow. When disabled, all data retention is local.

No Host Context Egress

Host context — open model information, file paths, environment variables, machine state — never leaves the user's device without explicit per-operation opt-in. This is a locked default. There is no administrative override that silently enables host context egress.

Artifact Integrity and Verification

  • Artifacts are cryptographically signed at publish time
  • Signatures bind to a SHA-256 content hash of the artifact
  • Deterministic serialization ensures identical content always produces the same hash
  • Deterministic packaging ensures identical content always produces the same artifact
  • Verification happens client-side against embedded or configured trust anchors
  • Failed verification blocks import — enforced by the Gate, no user override

Versioning and Immutability

Published artifacts use semantic versioning and are immutable once published. The server rejects any attempt to overwrite an existing version. Updates require publishing a new version. The artifact state machine is: draft → published → deprecated.

Authentication and Tenant Isolation

Users authenticate with credentials issued per tenant. All artifact, license, and entitlement data is scoped to a tenant. Strict tenant isolation is enforced server-side — cross-tenant access is not possible, and the system is designed to prevent information leakage between tenants.

License Architecture

  • Machine-bound activation with cryptographically signed tokens
  • Offline operation supported between periodic refreshes
  • Seat-based entitlements (Runner, Creator, Approver/Maintainer)
  • No consumption metering, credits, or token currency
  • Standard token lifecycle enforcement for revocation

Deployment Considerations

  • CRAFT installs as a standard host add-in — no background services, daemons, or system agents
  • No elevated privileges required for normal operation (installation may require standard installer privileges)
  • Network requirements are minimal: HTTPS to the license server (activation/refresh) and artifact registry (publish/download)
  • For fully air-gapped environments, automations can be transferred via exported zip packages and validated locally

Questions for your deployment?

If you need additional detail for a security review or compliance assessment, contact us directly.