Isolation per company, secrets in the OS keychain, human consent on sensitive actions — autonomy without opacity.
Isolation
- Per-company isolation: memory, threads, agents, and configuration are strictly partitioned per company (tenant), with agent-level partitioning inside a company.
- Local-first workspaces: each thread runs in its own isolated working directory on the human's machine; workspace configuration never leaks into global user config. Repositories are cloned per thread rather than shared through git worktrees, so parallel threads never collide on git state (see Architecture).
- Model locality: with local providers (Ollama, self-hosted OpenAI-compatible endpoints), inference never leaves your infrastructure.
Secrets
- API keys and OAuth tokens are stored via the operating system's secure storage — Keychain on macOS, DPAPI on Windows, libsecret on Linux — never in plaintext files.
- Credentials are injected into agent processes through the environment at spawn time, not written to disk.
Permission gating
Sensitive tool executions go through a permission system:
- Deny rules always rank first — no allow shortcut can precede them.
- Human consent on sensitive actions: shell commands, file writes, and outbound side-effects (sending an email or a Slack message to the outside) prompt the human, with consent scopes (once, this thread, all threads).
- Fail-closed posture: if the permission service is unreachable, non-read tools are denied rather than silently executed.
- Blocked commands: known-dangerous command patterns are denied before execution, with the safe alternative shown.
- Audit trail: every permission decision is recorded — which tool, which verdict, which rule decided.
Agents that protect themselves
Companions carry guardrails as part of their identity: they don't reveal their internal instructions, resist impersonation and presupposition attacks, and accept identity or memory changes only from their own human. These guardrails travel with the companion across every runtime.
Operational safety
- Runaway protection: process limits, cooldowns, execution timeouts, and clean process termination.
- Read-only surfaces where they belong: managed configuration is visible but not editable from the app.