How we protect your agent

We locked the front door — only people with a special key file can log into the server. Password authentication is completely disabled.

We blocked all outside traffic by default — the server ignores everyone on the internet unless we specifically allowed them in.

The server is basically invisible — it's only reachable through a private network called Tailscale, like a secret tunnel only our devices know about.

Any IP address that tries to break in gets automatically banned after a few failed attempts. An always-on bouncer that never sleeps.

Only you can talk to the bot — we made a whitelist so the bot only takes commands from your account, nobody else.

The bot can only do a limited set of things — even if someone tried to trick it, it can only run a small list of approved commands, nothing dangerous.

When we connect to email or file storage, we give the bot the bare minimum permissions — like a read-only library card instead of a master key.

Passwords and tokens are stored with restricted permissions so other programs on the server can't peek at them. Sensitive info is locked up tight.

We ran a full security audit before going live — a built-in tool scanned everything and gave it the green light. Every instance is verified before it reaches you.