Safety And Operations

Security boundaries, data handling, dashboards, and failure behavior.

Snapshot 2026-05-05. Sources: README.md, install/README.md, mobile docs, safety-investigation/ local worktree guide.

Safety Boundary Flow

Legend: LLM marks a model-involved step.

1. Request Or Signal
   What it is: A user action, collector row, or agent request enters agentropy.
   Triggered by: Any request, collector row, browser action, or agent tool path enters agentropy.
   Hands off to: Local Policy

2. Local Policy
   What it is: Auth, device roles, invariant ceilings, and no-transmit rules are checked.
   Triggered by: Auth, device, policy, or invariant checks run before action.
   Hands off to: Redaction

3. Redaction
   What it is: Tokens, OTPs, raw banking rows, and sensitive context are stripped or summarized.
   Triggered by: A payload may include tokens, OTPs, banking context, private text, or raw rows.
   Hands off to: Vendor Pin

4. Vendor Pin
   What it is: Privacy rules may force one vendor or block fallback.
   Triggered by: Privacy rules require one vendor path or block fallback.
   Hands off to: Model Call

5. Model Call (LLM)
   What it is: Only allowed summaries and prompts enter the selected LLM path.
   Triggered by: The prompt has passed local policy and redaction.
   Hands off to: Approval Gate

6. Approval Gate
   What it is: External messages, destructive actions, and high-risk changes wait for the operator.
   Triggered by: The action would affect another person, external system, money, secrets, data, or git history.
   Hands off to: The next local run, dashboard view, or review loop.

Sensitive data is filtered before model entry. External effects still require approval.
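The six-step flow above, as an added illustration that is not agentropy's own code: a toy pipeline in which local policy runs first, redaction replaces tokens, OTPs and raw banking rows before anything reaches a model, a no-transmit request is pinned to one vendor with no fallback, an unavailable vendor is reported as unavailable rather than faked, and actions with external effects stop at the approval gate. The patterns, action names and vendor names are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the demo: long opaque strings and 6-digit codes.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{32,}")
OTP_RE = re.compile(r"\b\d{6}\b")
# Actions that touch another person, money, secrets, data or git history.
EXTERNAL_EFFECTS = {"send_message", "payment", "git_push", "delete_data"}

@dataclass
class Request:
    actor: str
    action: str
    text: str
    bank_rows: list = field(default_factory=list)  # raw rows stay local
    no_transmit: bool = False  # privacy rule: pinned vendor only, no fallback

@dataclass
class Outcome:
    status: str  # denied | unavailable | ran | pending_approval
    vendor: str = ""
    prompt: str = ""

def redact(req):
    """Step 3: strip tokens/OTPs, replace raw banking rows with a summary."""
    text = OTP_RE.sub("[OTP]", TOKEN_RE.sub("[TOKEN]", req.text))
    if req.bank_rows:
        net = sum(r["amount"] for r in req.bank_rows)
        text += f"\n[banking summary: {len(req.bank_rows)} rows, net {net:.2f}]"
    return text

def run(req, allowed=("operator",), pinned="local-llm",
        fallback="cloud-llm", pinned_up=True):
    # Step 2: local policy runs before anything leaves the machine.
    if req.actor not in allowed:
        return Outcome("denied")
    prompt = redact(req)
    # Step 4: vendor pin. no_transmit blocks fallback entirely.
    vendor = pinned
    if not pinned_up:
        if req.no_transmit:
            return Outcome("unavailable")  # mark missing, never fake context
        vendor = fallback
    # Step 5 would call the model here; step 6 holds external effects.
    if req.action in EXTERNAL_EFFECTS:
        return Outcome("pending_approval", vendor, prompt)
    return Outcome("ran", vendor, prompt)
```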

Boundary: Network Boundary

The internal daemon port is loopback-only. The public side is intended for Tailscale Funnel and requires tokens or mobile device credentials for sensitive routes.

The HTML chat and dashboard pages can load unauthenticated so a device can enter or store credentials. The data routes behind them perform authorization.

Data: Sensitive Data Handling

Runtime state lives under ~/.agentropy/proxy/, with sensitive files written with owner-only permissions where the code controls the write.

At the LLM boundary, banking and credential-like data get special treatment: denylist checks, local-only raw storage, summaries instead of raw rows to LLMs, and explicit no-transmit boundaries where configured.

Push payloads and logs redact or omit tokens, OTPs, full chat bodies, and sensitive approval context.

Ops: Operational Dashboard

/dashboard shows daemon health, periodic jobs, agent sessions, chat sessions, recent events, and event sources.

/growth-governor.json and the mobile projections expose loop state without requiring the user to inspect files manually.

Failure: Failure Posture

Agentropy should mark missing data as missing. It should not fake context when Chrome, a vendor, a collector, Tailscale, Relay, or a login session is unavailable.

Most failure paths either write an unavailable row, surface a dashboard state, or create an approval or inbox item. Silent success is the failure mode to avoid.