Security model
Keys live in the OS keychain. Agents get capabilities, never bytes.
Key custody
Daemon is non-custodial. Keys are encrypted with the operating system keychain and never leave your machine. There is no server-side wallet, no key sync, and no export path an agent can reach.
Capabilities, never bytes
Agents never see key material. They request typed actions from a tool catalog, and every tool carries a risk tier that decides how it runs:
- Read tools run automatically.
- Write tools wait for your approval.
- Sensitive tools require a typed confirmation.
On-chain tools are marked for mainnet and re-validate the cluster before they execute, so a devnet plan cannot silently become a mainnet transaction.
Isolation
Parallel agent lanes run in separate git worktrees with a minimal environment. Pushing is blocked at the git layer inside a lane, and provider API keys are stripped from lane processes.
Auditable by design
The core is open source under the MIT license, and every action an agent takes ends as a signed receipt you can inspect. If you cannot verify it, Daemon does not ask you to trust it.