Docs

Security model

Keys live in the OS keychain. Agents get capabilities, never bytes.

Key custody

Daemon is non-custodial. Keys are encrypted with the operating system keychain and never leave your machine. There is no server-side wallet, no key sync, and no export path an agent can reach.

Capabilities, never bytes

Agents never see key material. They request typed actions from a tool catalog, and every tool carries a risk tier that decides how it runs:

  • Read tools run automatically.
  • Write tools wait for your approval.
  • Sensitive tools require a typed confirmation.

On-chain tools are marked for mainnet and re-validate the cluster before they execute, so a devnet plan cannot silently become a mainnet transaction.

Isolation

Parallel agent lanes run in separate git worktrees with a minimal environment. Pushing is blocked at the git layer inside a lane, and provider API keys are stripped from lane processes.

Auditable by design

The core is open source under the MIT license, and every action an agent takes ends as a signed receipt you can inspect. If you cannot verify it, Daemon does not ask you to trust it.