for security reviewers

An agent that can act needs walls, not vibes.

OpenDesktop assumes the agent will sometimes be wrong and builds the boundaries first: what it can touch, what it can spend, and what gets recorded.

The properties, plainly.

execution

Sandboxed tool runs

Commands and tools run in an isolated container on the local machine, with networking disabled by default and only the chosen workspace folder mounted in. The container is discarded after the run.

secrets

Keys live in the keychain

Provider API keys are stored in the operating system's keychain (encrypted storage), not in config files or plain text. In managed mode, provider keys exist only in the gateway and never reach a laptop.

identity

Native-app sign-in, done right

Desktop sign-in follows RFC 8252: the system browser, PKCE, and a loopback redirect. No credentials are ever typed into the app itself. Enterprise identity runs through WorkOS and your existing IdP.

spend

Budgets fail closed

The budget engine reserves cost before a request goes upstream. Unknown principals are denied; exhausted budgets are denied. There is no mode where spending silently continues.

capability

Allow-lists over everything

Models, connectors, and skills are governed by allow-list policy, scoped to orgs and groups. Web access is a capability like any other: it can be disabled per policy or per machine.

records

Logs without content

The activity log records who, when, which model, tokens, and cost per request. It is designed to never store prompt or response content, so the audit trail cannot become a data lake of everyone's work.
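A sketch of the two properties above, the fail-closed reservation under spend and the content-free record under records, as an added example that is not OpenDesktop's code. BudgetEngine, run_request, the integer-cent units and the fake upstream call are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from threading import Lock

# Audit records carry only these fields; there is no slot for prompt or reply text.
LOG_FIELDS = ("who", "when", "model", "tokens", "cost")

@dataclass(frozen=True)
class Reservation:
    principal: str
    model: str
    amount: int  # cost reserved before the upstream call, in integer cents

class BudgetEngine:
    """Hypothetical fail-closed spend gate; budgets are kept in integer cents."""
    def __init__(self, limits: dict[str, int]):
        self._remaining = dict(limits)  # principal -> cents left; absent = unknown
        self._lock = Lock()
        self.activity_log: list[dict] = []
    def reserve(self, principal: str, model: str, estimate: int):
        """Reserve up-front; None (deny) if principal unknown, estimate bad, or budget short."""
        with self._lock:
            left = self._remaining.get(principal)
            if left is None or estimate < 0 or estimate > left:
                return None
            self._remaining[principal] = left - estimate
            return Reservation(principal, model, estimate)
    def settle(self, r: Reservation, actual_cost: int, tokens: int) -> None:
        """Reconcile the reservation with the real cost and log metadata only."""
        with self._lock:
            self._remaining[r.principal] += r.amount - actual_cost
            when = datetime.now(timezone.utc).isoformat()
            self.activity_log.append(dict(zip(
                LOG_FIELDS, (r.principal, when, r.model, tokens, actual_cost))))
    def remaining(self, principal: str) -> int:
        return self._remaining.get(principal, 0)

def run_request(engine, principal, model, prompt, estimate, upstream):
    """No reservation, no upstream call; the prompt never reaches the log."""
    r = engine.reserve(principal, model, estimate)
    if r is None:
        return {"status": "denied"}
    reply, tokens, cost = upstream(model, prompt)
    engine.settle(r, cost, tokens)
    return {"status": "ok", "reply": reply}

def fake_upstream(model, prompt):
    # Constructed stand-in for a provider call: 1200 tokens costing 50 cents.
    return ("answer", 1200, 50)
```

Because the reservation is taken under the lock before the provider is called, two concurrent requests cannot both pass on the same remaining balance, and an overrun leaves the balance negative so the next reservation is denied rather than silently continued.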

responsible disclosure

Found something? Tell us first.

We take reports seriously and respond fast. Include steps to reproduce and we will keep you posted from triage to fix.