Sandboxed tool runs
Commands and tools run in an isolated container on the local machine, with networking disabled by default and only the chosen workspace folder mounted in. The container is discarded after the run.
for security reviewers
OpenDesktop assumes the agent will sometimes be wrong and builds the boundaries first: what it can touch, what it can spend, and what gets recorded.
Provider API keys are stored in the operating system's keychain (encrypted storage), never in config files or plain text. In managed mode, provider keys exist only in the gateway and never reach a laptop.
Desktop sign-in follows RFC 8252: the system browser, PKCE, and a loopback redirect. No credentials are ever typed into the app itself. Enterprise identity runs through WorkOS and your existing IdP.
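The RFC 8252 native-app flow named above has three moving parts: a PKCE verifier/challenge pair (RFC 7636, S256 method), an ephemeral loopback redirect listener, and a state check on the callback. The following is an added example written for this page, not OpenDesktop's own sign-in code; the authorization endpoint and client id are placeholders, and the callback parser is fed a constructed request line rather than a real browser redirect.

```python
import base64
import hashlib
import secrets
import socket
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values: the real IdP endpoint and client id are not on the page.
AUTHORIZE_URL = "https://idp.example.invalid/oauth2/authorize"
CLIENT_ID = "desktop-client-placeholder"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 s4.1: 43-128 unreserved chars; 32 random bytes base64url-encode to 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pick_loopback_redirect() -> Tuple[socket.socket, str]:
    """RFC 8252 s7.3: bind an OS-chosen port on 127.0.0.1 and derive the redirect URI from it.

    The caller owns the socket and accepts the single browser redirect on it;
    nothing here listens on a non-loopback interface.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    return srv, f"http://127.0.0.1:{port}/callback"


def build_authorization_url(redirect_uri: str, challenge: str, state: str) -> str:
    """Authorization request opened in the system browser; no credentials touch the app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
        "scope": "openid",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(request_line: str, expected_state: str) -> str:
    """Pull the authorization code out of the loopback GET; reject anything with a bad state."""
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method on loopback redirect")
    qs = parse_qs(urlparse(target).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    srv, redirect_uri = pick_loopback_redirect()
    print("open in browser:", build_authorization_url(redirect_uri, challenge, state))
    srv.close()
```

The verifier never leaves the app until the token exchange, the challenge is the only thing in the browser-visible URL, and the state check is what stops a stale or attacker-initiated redirect from being accepted on the loopback port.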
The budget engine reserves cost before a request goes upstream. Unknown principals are denied, and so are exhausted budgets. There is no mode where spending silently continues.
Models, connectors, and skills are governed by allow-list policy, scoped to orgs and groups. Web access is a capability like any other: it can be disabled per policy or per machine.
The activity log records who, when, which model, tokens, and cost per request. It is designed to never store prompt or response content, so the audit trail cannot become a data lake of everyone's work.
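The three gateway-side controls above (reserve-before-request budgeting, allow-list policy scoped to orgs and groups, and a metadata-only activity log) are easiest to see as one request path. What follows is an added example for this page, not OpenDesktop's gateway code: the policy table, principal names, budgets and the fake upstream call are all constructed, and costs are tracked in cents for simplicity. It fails closed at each step and records an audit entry with no field that could hold prompt or response text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed allow-list: which models each org/group scope may use (placeholder names).
ALLOWED_MODELS: Dict[str, Set[str]] = {
    "org:acme": {"model-a", "model-b"},
    "org:acme/group:research": {"model-c"},
}

# Upstream call shape assumed for the example: returns (response, tokens, actual_cost_cents).
Upstream = Callable[[str], Tuple[str, int, int]]


@dataclass
class AuditRecord:
    """Who, when, which model, tokens, cost, outcome. Deliberately no prompt/response field."""
    principal: str
    at: str
    model: str
    tokens: int
    cost_cents: int
    outcome: str


@dataclass
class Gateway:
    budgets_cents: Dict[str, int]                      # remaining budget per known principal
    reserved_cents: Dict[str, int] = field(default_factory=dict)
    log: List[AuditRecord] = field(default_factory=list)

    def _record(self, principal: str, model: str, tokens: int, cost: int, outcome: str) -> None:
        now = datetime.now(timezone.utc).isoformat()
        self.log.append(AuditRecord(principal, now, model, tokens, cost, outcome))

    def model_allowed(self, principal: str, scopes: List[str], model: str) -> bool:
        """Allow-list check: usable only if some scope the principal belongs to lists the model."""
        return any(model in ALLOWED_MODELS.get(scope, set()) for scope in scopes)

    def reserve(self, principal: str, estimate_cents: int) -> bool:
        """Reserve before going upstream. Unknown principal or insufficient budget -> deny."""
        if principal not in self.budgets_cents:
            return False
        if estimate_cents <= 0 or estimate_cents > self.budgets_cents[principal]:
            return False
        self.budgets_cents[principal] -= estimate_cents
        self.reserved_cents[principal] = self.reserved_cents.get(principal, 0) + estimate_cents
        return True

    def settle(self, principal: str, estimate_cents: int, actual_cents: int) -> None:
        """Release the reservation and charge the actual cost (overage is still charged)."""
        self.reserved_cents[principal] -= estimate_cents
        self.budgets_cents[principal] += estimate_cents - actual_cents

    def handle(self, principal: str, scopes: List[str], model: str,
               estimate_cents: int, upstream: Upstream) -> Optional[str]:
        """Policy -> budget -> upstream -> settle -> log. Every denial is logged too."""
        if not self.model_allowed(principal, scopes, model):
            self._record(principal, model, 0, 0, "denied:policy")
            return None
        if not self.reserve(principal, estimate_cents):
            self._record(principal, model, 0, 0, "denied:budget")
            return None
        try:
            response, tokens, actual_cents = upstream(model)
        except Exception:
            self.settle(principal, estimate_cents, 0)   # nothing was spent; give it back
            self._record(principal, model, 0, 0, "error:upstream")
            raise
        self.settle(principal, estimate_cents, actual_cents)
        self._record(principal, model, tokens, actual_cents, "ok")
        return response


if __name__ == "__main__":
    gw = Gateway(budgets_cents={"alice": 100})
    fake_upstream: Upstream = lambda model: ("constructed answer", 120, 30)
    print(gw.handle("alice", ["org:acme"], "model-a", 50, fake_upstream))
    print(gw.handle("mallory", ["org:acme"], "model-a", 10, fake_upstream))
    for rec in gw.log:
        print(rec)
```

Two design points carry the weight: the budget is debited at reservation time, so a concurrent burst cannot overspend between check and charge, and the audit record type has no place to put content, so "never store prompts" is enforced by the schema rather than by a filtering step that could be forgotten.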
We take reports seriously and respond fast. Include steps to reproduce and we will keep you posted from triage to fix.