The public demo intentionally uses in-memory gateways, but the execution model is designed as if it were operating against live systems.
Every task declares the capabilities it requires. Agent sessions are created with an explicit capability set. The policy engine checks the requested task against the granted capabilities and fails closed.
Practical effect:
- a read-only GitHub agent cannot open a PR
- a briefing agent cannot place portfolio actions unless explicitly granted
- a personal assistant agent can read wearable context without being able to modify unrelated systems
Each spawned agent has its own session id and history. Persistent memory is bounded to that session; one-shot specialists do not inherit unrelated context.
This matters because multi-agent systems become brittle when state leaks across workflows. A PR review agent should not inherit portfolio notes, and a trading workflow should not inherit inbox context.
Results are sanitized before they are logged or returned. The demo redactor handles several common secret patterns and is easy to extend.
The architectural point is more important than the regex list: logs should be treated as an exposure boundary.
Every execution path records:
- actor
- task name
- outcome
- timestamp
- redacted detail
This makes the system easier to debug and easier to trust.
The public repo deliberately stops short of touching real external systems. “Open PR” and “rebalance portfolio” are represented as simulated actions that still produce human-readable artifacts.
That is the right boundary for a portfolio project because it proves the integration pattern without requiring real credentials or risky side effects.
- connector-specific service accounts
- expiring credentials and secret managers
- approval gates for destructive operations
- structured traces and replayable audit events
- rate limiting and backoff on external systems
- per-domain data retention rules