Most agent frameworks ask the model nicely to behave. NerdAlertAI doesn't ask — it enforces. Every safety property here is structural: built into the code path, not written into a prompt the model could talk its way around.
You set one number in config. Every tool declares the minimum level it needs. If the tool's floor is above your granted level, the call is refused before the tool ever runs — there is no code path around it.
Time, memory, help. The basics with no outside reach.
Email triage, calendar, weather, web search. Looking, never touching.
Host metrics, SOC dashboards, network telemetry. Observing infrastructure.
Send the email. Write to the repo. Every action raises an approval card first.
Scheduled and triggered actions, with full provenance in the audit trail.
Reserved for the most privileged operations. Most installs never grant it — and that's the point.
Every tool execution — no matter which model, personality, or interface requested it — passes through a single permission broker. The broker checks the trust floor, checks your config, validates the arguments, and raises the approval card when one is required. Modules can't skip the line because there is no other line.
When the agent wants to take a real-world action, you see exactly what it intends to do — the tool, the target, the content — before anything happens. Deny it and the tool simply never runs. There is nothing to roll back, because nothing executed. Even when the agent is operating below a tool's trust floor, it can ask — and that elevation request becomes a card for you to judge too.
The card is raised by the broker, not by the model. A confused or compromised model can't skip it, because the gate sits below the model in the stack.
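As an added illustration, not NerdAlertAI's own code, here is a minimal broker in the shape described above: one granted level from config, a floor declared per tool, argument validation, an elevation card when the floor is above the granted level, and an approval card before any real-world action. The tool names, numeric levels and card format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Constructed example: floors, tool names and the granted level are assumptions, not NerdAlertAI's config.
@dataclass
class Tool:
    name: str
    floor: int                                 # minimum trust level the tool declares
    needs_approval: bool                       # real-world action: always raises a card
    validate: Callable[[dict], Optional[str]]  # error message, or None when args are fine
    run: Callable[[dict], Any]

@dataclass
class Decision:
    status: str                                # ran | refused_floor | refused_args | denied
    cards: list = field(default_factory=list)  # every card shown to the user, in order
    result: Any = None

class PermissionBroker:
    """The single code path for every tool call; the model never calls tool.run itself."""
    def __init__(self, granted_level: int, approve: Callable[[dict], bool]):
        self.granted_level = granted_level     # the one number from config
        self.approve = approve                 # the human's verdict on a card
        self.tools: dict[str, Tool] = {}
        self.audit: list[dict] = []

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def execute(self, name: str, args: dict, requester: str) -> Decision:
        tool, d = self.tools[name], Decision(status="ran")
        # 1. Trust floor: below it the only way forward is an elevation card.
        if tool.floor > self.granted_level:
            d.cards.append({"kind": "elevation", "tool": name, "floor": tool.floor})
            if not self.approve(d.cards[-1]):
                d.status = "refused_floor"
        # 2. Arguments are validated before the action is even offered for approval.
        if d.status == "ran" and (err := tool.validate(args)):
            d.status = "refused_args"
            d.result = err
        # 3. Approval card for real-world actions; denial means nothing executed.
        if d.status == "ran" and tool.needs_approval:
            d.cards.append({"kind": "approval", "tool": name, "args": args})
            if not self.approve(d.cards[-1]):
                d.status = "denied"
        if d.status == "ran":
            d.result = tool.run(args)          # only reachable once every gate passed
        self.audit.append({"tool": name, "from": requester, "status": d.status})
        return d
```

Because `tool.run` is only reachable at the end of `execute`, a denied card leaves nothing to roll back, and the audit entry records which gate stopped the call.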
The design philosophy, in one line: don't tune a prompt to discourage a bad outcome — build the system so the bad outcome has no code path.
Credentials are entered through a loopback-only setup page and stored in your OS keychain. The agent's hard rule: a credential pasted in chat is refused and redirected, no matter who's asking.
Tools are enabled, disabled, and capped in a single config file that you own. The agent can read its limits. It cannot edit them.
Every capability outside the core loop is a module that's dormant by default. Disable one and the agent behaves as if it never existed — no degraded mode, no surprises.