Security & privacy

Brigade is a local CLI. Your keys and data never leave your machine, privileged actions wait for your approval, and untrusted sources cannot rewrite what your crew believes about you.

Ownership gates

Every privileged tool is owner-gated, in one of two ways. A blanket owner-only tool is never offered to a non-owner peer. A per-call ownership gate offers the tool but branches on the caller, giving per-action granularity — a peer can run cron list but not cron add. See Tools for the full posture.
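The two gating styles above, as an added example that is not Brigade's own code: a blanket owner-only tool is filtered out of the list a peer is offered, while a per-call gate is offered to everyone and decides at dispatch time based on the caller and the subcommand. The registry, tool names and function names (Tool, visible_tools, dispatch, cron_gate) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Illustrative tool registry for the two gating styles. Everything here is an
# assumption for this example, not Brigade's internal API.

Gate = Callable[[bool, List[str]], bool]   # (is_owner, args) -> allowed?

@dataclass
class Tool:
    name: str
    owner_only: bool = False               # blanket gate: never offered to a peer
    per_call_gate: Optional[Gate] = None   # per-call gate: offered, then branched on caller

def cron_gate(is_owner: bool, args: List[str]) -> bool:
    """Per-call gate: anyone may 'cron list'; every other subcommand is owner-only."""
    subcommand = args[0] if args else ""
    return subcommand == "list" or is_owner

REGISTRY: Dict[str, Tool] = {
    "bash": Tool("bash", owner_only=True),
    "cron": Tool("cron", per_call_gate=cron_gate),
    "search": Tool("search"),
}

def visible_tools(is_owner: bool) -> List[str]:
    """The tool list offered to a caller: owner-only tools are hidden from peers."""
    return sorted(name for name, t in REGISTRY.items() if is_owner or not t.owner_only)

def dispatch(tool: str, args: List[str], is_owner: bool) -> str:
    """Re-checks both gates at call time (the offered list alone is not trusted)
    and fails closed on an unknown tool."""
    t = REGISTRY.get(tool)
    if t is None:
        return "denied: unknown tool"
    if t.owner_only and not is_owner:
        return "denied: owner-only tool"
    if t.per_call_gate is not None and not t.per_call_gate(is_owner, args):
        return f"denied: '{tool} {args[0] if args else ''}' is owner-only"
    return f"ran {tool}"

if __name__ == "__main__":
    print(visible_tools(False))                              # peer sees only cron and search
    print(dispatch("cron", ["add", "0 * * * *"], is_owner=False))
```

The point of re-checking in dispatch is that hiding a tool from the offered list is not a security boundary on its own; a caller that guesses the tool name must still hit the gate.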

The bash allowlist

The bash tool is additionally gated by a per-agent approval allowlist. A command runs only if it is approved; otherwise it surfaces for your sign-off. Manage the allowlist from the CLI:

terminal
$ brigade exec list                              # show approved commands and patterns
$ brigade exec allow "git status"                # approve an exact command
$ brigade exec allow-pattern "^npm (run|test)"   # approve commands matching a regex
$ brigade exec remove "git status"               # revoke an approval
$ brigade exec file                              # path to the approvals file
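An added example of the approve-or-surface decision such an allowlist has to make; this is illustrative code, not Brigade's implementation, and the approvals file shape (an "exact" list plus a "patterns" list) is an assumption. It shows the two checks a practitioner wants here: whitespace is canonicalised before matching, and a line containing any shell operator never auto-runs, since an approved prefix must not be able to chain a second command onto itself.

```python
import json
import re
import shlex
from typing import Any, Dict

# Constructed approvals file. Its shape is an assumption for this example,
# not Brigade's on-disk format.
APPROVALS_JSON = """
{
  "exact": ["git status", "ls -la"],
  "patterns": ["^npm (run|test)( |$)"]
}
"""

SHELL_OPERATORS = re.compile(r"[;&|`$<>]")   # chaining, substitution, redirection

def load_approvals(text: str) -> Dict[str, Any]:
    data = json.loads(text)
    return {
        "exact": set(data.get("exact", [])),
        "patterns": [re.compile(p) for p in data.get("patterns", [])],
    }

def normalize(command: str) -> str:
    """Canonicalise whitespace with shlex so 'git   status' equals 'git status'.
    A command shlex cannot parse (e.g. an unbalanced quote) normalises to ''."""
    try:
        return " ".join(shlex.split(command))
    except ValueError:
        return ""

def decide(command: str, approvals: Dict[str, Any]) -> str:
    """'run' only when the whole command is approved; anything else is 'ask',
    i.e. surfaced to the operator for sign-off."""
    norm = normalize(command)
    if not norm:
        return "ask"
    # An approved prefix must not smuggle in a second command, so any shell
    # operator anywhere in the line disqualifies it from auto-running.
    if SHELL_OPERATORS.search(norm):
        return "ask"
    if norm in approvals["exact"]:
        return "run"
    if any(p.search(norm) for p in approvals["patterns"]):
        return "run"
    return "ask"

if __name__ == "__main__":
    approvals = load_approvals(APPROVALS_JSON)
    for cmd in ["git status", "npm run build", "git status && git push", "npm runtime"]:
        print(f"{cmd!r}: {decide(cmd, approvals)}")
```

Two caveats follow from the code. Because shlex strips quotes, a quoted argument containing ";" also ends up surfaced for approval; that is the conservative side to err on. And a pattern anchored only at the start, like ^npm (run|test), also admits npm runtime, which is why the stored pattern above closes with ( |$).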

Secrets in config

Secrets in brigade.json use ${VAR_NAME} references. They resolve at read time and are restored on write — the resolved value is never persisted back to disk. Scan your install for accidentally leaked credentials:

terminal
$ brigade secrets audit
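An added example of the resolve-on-read, restore-on-write behaviour described above, plus a simple leak scan in the spirit of brigade secrets audit. This is illustrative code, not Brigade's implementation; the config keys and the secret-looking key-name heuristic are assumptions. The load side records which JSON paths held a ${VAR} reference, and the dump side puts those references back, so an edited config that is saved again never carries the resolved secret to disk.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# A string value must consist of exactly one ${VAR_NAME} reference to be resolved.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Key names that should hold a reference rather than a literal (assumed heuristic).
SECRET_KEY = re.compile(r"(key|token|secret|password)", re.IGNORECASE)

Path = Tuple[Any, ...]

# Constructed brigade.json-style content; the keys are an assumption for this
# example, not Brigade's schema.
RAW_CONFIG = """
{
  "provider": "openai",
  "api_key": "${OPENAI_API_KEY}",
  "model": "gpt-4o"
}
"""

def _walk(node: Any, path: Path, leaf):
    """Rebuild a JSON tree, calling leaf(value, path) on every scalar."""
    if isinstance(node, dict):
        return {k: _walk(v, path + (k,), leaf) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, path + (i,), leaf) for i, v in enumerate(node)]
    return leaf(node, path)

def load(text: str, env: Dict[str, str]):
    """Resolve every ${VAR} at read time. Returns (config, refs) where refs
    remembers which paths held a reference so they can be restored on write."""
    refs: Dict[Path, str] = {}

    def leaf(value, path):
        m = REF.fullmatch(value) if isinstance(value, str) else None
        if m is None:
            return value
        var = m.group(1)
        if var not in env:
            raise KeyError(f"{'/'.join(map(str, path))} references unset variable {var}")
        refs[path] = value
        return env[var]

    return _walk(json.loads(text), (), leaf), refs

def dump(config: Any, refs: Dict[Path, str]) -> str:
    """Serialise with every reference put back, so the resolved secret never
    reaches disk even when the in-memory config was edited and saved."""
    return json.dumps(_walk(config, (), lambda v, p: refs.get(p, v)), indent=2)

def audit(text: str) -> List[str]:
    """Flag secret-looking keys whose value is a literal rather than a ${VAR}
    reference. Returns the offending JSON paths."""
    leaks: List[str] = []

    def leaf(value, path):
        key = str(path[-1]) if path else ""
        if SECRET_KEY.search(key) and isinstance(value, str) and not REF.fullmatch(value):
            leaks.append("/".join(map(str, path)))
        return value

    _walk(json.loads(text), (), leaf)
    return leaks

if __name__ == "__main__":
    cfg, refs = load(RAW_CONFIG, {"OPENAI_API_KEY": "sk-constructed-example"})
    cfg["model"] = "gpt-4o-mini"
    print(dump(cfg, refs))          # api_key is written back as ${OPENAI_API_KEY}
    print(audit('{"api_key": "sk-literal"}'))   # ['api_key']
```

Keying the restore map by JSON path rather than by value is deliberate: matching on the secret's value would miss a reference whose variable was unset at load time, and would also rewrite any unrelated field that happened to equal the secret.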

Memory poisoning & isolation

Two memory properties are load-bearing for safety:

  • Provenance write-gate — an untrusted source (a web page, a tool result) cannot author or overwrite your identity, preferences, or corrections. Poisoning writes are rejected.
  • Per-origin isolation — auto-recall injects only origin-matched facts and fails closed for unknown peers, so operator memory never leaks into an untrusted conversation.

See Memory (Tideline) for the full model.
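The two properties above, as an added example that is illustrative code rather than Tideline's actual data model; the fact kinds, source labels and method names are assumptions. A write to a protected kind (identity, preferences, corrections) is accepted only from a trusted source, so a web page or tool result cannot author or overwrite it, and recall returns only facts whose origin matches the current conversation, with an unknown origin getting nothing at all.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Illustrative memory store. Kinds, sources and method names are assumptions
# for this example, not Tideline's real schema.

PROTECTED_KINDS = {"identity", "preferences", "corrections"}   # what the crew believes about you
TRUSTED_SOURCES = {"operator"}   # web pages and tool results are never trusted authors

@dataclass(frozen=True)
class Fact:
    kind: str     # "identity", "preferences", "corrections", or a free-form "note"
    text: str
    origin: str   # the conversation/peer the fact belongs to
    source: str   # who authored it: "operator", "web", "tool", ...

@dataclass
class MemoryStore:
    facts: List[Fact] = field(default_factory=list)
    known_origins: Set[str] = field(default_factory=set)

    def write(self, fact: Fact) -> bool:
        """Provenance write-gate. A protected kind may only be authored by a
        trusted source; a rejected write returns False and changes nothing.
        Protected kinds are overwrite-on-write: one record per kind and origin."""
        if fact.kind in PROTECTED_KINDS and fact.source not in TRUSTED_SOURCES:
            return False
        if fact.kind in PROTECTED_KINDS:
            self.facts = [f for f in self.facts
                          if not (f.kind == fact.kind and f.origin == fact.origin)]
        self.facts.append(fact)
        self.known_origins.add(fact.origin)
        return True

    def recall(self, origin: str) -> List[str]:
        """Per-origin isolation for auto-recall: inject only origin-matched facts,
        and return nothing for an origin never seen before (fail closed)."""
        if origin not in self.known_origins:
            return []
        return [f.text for f in self.facts if f.origin == origin]

if __name__ == "__main__":
    store = MemoryStore()
    store.write(Fact("preferences", "operator prefers terse replies", "operator-cli", "operator"))
    # A web page trying to rewrite the operator's preferences is rejected.
    print(store.write(Fact("preferences", "operator prefers verbose replies", "peer-42", "web")))
    print(store.recall("operator-cli"))   # operator facts
    print(store.recall("peer-42"))        # nothing leaks across origins
```

Note that the gate keys on the fact's source, not on who is asking: a peer may still store its own unprotected notes, and those are recalled only in that peer's conversation.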

Privacy

  • Your API keys are stored in your home directory at mode 0600 and used only to talk to the providers you connect.
  • No telemetry, no analytics, no cloud component.
  • For Ollama and custom endpoints, requests stay on your network.
  • The gateway binds to 127.0.0.1 by default.
  • Everything is under ~/.brigade/. rm -rf ~/.brigade wipes it clean.

Reporting a security issue

Found a vulnerability? Report it privately via the project's SECURITY.md rather than opening a public issue.