Security Built In, Not Bolted On

Your code stays local by default — connect GitHub only when you choose to. Every agent action logged. Zero-trust execution by design — available on every plan, not just enterprise.

Injection Detection
Agent Monitoring
Command Blocking
No Telemetry

Your Code Stays Local

Tendril agents run on your machine. API calls go directly from your machine to your chosen provider — Tendril servers never see your code or keys. GitHub sync is optional and you control when it happens.

[Diagram: Local Machine (Tendril Agents, supervised; Security Layer: injection scan, budget + sandbox; .git, .ssh, .aws, .env protected) → API call → LLM Provider (Anthropic / OpenAI / Google, your account); response scanned for injection. Our servers: no code access.]

All agent output scanned for injection before processing — protected paths auto-reverted on violation

Multi-Layered Agent Supervision

Every agent action passes through multiple security layers before execution. Injection scanning, command blocking, budget enforcement, and scope monitoring work together to keep agents on track.

Injection Detection

Directional trust model scans all untrusted content — agent output, tool results, file contents, and bash commands — against dozens of patterns across multiple categories.

  • Instruction override and role reassignment detection
  • System prompt extraction attempts blocked
  • Code execution and data exfiltration patterns caught
  • Hidden instruction markers and social engineering flagged

Agent Monitoring

Context-aware pattern detection tracks agent behavior in real time. Different thresholds for read-only, high-frequency, and write operations prevent false positives.

  • Loop detection: same operation repeated triggers quarantine
  • Stall detection: no new files or commands for extended time
  • Edit-cycle detection: repeated edits to the same file flagged
  • Auto-restart for stalled agents with retry context

Dangerous Command Blocking

Every bash command agents attempt to run is pre-screened against destructive patterns. Dangerous commands are blocked before execution.

  • Destructive rm, force push, hard reset blocked
  • Sudo, curl-pipe-shell, wget-pipe-shell caught
  • Fork bombs, device writes, eval injection stopped
  • Agent quarantined immediately on detection

Budget Enforcement

Smart budget system with soft and hard caps. Productive agents get extended budgets — unproductive agents get stopped. Cost velocity monitoring catches rapid burn.

  • Soft cap extends automatically if agent is making progress
  • Hard cap at 2x budget — absolute maximum, non-negotiable
  • Cost-per-minute velocity tracking detects runaway spending
  • Per-agent cost checkpoints for rate analysis

Protected Paths and Sandbox

Critical directories and files are protected from agent modification. Violations trigger automatic file reversion to restore previous state.

  • .git, .ssh, .aws, node_modules directories protected
  • .env files: agents can read but never overwrite
  • Scope violation tracking monitors cross-agent file conflicts
  • Sandbox reverts unauthorized writes via git restore
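A sketch of the kind of pre-write check the protected-path rules above imply, added here as an illustration and not taken from Tendril's code. The function name, verdict strings, the `.env.*` match and the choice to allow reads of protected directories are assumptions; the directory list and the `../../../etc/passwd` case come from this page.

```python
import os
import tempfile

# Directory names taken from the page's protected-path list.
PROTECTED_DIRS = {".git", ".ssh", ".aws", "node_modules"}


def check_access(root, requested, mode):
    """Return 'ALLOW', 'SCOPE_DENIED' or 'PROTECTED_PATH' for a read/write."""
    root = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so a link inside the
    # project that points elsewhere is judged by where it really leads.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return "SCOPE_DENIED"
    if mode == "write":
        # Lower-case so ".GIT/config" cannot slip through on
        # case-insensitive filesystems.
        parts = os.path.relpath(target, root).lower().split(os.sep)
        if any(p in PROTECTED_DIRS for p in parts):
            return "PROTECTED_PATH"
        # Assumption: ".env.local"-style variants count as .env files.
        if parts[-1] == ".env" or parts[-1].startswith(".env."):
            return "PROTECTED_PATH"
    return "ALLOW"


def demo():
    """Run constructed requests against a throwaway project directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        # Constructed symlink that leads out of the project.
        os.symlink(os.path.dirname(root), os.path.join(root, "src", "up"))
        requests = [
            ("src/auth/jwt.ts", "write"),
            ("../../../etc/passwd", "read"),
            ("/etc/passwd", "read"),
            ("src/up/other-project/main.py", "write"),
            (".env", "read"),
            (".env", "write"),
            (".GIT/hooks/pre-commit", "write"),
            ("src/../.ssh/config", "write"),
        ]
        return [(p, m, check_access(root, p, m)) for p, m in requests]


if __name__ == "__main__":
    for path, mode, verdict in demo():
        print(f"{mode:5} {path:32} {verdict}")
```

A check like this runs before the write, so a path can still change between check and use; that gap is why a design such as the one described here also reverts unauthorized writes after the fact.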

Quarantine and Recovery

When an agent trips a security boundary, it is killed immediately and restarted with context about what went wrong. Repeated failures escalate to the user.

  • Auto-restart up to 2 times with retry guidance
  • Third failure escalates: user chooses retry, trash, or manual
  • Every quarantine event logged with evidence
  • Process killed cross-platform (SIGKILL / taskkill)

See It in Action

Real screenshots from Tendril's security monitoring — injection detection and scope violation tracking.

Injection Detection

Agent output scanned in real time against 35 patterns

[Screenshot: Tendril security panel showing a blocked injection attempt]

Scope Violation Tracking

Agents flagged when they access files outside their assigned scope

[Screenshot: Tendril security panel showing a scope violation event]

All Tiers

Every Action, Logged in Real Time

A per-project security feed captures every file read, write, command, injection attempt, scope violation, and budget event. Events are persisted to disk and capped per project to prevent unbounded growth.

Tendril — Security Feed

Timestamp | Agent | Action | Target | Severity
2026-04-16 01:26:31 | Master Agent | FILE_READ | src/auth/session.ts | INFO
2026-04-16 01:26:45 | Sub-Agent #1 | FILE_WRITE | src/auth/jwt.ts | INFO
2026-04-16 01:26:59 | Master Agent | PLAN_CREATED | Implement OAuth flow | INFO
2026-04-16 01:27:13 | Sub-Agent #2 | COMMAND_RUN | npm test -- auth.spec.ts | INFO
2026-04-16 01:27:27 | Master Agent | GITHUB_READ | repo: org/project@main | INFO
2026-04-16 01:27:41 | Sub-Agent #3 | SCOPE_DENIED | ../../../etc/passwd | ERROR
2026-04-16 01:27:55 | Sub-Agent #1 | FILE_WRITE | src/components/Button.tsx | INFO
2026-04-16 01:28:09 | Master Agent | API_CALL | anthropic.com — 14 tokens | INFO
2026-04-16 01:28:23 | Sub-Agent #2 | BASH_BLOCKED | rm -rf / — blocked (sandbox) | ERROR
2026-04-16 01:28:37 | Master Agent | GIT_COMMIT | feat: add auth middleware | INFO

Per-project event log, capped and persisted

Security Questions & Answers

Common questions about how Tendril handles your data, agents, and privacy.

No. Tendril agents run entirely on your local machine. Your source code is never uploaded to Tendril servers. API calls go directly from your machine to your chosen AI provider using your own key. If you choose to connect a GitHub repository, that sync happens between your machine and GitHub — Tendril never receives your code.

Tendril uses a directional trust model. Content generated by Tendril (system prompts, role assignments, planning prompts) is trusted. Content coming from agents or external sources (agent output, tool results, file contents, bash commands) is treated as untrusted and scanned against dozens of injection patterns across multiple categories including instruction overrides, role reassignment, system prompt extraction, and social engineering attempts.

Tendril quarantines the agent — killing its process immediately — then auto-restarts it with retry context instructing it to take a different approach. If the agent fails repeatedly, Tendril escalates to you with options: retry once more, trash the subtask, or handle it manually. Every quarantine event is logged in the security feed.

No. Tendril does not collect usage telemetry, keystrokes, or any code content. You have full visibility into every agent action through the built-in security feed and audit log.

Security Questions?

We're happy to discuss our architecture, agent supervision model, or data handling practices for your organization.

Contact Security Team