Trust Levels

Trust levels define the tier of privilege an agent operates at. They form a strict ordering:

untrusted < sandboxed < trusted < privileged

The trust level determines:

  • Which capabilities can be declared in the manifest
  • Which kernel enforcement profiles are applied
  • What resources the agent can access by default

Levels

untrusted

Maximum isolation. Reserved for agents that should have no meaningful access to the system, such as untrusted third-party code, test agents, or proofs of concept.

Default capabilities: None (must be explicitly listed)
Typical use: tool.invoke:echo only

spec:
  trust_level: untrusted
  capabilities:
    - tool.invoke:echo

sandboxed

Standard level for most agents. Has access to a curated set of tools and can read/write within declared path scopes. Cannot access host-level resources.

Typical capabilities: fs.read, fs.write:<path>, tool.invoke:*, memory.read:*, obs.append

spec:
  trust_level: sandboxed
  capabilities:
    - tool.invoke:lm.complete
    - tool.invoke:fs.read
    - fs.read:/home/agent/**
    - memory.read:*
    - memory.write:*
    - obs.append

trusted

Broader access. Can write files to wider path scopes, access the local network, use secrets, and spawn child agents.

Typical capabilities: All sandboxed capabilities plus fs.write:<wide-path>, net.local, secret.use:* (subject to policy)

spec:
  trust_level: trusted
  capabilities:
    - tool.invoke:lm.complete
    - tool.invoke:web.fetch
    - tool.invoke:web.search
    - tool.invoke:fs.read
    - tool.invoke:fs.write
    - fs.write:/home/agent/research/**
    - secret.use:openrouter-key
    - obs.append

privileged

Full access within the agent world. Reserved for system-level agents (e.g. the root orchestrator). privileged does not mean host root access; the runtime system directories (/usr, /lib, /bin) are always outside every agent's write scope.

Note: Use privileged sparingly. Most agent workloads should use sandboxed or trusted.

spec:
  trust_level: privileged
  capabilities:
    - "*.*"

Enforcement

Trust levels affect the kernel profiles derived at spawn time:

  • untrusted: strictest seccomp allowlist, most restrictive AppArmor profile, lowest cgroup cpu.shares
  • sandboxed: standard seccomp allowlist, AppArmor profile for workspace access only
  • trusted: expanded seccomp, AppArmor allows broader network and file access
  • privileged: minimal restrictions, but still isolated from host system paths

Capability Escalation

An agent cannot declare capabilities that exceed its trust level. The daemon validates capability declarations at spawn time. If an agent at sandboxed trust level attempts to declare a capability reserved for trusted agents, the manifest is rejected.

Runtime capability grants (via ash grants or the escalation hierarchy) can temporarily extend an agent's capabilities within the bounds of its trust level.
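The spawn-time check described above, as an added example that is not the ash daemon's own code: it ranks the four trust levels, maps each capability family to the lowest level that may declare it (a mapping assumed from the "Typical capabilities" lists on this page, not a project constant), and rejects a manifest whose capabilities exceed its declared level. The same bound is reused for runtime grants.

```python
from fnmatch import fnmatchcase

# Strict ordering from this page: untrusted < sandboxed < trusted < privileged
TRUST_ORDER = ["untrusted", "sandboxed", "trusted", "privileged"]

# Lowest trust level at which a capability family may be declared.
# Assumed for illustration from the "Typical capabilities" lists above.
MIN_LEVEL = [
    ("tool.invoke:echo", "untrusted"),
    ("tool.invoke:*",    "sandboxed"),
    ("fs.read",          "sandboxed"),
    ("fs.read:*",        "sandboxed"),
    ("memory.read:*",    "sandboxed"),
    ("memory.write:*",   "sandboxed"),
    ("obs.append",       "sandboxed"),
    ("fs.write:*",       "trusted"),
    ("net.local",        "trusted"),
    ("secret.use:*",     "trusted"),
    ("*.*",              "privileged"),  # wildcard-all; also catches unlisted families
]

def rank(level):
    """Position of a trust level in the ordering; unknown levels are rejected."""
    if level not in TRUST_ORDER:
        raise ValueError(f"unknown trust level: {level}")
    return TRUST_ORDER.index(level)

def required_level(cap):
    """Lowest trust level that may hold `cap`: the least level among matching rules."""
    matches = [lvl for pat, lvl in MIN_LEVEL if fnmatchcase(cap, pat)]
    return min(matches or ["privileged"], key=rank)

def within_bounds(level, cap):
    """True if `cap` may be declared or granted at `level` (used for runtime grants too)."""
    return rank(required_level(cap)) <= rank(level)

def validate_manifest(spec):
    """Return the capabilities exceeding spec['trust_level']; an empty list means accepted."""
    level = spec["trust_level"]
    return [c for c in spec.get("capabilities", []) if not within_bounds(level, c)]

if __name__ == "__main__":
    # Constructed manifest: the sandboxed example from this page plus one trusted-only capability.
    spec = {"trust_level": "sandboxed",
            "capabilities": ["tool.invoke:lm.complete", "fs.read:/home/agent/**",
                             "memory.write:*", "obs.append", "net.local"]}
    print("rejected capabilities:", validate_manifest(spec))
```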