For security

Secure agent sandboxes that minimize blast radius.

Isolated, ephemeral sandboxes with no tokens on the box. Per-user scoping. Ingress/egress rules. Real-time compliance checks. Real-time malicious behavior prevention.

Block access outside a user's scope

# payments-eng
--isolation

Why are Nori cloud agents more secure than local agents?

Risk Nori agents Local agents
Access Isolated sandbox only

The agent never sees the host machine. Work stays inside an ephemeral session

Anything on the laptop

Files, keys, browser sessions, email—the agent can reach whatever the user can

Setup Secure by default

Scopes, ingress/egress rules, and compliance checks ship with the environment

Hard to lock down correctly

Per-machine policies, drift, and exceptions make a secure local setup extremely hard

Credentials No tokens on the box

Short-lived, scoped credentials never enter the session machine

Secrets live on the box

API keys and tokens sit on disk, waiting to walk out with the laptop

--controls

Per user/team scopes.

Define what each person and team can reach. Every session only gets the access its role is granted—nothing more.

Tokens never enter the box, the agent never leaves.

Credentials stay short-lived and scoped. Work stays inside the session. Nothing sits on a laptop waiting to walk out the door.

Fully auditable traces.

Every session and every action is logged and searchable. Answer what ran, where, and on whose behalf—before the incident review.

Prevent non-compliant use.

Legal and regulatory asks are stopped immediately—before the agent answers. Credit decisions, medical advice, and other regulated acts stay with licensed humans.

--ship

Just @nori. It ships.