// security model

Secure because your phone is not a shell.

Agent Tick does not accept arbitrary remote prompts, remote commands, or remote terminal input. The local agent defines a bounded request; Agent Tick routes only the allowed response back.

The remote surface can answer the question. It cannot change the question.

Allowed
  • Selected response: approve, deny, or choose from options the local agent already supplied.

Blocked
  • New remote prompt
  • Remote shell command
  • Terminal input stream

// what it cannot do

What remote surfaces cannot do

Agent Tick narrows the remote surface to bounded request/response routing. The Native App and Personal Console are decision surfaces, not executors.

No remote shell

The Native App and Personal Console cannot run commands on your machine.

No arbitrary prompt input

You cannot type a new instruction into the local agent from the phone.

No permission skipping

Agent Tick preserves the review point instead of bypassing it.

No broad executor

The remote surface only answers the request shape the local agent created.

No workflow takeover

Execution stays inside the local agent environment.

No hidden black box requirement

You can inspect and self-host the service as a Self-Hosted Deployment.

// bounded loop

The remote surface can answer the question. It cannot change the question.

The important boundary is the response shape. Agent Tick can return the selected option or approval result for the request that already exists; it cannot invent a new command or prompt for the local agent to run.

1. Local Agent Interface: creates bounded request
2. Agent Tick: routes request
3. Native App / Personal Console: user selects allowed answer
4. Agent Tick: returns selected response only
5. Local Agent Interface: continues locally or stops safely
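
A sketch of how the local side of this loop could enforce the response shape, added here as an example and not taken from Agent Tick's code; every class, field and option name is an assumption. It also applies two behaviours the FAQ states: a denial stops the action, and the first answer resolves the request.

```python
# Added illustration; all names are hypothetical, not Agent Tick's API.
import secrets
from dataclasses import dataclass, field
from typing import Optional

RESPONSE_KEYS = {"request_id", "selected"}  # assumed response fields
SHAPE_ERROR = "rejected: unexpected response shape"


@dataclass
class BoundedRequest:
    question: str
    options: tuple                 # fixed by the local agent at creation time
    request_id: str = field(default_factory=lambda: secrets.token_hex(16))
    answer: Optional[str] = None   # set once; the first answer wins


class LocalGate:
    """Local-side check: a response may select an option, never add one."""

    def __init__(self):
        self.pending = {}

    def ask(self, question, options):
        req = BoundedRequest(question, tuple(options))
        self.pending[req.request_id] = req
        return req

    def resolve(self, response):
        # Any extra field (a smuggled command or prompt) fails the shape check.
        if not isinstance(response, dict) or set(response) != RESPONSE_KEYS:
            return SHAPE_ERROR
        rid, selected = response["request_id"], response["selected"]
        if not isinstance(rid, str) or not isinstance(selected, str):
            return SHAPE_ERROR
        req = self.pending.get(rid)
        if req is None:
            return "rejected: unknown request"
        if req.answer is not None:
            return "rejected: already resolved"
        if selected not in req.options:
            return "rejected: option not offered"
        req.answer = selected
        # Execution stays local: the caller acts on this verdict, not on remote text.
        return "stop" if selected == "deny" else "continue"
```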

// tradeoff

The tradeoff Agent Tick is designed around

Agent Tick does not claim the same “full control” as sitting at the terminal. It preserves the boundary that matters: no arbitrary remote command or prompt channel.

Local-only
  Keeps: Control + security
  Gives up: Speed
  Why it matters: The run stalls when you step away.

Remote shell/full-auto
  Keeps: Speed
  Gives up: Security boundary
  Why it matters: Too much authority moves to the remote surface.

Agent Tick
  Keeps: Speed + bounded security
  Gives up: Arbitrary remote control
  Why it matters: The local agent keeps control of the request shape.

// trust and self-hosting

You do not have to trust hosted Agent Tick as a black box.

Hosted Agent Tick is convenience. The security model is intentionally narrow and inspectable: source-available code, self-hostable service, revocable agent connections, and bounded request/response routing.

Source-available

Inspect how bounded request routing works before relying on it.

Self-hostable

Run the service on your own infrastructure as a Self-Hosted Deployment.

Minimal routed content

Bounded request details, allowed responses, selected answer, and routing metadata.

Revocable connections

Agents and devices can be disconnected when access should end.

// security faq

Security FAQ

Can the phone run commands?

No. The Native App can answer bounded requests. It cannot open a shell or execute commands on your machine.

Can I type arbitrary instructions remotely?

No. The remote surface cannot change the request shape. It can only choose from the allowed responses created by the local agent.

What gets sent through Agent Tick?

Request type, prompt/context needed to decide, allowed responses, selected response, and routing metadata.

What stays local?

The working tree, terminal, commands, agent process, and execution environment stay in your local agent environment.

What happens when I deny a Sanction?

The local agent receives the denial and should stop or choose a safer path instead of continuing the requested action.

Can I answer locally instead of from the Native App?

Yes. A Mirrored Prompt can be answered in the Local Agent Interface or in the Native App. The first answer resolves it everywhere.

Can I self-host?

Yes. Agent Tick is source-available and self-hostable for users who want to run the service on their own infrastructure.

Why use hosted Agent Tick at all?

Hosted Agent Tick is convenience: setup, routing, and push delivery without running your own service. The security model stays intentionally narrow either way.