Show HN: OpenLegion – AI agent fleet with container isolation and vault proxy

  • Posted 3 hours ago by curiouscake
  • 2 points
https://www.openlegion.ai
I built OpenLegion because every AI agent framework I tried had the same problems in production: API keys sitting in config files inside the agent's environment, no way to set hard spend limits, and LLM-as-CEO task routing that's non-deterministic and unauditable.

The short version of what I built:

Security: Every agent runs in its own Docker container or microVM. A vault proxy sits between agents and every LLM call — the agent sends a request, the proxy injects the credential at the network layer, the agent gets back a response. Keys never exist inside the container. Six independent security layers on by default, including per-agent ACL matrices and Unicode sanitization to block invisible-character prompt injection.

Cost control: Per-agent daily and monthly budgets with a hard cutoff enforced at the vault proxy. The agent physically cannot make an LLM call that exceeds its budget. Zero markup on LLM usage — you pay your provider directly at their rates. 100+ providers via LiteLLM with configurable failover chains.

Orchestration: Deterministic YAML DAG workflows. No LLM deciding what runs next. Four patterns: sequential, parallel, supervisor, hierarchical. Every execution path is predictable and auditable.

The rest: Camoufox stealth browser (C++-level anti-detection, CAPTCHA solving), persistent per-agent vector+BM25 memory with temporal decay, MCP tool support, real-time fleet dashboard, Telegram/Discord/Slack/WhatsApp channels, cron + webhook triggering, agents can write and hot-reload their own Python skills at runtime.

The engine is ~30,000 lines of Python with 2,100+ tests. Self-hosted runs on one machine — no Redis, no Kubernetes, just Python 3.10+, Docker, and an API key. Three commands to start.

For context: the dominant framework in this space is OpenClaw (200K+ stars). CVE-2026-25253 was reported in February — critical RCE, 42,000 exposed instances with no authentication, 341 malicious skills confirmed stealing user data. I'm not trying to replace it, but that's why I think this gap exists.

We launched in February 2026. Zero CVEs. BSL 1.1 license — source-available, not open source, and I want to be clear about that. Managed hosting starts at $19/month with a 7-day free trial. Self-hosted is free.

Happy to get specific about the security model or architecture — genuinely curious where people think the threat model breaks down.

https://openlegion.ai | https://docs.openlegion.ai
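
The vault-proxy pattern described in the post (credential injected outside the agent, hard budget cutoff before the call, invisible-character stripping), as an added sketch that is not part of the original post and is not OpenLegion's code. `VaultProxy`, `forward`, `strip_invisible`, the header names and the cent-based budget are all hypothetical, and the provider is a constructed stand-in.

```python
import unicodedata

class BudgetExceeded(Exception):
    """Raised before any upstream call when the budget would be exceeded."""

def strip_invisible(text):
    # Drop Unicode "format" characters (category Cf): zero-width spaces and
    # joiners, bidi controls and tag characters that can hide instructions.
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

class VaultProxy:
    """Hypothetical proxy holding provider keys and per-agent daily budgets."""

    def __init__(self, provider_keys, daily_budget_cents, upstream):
        self._keys = provider_keys          # never handed to agents
        self._budgets = daily_budget_cents  # agent_id -> hard limit (cents)
        self._spent = {}                    # agent_id -> cents spent today
        self._upstream = upstream           # callable(headers, body) -> (reply, cents)

    def forward(self, agent_id, provider, headers, prompt, max_cost_cents):
        # Deny by default: an unknown agent has a zero budget.
        limit = self._budgets.get(agent_id, 0)
        spent = self._spent.get(agent_id, 0)
        # Hard cutoff: refuse up front if the worst case would overshoot.
        # max_cost_cents is assumed to be computed proxy-side (e.g. from max_tokens).
        if spent + max_cost_cents > limit:
            raise BudgetExceeded(f"{agent_id}: {spent}+{max_cost_cents} > {limit}")
        # Discard credential headers the agent supplied, then inject the real key.
        out = {k: v for k, v in headers.items()
               if k.lower() not in ("authorization", "x-api-key")}
        out["Authorization"] = "Bearer " + self._keys[provider]
        reply, cost = self._upstream(out, {"prompt": strip_invisible(prompt)})
        self._spent[agent_id] = spent + cost
        return reply                        # only the response body goes back

# Constructed stand-in for an LLM provider: records what it received.
seen = []
def fake_upstream(headers, body):
    seen.append((headers, body))
    return "ok: " + body["prompt"], 40

proxy = VaultProxy({"demo": "sk-CONSTRUCTED-KEY"}, {"agent-a": 100}, fake_upstream)
```

Stripping every Cf character also removes the zero-width joiner used in some emoji and scripts, so a real deployment would need to decide whether that trade-off is acceptable.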
