Your agent can ask.
It can't sign.
DAEMON exists because agents are initiating on-chain actions through tools that can read your private keys. The defense is a boundary, not a promise: keys sealed where agents can't reach, a policy engine in front of every signature, and a receipt after every action.
Keys live in an OS-encrypted vault
Private keys are encrypted with the operating system's key store (DPAPI on Windows, Keychain on macOS) and never written to disk in plaintext. Keys never serialize across the agent boundary, not to your agent, not to us. An agent can request a signature; it cannot read the key, the seed, or the vault file.
A mainnet signer guard in front of every transaction
Every transaction passes a guard before signing. On mainnet, the guard enforces approval requirements and spend caps; nothing signs silently. The guard lives in the execution path itself, so a misbehaving tool or skill cannot route around it.
Policy decides before you ever see a card
Allowlists, per-transaction caps, and cluster rules run on every request. Inside policy, actions auto-approve and you stay out of the loop. Outside policy, you get an approval card with a simulation diff. Unknown programs are blocked outright.
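The three outcomes described above, sketched as an added example (not DAEMON's own code). The class names, the placeholder program IDs, the whole-transaction spend sum, and the choice to send a cluster mismatch to an approval card rather than a block are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_APPROVE = "auto-approve"
    NEEDS_APPROVAL = "approval card"
    BLOCK = "block"


@dataclass(frozen=True)
class Instruction:
    program_id: str   # program the instruction invokes (hypothetical field)
    spend: int = 0    # value leaving the wallet, in base units (hypothetical field)


@dataclass(frozen=True)
class Policy:
    allowed_programs: frozenset  # allowlist of program IDs
    per_tx_cap: int              # largest total spend that may auto-approve
    auto_clusters: frozenset     # clusters where auto-approval is permitted


def evaluate(policy, cluster, instructions):
    """Return (Decision, reasons) for one transaction request."""
    if not instructions:
        return Decision.BLOCK, ["empty transaction"]
    # Unknown programs are blocked outright, before any other rule is consulted.
    unknown = sorted({i.program_id for i in instructions} - policy.allowed_programs)
    if unknown:
        return Decision.BLOCK, [f"unknown program: {p}" for p in unknown]
    if any(i.spend < 0 for i in instructions):
        return Decision.BLOCK, ["negative spend"]
    reasons = []
    # The cap covers the whole transaction, so splitting one transfer
    # across several instructions does not slip under it.
    total = sum(i.spend for i in instructions)
    if total > policy.per_tx_cap:
        reasons.append(f"spend {total} exceeds cap {policy.per_tx_cap}")
    if cluster not in policy.auto_clusters:
        reasons.append(f"cluster {cluster} requires approval")
    return (Decision.NEEDS_APPROVAL if reasons else Decision.AUTO_APPROVE), reasons


if __name__ == "__main__":
    # Constructed sample policy and request; the IDs are placeholders, not real programs.
    policy = Policy(frozenset({"PROG_TRANSFER", "PROG_SWAP"}), 1000, frozenset({"devnet"}))
    split = [Instruction("PROG_TRANSFER", 600), Instruction("PROG_TRANSFER", 600)]
    print(evaluate(policy, "devnet", split))
```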
Risk-tiered tool gateway
Every tool an agent can call is classified: reads run automatically, writes require approval, sensitive operations require typed confirmation. On-chain tools are marked [MAINNET] and re-validate the cluster at execution time.
Agent swarms run sandboxed
Parallel agent lanes run headless in isolated git worktrees with push disallowed and API keys stripped from the environment. A lane can propose work; it cannot exfiltrate credentials or publish code.
A signed receipt for every action
Every executed action records what was requested, which policy approved it, and the resulting signature. Receipts are verifiable against the chain, so you can prove what your agent did, and what it didn't.
An independent security audit has not been published yet. When it is, the full report will live on this page: not a summary, the report. Until then, the signer guard and vault code are open source: read it yourself.
Found something? Report it privately to hello@daemon.computer and we'll respond fast.