SHEPHERD
Self-extending AI agents. Sandboxed by default.
Phase 1: Live
How it works
Send a message. Get sandboxed execution.
01
Send
A message arrives via Telegram or gRPC. The agent receives intent and context.
02
Sandbox
Code is SAST-scanned, compiled to WASM, and executed inside a wazero sandbox with capability tokens.
03
Result
Output is returned. Every action is logged to an HMAC-chained audit trail. No side effects leak.
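Step 02 says the sandboxed code runs "with capability tokens", and the security model adds that those tokens come with URL allowlists and a TTL. The following Go sketch is an added illustration of what such a token and its check can look like; it is not Shepherd's code. Only the ingredients come from the page (HMAC-SHA256 tags, a TTL, a URL allowlist); the claim layout (ext/allow/exp), the token format and the names Mint and Authorize are this example's assumptions, and the key in main is a placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Capability is the claim set a token carries. The field names are this example's
// assumptions; the page only says tokens carry a TTL and a URL allowlist.
type Capability struct {
	Extension string   `json:"ext"`
	Allow     []string `json:"allow"` // permitted origins, scheme://host[:port]
	Expires   int64    `json:"exp"`   // unix seconds
}

var enc = base64.RawURLEncoding

func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Mint issues a token good for ttl: base64url(claims) "." base64url(HMAC-SHA256(key, claims)).
func Mint(key []byte, ext string, allow []string, ttl time.Duration, now time.Time) string {
	body, _ := json.Marshal(Capability{Extension: ext, Allow: allow, Expires: now.Add(ttl).Unix()})
	return enc.EncodeToString(body) + "." + enc.EncodeToString(tag(key, body))
}

// origin reduces a target URL to lower-cased scheme://host. Parsing instead of
// prefix-matching the string is what makes https://api.example.com@evil.example/
// resolve to evil.example rather than pass as api.example.com.
func origin(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// Authorize is the check the host runs before making an outbound request on
// behalf of the sandbox: signature first, then TTL, then allowlist. nil means go.
func Authorize(key []byte, token, target string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return err
	}
	if !hmac.Equal(sig, tag(key, body)) { // constant-time compare, before trusting the claims
		return errors.New("invalid signature")
	}
	var c Capability
	if err := json.Unmarshal(body, &c); err != nil {
		return err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return errors.New("token expired")
	}
	o, err := origin(target)
	if err != nil {
		return err
	}
	for _, a := range c.Allow {
		if strings.ToLower(a) == o {
			return nil
		}
	}
	return fmt.Errorf("%s is not in the allowlist for extension %q", o, c.Extension)
}

func main() {
	key := []byte("example-only key; use 32 bytes from crypto/rand") // assumption
	now := time.Now()
	tok := Mint(key, "weather", []string{"https://api.example.com"}, 5*time.Minute, now)
	for _, target := range []string{
		"https://api.example.com/v1/forecast",
		"https://api.example.com@evil.example/", // real host is evil.example
		"http://api.example.com/",               // scheme downgrade
	} {
		fmt.Printf("%-40s -> %v\n", target, Authorize(key, tok, target, now))
	}
	fmt.Println("after TTL ->", Authorize(key, tok, "https://api.example.com/", now.Add(6*time.Minute)))
}
```

Two choices matter more than the format: the tag is checked with hmac.Equal before the claims are even parsed, so a forged or spliced body never reaches the JSON decoder, and the allowlist is compared against the parsed origin rather than the raw string, which is what stops the userinfo trick in main. The host, not the WASM guest, holds the key and runs Authorize; the guest only ever sees the token.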
Security model
Three layers. Zero trust.
SAST
Static analysis before compilation. Blocks os.Getenv, hardcoded secrets.
WASM
wazero sandbox. 30s timeout. 10MB memory. No filesystem access.
Policy
Capability tokens. URL allowlists. HMAC-chained audit log.
What's built
Phase 1 — live and verified.
SAST Scanner: 11 tests
Capability Tokens: HMAC-SHA256
Audit Log: SQLite + HMAC
WASM Runtime: wazero, 30s timeout
gRPC Contract: Protobuf, buf CI
Rate Limiting: token bucket
71 tests. All green.
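The SAST Scanner listed above enforces two rules the page names: no os.Getenv, no hardcoded secrets. As an added example of how such a pre-compilation gate can be built with only the Go standard library, the block below walks the extension's AST rather than grepping its text, so an aliased import (import o "os") cannot slip past the denylist. It is written for this page, not taken from Shepherd's scanner; the rule names, the os.LookupEnv entry, the secret-name heuristic and the Sample input are all constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

type Finding struct {
	Line   int
	Rule   string
	Detail string
}

// deniedCalls are import-path-qualified functions an extension may not call
// (os.Getenv is the one the page names; os.LookupEnv is this example's addition).
var deniedCalls = map[string]bool{"os.Getenv": true, "os.LookupEnv": true}

// secretName is a heuristic for identifiers that usually hold credentials (assumed).
var secretName = regexp.MustCompile(`(?i)(secret|passw(or)?d|api_?key|token)`)

// Scan parses src as one Go file and returns every violation in source order.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Map local package names to import paths so `import o "os"` cannot dodge
	// the denylist. Dot-imports (import . "os") are not handled by this sketch.
	pkgs := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		pkgs[name] = path
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
				if id, ok := sel.X.(*ast.Ident); ok {
					if q := pkgs[id.Name] + "." + sel.Sel.Name; deniedCalls[q] {
						out = append(out, Finding{fset.Position(x.Pos()).Line, "denied-call", q})
					}
				}
			}
		case *ast.ValueSpec: // var/const name = "..."
			for i, id := range x.Names {
				if i < len(x.Values) {
					out = append(out, secretFinding(fset, id.Name, x.Values[i])...)
				}
			}
		case *ast.AssignStmt: // name := "..." or name = "..."
			for i, l := range x.Lhs {
				if id, ok := l.(*ast.Ident); ok && i < len(x.Rhs) {
					out = append(out, secretFinding(fset, id.Name, x.Rhs[i])...)
				}
			}
		}
		return true
	})
	return out, nil
}

// secretFinding flags a credential-looking name bound to a string literal.
func secretFinding(fset *token.FileSet, name string, v ast.Expr) []Finding {
	lit, ok := v.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING || !secretName.MatchString(name) {
		return nil
	}
	if len(strings.Trim(lit.Value, "`\"")) < 16 { // short values are placeholders, not secrets
		return nil
	}
	return []Finding{{fset.Position(lit.Pos()).Line, "hardcoded-secret", name}}
}

// Sample is a constructed extension that aliases the os package and embeds a key.
const Sample = `package ext

import o "os"

var apiKey = "sk_live_0123456789abcdef"

func Run() string { return o.Getenv("HOME") }
`

func main() {
	findings, _ := Scan("ext.go", Sample)
	for _, f := range findings {
		fmt.Printf("ext.go:%d %s %s\n", f.Line, f.Rule, f.Detail)
	}
}
```

Working on the AST also gives line numbers for free and ignores calls that only appear inside comments or string literals, which a regex would flag. What this sketch does not do is type-check: a local variable that shadows the package name, or a function value obtained from os.Getenv and called later, needs go/types to resolve, and that is the next step a real scanner takes before the code is handed to the WASM compiler.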
Roadmap
Honest about where we are.
Phase 1 — Live
- WASM Sandbox
- SAST + Tokens
- HMAC Audit Log
- gRPC + buf CI
- Rate Limiting
Phase 2 — Q2 2026 — Next
- Extension Versioning
- Scratchpad
- mTLS
- Log Rotation
Phase 3 — Q3 2026 — Planned
- Multi-User
- OPA Policies
- Human Approval
- NIS2 Mapping
Phase 4 — Q4 2026 — Planned
- Web UI
- 1000+ Scale
- Multi-Tenant
- Dual-Agent
Self-extending AI agents don't need god-mode permissions. They need boundaries that prove themselves.
Risk Reduction
Every agent action is sandboxed, scanned, and audit-logged. No silent failures, no untracked side effects.
Compliance Path
HMAC-chained audit trail, capability tokens with TTL, and static analysis create a verifiable trust chain.
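What "HMAC-chained" buys, and where it stops, is cheap to show. The Go example below is added here and is not Shepherd's audit log (the page says that one lives in SQLite; this keeps rows in memory): the Entry layout, the Actor field and the Verify/head convention are assumptions. Each row's tag is HMAC-SHA256 over the previous tag plus the row, so editing, reordering or deleting any row breaks every tag after it. Silently dropping the newest rows is the one tamper a bare chain cannot see, which is why Verify also takes the expected head tag.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit row. Tag = HMAC-SHA256(key, previous tag || JSON of the
// other fields), so any change to an earlier row changes every later tag.
type Entry struct {
	Seq    int    `json:"seq"`
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Tag    string `json:"tag,omitempty"`
}

// payload is the bytes the tag covers: the previous tag, then this row without its own tag.
func (e Entry) payload(prev []byte) []byte {
	e.Tag = ""
	body, _ := json.Marshal(e)
	return append(append([]byte{}, prev...), body...)
}

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// AuditLog is an in-memory stand-in for the SQLite table the page describes.
type AuditLog struct {
	key     []byte
	entries []Entry
	head    []byte // tag of the newest row
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// Append links a new row to the current head and returns its hex tag.
func (l *AuditLog) Append(actor, action string) string {
	e := Entry{Seq: len(l.entries), Actor: actor, Action: action}
	l.head = mac(l.key, e.payload(l.head))
	e.Tag = hex.EncodeToString(l.head)
	l.entries = append(l.entries, e)
	return e.Tag
}

// Entries returns a copy of the rows; Head is the newest tag, which should be
// published or stored somewhere the log writer cannot reach.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }
func (l *AuditLog) Head() string     { return hex.EncodeToString(l.head) }

// Verify recomputes the chain from the first row and returns the index of the
// first row whose tag or sequence number does not fit, or -1 if every link
// holds. If head is non-empty the final tag must equal it; that is what catches
// truncation from the end, which the chain alone cannot.
func Verify(key []byte, entries []Entry, head string) int {
	var prev []byte
	for i, e := range entries {
		want := mac(key, e.payload(prev))
		got, err := hex.DecodeString(e.Tag)
		if err != nil || e.Seq != i || !hmac.Equal(got, want) {
			return i
		}
		prev = want
	}
	if head != "" && (len(entries) == 0 || entries[len(entries)-1].Tag != head) {
		return len(entries)
	}
	return -1
}

func main() {
	al := NewAuditLog([]byte("example-only audit key")) // assumption
	for _, a := range []string{"sast:pass", "wasm:run weather", "http:GET https://api.example.com/v1"} {
		al.Append("agent-1", a)
	}
	rows, head := al.Entries(), al.Head()
	fmt.Println("intact:", Verify(al.key, rows, head)) // -1
	rows[1].Action = "wasm:run nothing"
	fmt.Println("row 1 edited:", Verify(al.key, rows, head)) // 1
	rows = al.Entries()[:2]
	fmt.Println("last row dropped, head unknown:", Verify(al.key, rows, ""))    // -1
	fmt.Println("last row dropped, head anchored:", Verify(al.key, rows, head)) // 2
}
```

The last two lines of main are the caveat a compliance reviewer should ask about: a chain proves integrity back from whatever head you trust, so the head has to be anchored outside the log (a separate store, a periodic signed export, or simply the operator's own copy of the latest tag). The key must likewise be held by the host, not by anything the sandboxed extension can read, or the chain can be rewritten end to end.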
Proven Isolation
WASM sandbox with no filesystem access, memory limits, and execution timeouts. Not theoretical — running in production.
Low Overhead
Single Go binary. Docker Compose up. gRPC contract. No Kubernetes required, no vendor lock-in.