Connect any AI host
One command installs the BoxOwl skill into Claude Desktop, Claude Code, Cursor, VS Code Copilot, Gemini CLI, ChatGPT — or any MCP-speaking harness.
Your AI agents, on your trust boundary.
Connect Claude Desktop, Claude Code CLI, Cursor, Gemini CLI, VS Code Copilot, ChatGPT, OpenClaw, or Hermes — three install modes for the fully-local Hermes path. Five minutes from install to first tool call.
The agent asks for what it needs; you authorize each tool, each category, each field. Risky actions pause for a confirmation prompt before they run.
Per-agent audit log on your device. See every tool call, every read, every denied call. Exportable as a signed Open Audit receipt under CC0.
BoxOwl works with whatever AI you already use. The @boxowl/skills installer handles the per-host wiring; Hermes is the recommended fully-local engine, with three install modes to fit your stack.
BoxOwl's substrate isn't the agent — it's what the agent acts through. Per-tool scope grants, a confirm-mode matrix tuned per risk tier, and an audit log that records every move.
Each tool call carries an explicit scope. The agent asks; you authorize once per category, per field. Revoke a scope and the next call returns nothing.
Low-risk tools run silently; medium-risk pause for a yes/no; high-risk demand an explicit acknowledgement of the change being made. Risk tier per tool is the daemon's contract, not the agent's choice.
Every read, every write, every denied call recorded on your device. Login credentials redeem against a one-shot token — the agent never sees the password, only a placeholder the extension fills.
Hermes Agent ships built-in cron, twenty-plus outbound channels, an agentskills.io community catalogue, sandboxing, MCP support. BoxOwl ships the vault, per-field consent, audit log, scope grammar, login redeem, signed skill registry. Paired, the two cover the personal-agent surface without either trying to be the other.
Hermes Agent is third-party MIT-licensed open source. Install whichever orchestration you prefer; the pairing path is documented either way.
We play nicely with your Hermes — or get you set up in one command.
Detect whatever's already running on your machine, point BoxOwl at an endpoint you trust, or cold-start a vetted Docker stack. Either way the daemon writes the same ~/.boxowl/hermes.toml and you're talking to your model in one command. No bundled binary; no second runtime to babysit.
You've already got Ollama, vLLM, llama.cpp, LM Studio, or TGI running. BoxOwl probes the usual ports and picks one up — Hermes-family models win the tiebreak when present.
```
# auto-detect Ollama / vLLM / llama.cpp / LM Studio / TGI
$ boxowl-daemon hermes detect
ok · using ollama at http://127.0.0.1:11434
ok · model: hermes-3-llama-3.1-8b
```
Your runtime lives on another box on the LAN, behind a tunnel, or on a managed Hermes endpoint. Hand BoxOwl the URL and an optional API key.
```
# any OpenAI-shape /v1/chat/completions endpoint
$ boxowl-daemon hermes use https://hermes.example.com/v1 --api-key sk-…
ok · saved · model: hermes-4-70b
```
Cold-start a vetted vLLM + boxowl-daemon stack. --launch runs docker compose up -d, polls the endpoint, and writes hermes.toml when it comes up.
```
# extract template + launch + write hermes.toml when healthy
$ boxowl-daemon hermes docker --launch --gpu 1 --model NousResearch/Hermes-4-70B-Q4
ok · compose at ./docker-compose.yml
ok · vLLM up at http://127.0.0.1:8000 · wrote ~/.boxowl/hermes.toml
```
Free includes three AI agent connections; Hermes (via any of the three modes above) takes one slot. That's the full local-inference path — vault stays on your device, model runs on your hardware, audit log local — at zero cost.
Premium lifts the connection cap to unlimited, runs your own external assistants (Claude, ChatGPT, Cursor, Gemini, …) alongside Hermes, and unlocks cloud-fallback inference for sessions where your hardware can't keep up. See full pricing →
Tier A is fully local — the model itself runs on your hardware. Tier B is partially local — the model vendor sees your prompts, but the vault never leaves your device.
Model inference runs on your hardware. No prompt ever leaves the box. Vault and audit log are already local. This is the only configuration for which we can claim "your AI agents run on your hardware" without qualifiers.
Model vendor sees the prompts you send them — that's the trade for top-shelf model quality. The vault still stays on your device; BoxOwl never relays plaintext credentials. Per-tool scope, confirm-mode, and audit are unchanged.
Install BoxOwl + your favorite AI agent's BoxOwl skill — your assistant walks you through it. Five minutes later, you're done. Your AI never saw your passwords; BoxOwl handled them directly via the daemon's scope-gated vault.passwords:bulk_import tool.
One skill per source: migrate-from-1password, migrate-from-bitwarden, migrate-from-lastpass, migrate-from-chrome, migrate-from-safari. Per-host walkthroughs →
The trust-boundary slice of PAFRAME ships at launch — signed skill registry, vault-event triggers via MCP subscription, push and cloud-mediated email channels for skills that need to reach outside Hermes Agent. The broader framework (skills runtime, deeper outbound channels, cron-wrapper for non-Hermes-Agent users) is post-launch.
Designed to fold into the existing agentskills.io community catalog so seed skills travel through ecosystem rails, not a walled garden.
No surveyed vendor targets the user as data subject with an agent-aware vault. The closest cousins are developer-facing.
| Capability | BoxOwl | 1Password | Bitwarden Secrets Mgr | Composio | Custom MCP |
|---|---|---|---|---|---|
| MCP server out of the box | ✓ | — | — | via SDK | DIY |
| Per-tool scope grants | ✓ | — | team-only | tool-level | DIY |
| Confirmation gating by risk tier | ✓ | — | — | — | DIY |
| Per-agent audit log on device | ✓ | — | cloud-only | cloud-only | DIY |
| Login redeem — agent never sees plaintext | ✓ | — | — | — | — |
| Structured personal data + per-field consent | ✓ | — | — | — | — |
| Open-source daemon + SDKs (Apache 2.0) | ✓ | — | server OSS | SDK OSS | DIY |
| Local-first vault | ✓ | cloud-first | cloud-first | cloud-first | depends |
✓ shipped · — not offered · "DIY" means the surface exists if you build it yourself · "team-only" / "cloud-only" refers to the vendor's tier where the capability is exposed. Composio and Custom MCP are developer-facing; BoxOwl is the only consumer-facing option in this row.
The architecture behind every Pillar 3 capability.
Vault items are encrypted at rest with a key only you can derive. The daemon decrypts in-process to satisfy a scoped read; nothing else.
Every read, write, denied call recorded with actor + tool + scope + result. Exportable as a signed Open Audit receipt under CC0.
One scope per tool, per category, per field. Registered at handler level; the gateway dispatches through it. Adding a tool is registering a scope, not editing a controller.
Risk tier × user-set confirm preference. Low + always_confirm = pause; high + never_confirm = pause anyway. The daemon enforces; the agent doesn't get to choose.
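A sketch of how the scope check, the confirm matrix and the audit record described above can compose in one dispatcher. This is an added example, not BoxOwl's daemon code: `Gateway`, `confirm_action`, the preference name `default`, the tool and scope names, and the medium + never_confirm cell are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = "low", "medium", "high"

def confirm_action(risk, pref="default"):
    """Risk tier x user preference -> 'run', 'confirm' (yes/no) or 'acknowledge'."""
    if risk == HIGH:
        return "acknowledge"          # high pauses even under never_confirm
    if pref == "always_confirm":
        return "confirm"              # low + always_confirm = pause
    if pref == "never_confirm":
        return "run"                  # ASSUMPTION: page leaves medium + never_confirm undefined
    return "confirm" if risk == MEDIUM else "run"

@dataclass
class Gateway:
    tools: dict = field(default_factory=dict)   # tool name -> (scope, risk, handler)
    grants: set = field(default_factory=set)    # (agent, scope) pairs the user authorized
    audit: list = field(default_factory=list)   # one record per call, allowed or denied

    def register(self, name, scope, risk, handler):
        # Scope and risk tier are fixed at registration; a caller cannot override them.
        self.tools[name] = (scope, risk, handler)

    def call(self, agent, name, pref="default", approve=lambda action: False, **args):
        if name not in self.tools:
            return self._record(agent, name, None, "denied:unknown_tool")
        scope, risk, handler = self.tools[name]
        if (agent, scope) not in self.grants:
            return self._record(agent, name, scope, "denied:scope")
        action = confirm_action(risk, pref)
        if action != "run" and not approve(action):
            return self._record(agent, name, scope, "denied:" + action)
        return self._record(agent, name, scope, "ok", handler(**args))

    def _record(self, actor, tool, scope, result, value=None):
        self.audit.append({"actor": actor, "tool": tool, "scope": scope, "result": result})
        return value                  # a denied call returns nothing

def demo():
    # Constructed sample tools and scopes (hypothetical names).
    gw = Gateway()
    gw.register("profile.read_email", "profile:email", LOW, lambda: "a@example.test")
    gw.register("vault.delete_item", "vault.items:delete", HIGH, lambda item: f"deleted {item}")
    gw.call("agent-1", "profile.read_email")                       # no grant yet
    gw.grants |= {("agent-1", "profile:email"), ("agent-1", "vault.items:delete")}
    gw.call("agent-1", "profile.read_email")
    gw.call("agent-1", "vault.delete_item", pref="never_confirm", item="x")
    return [e["result"] for e in gw.audit]
```

The denied calls land in the audit list alongside the allowed one, which is the property to check when reviewing any gateway of this shape: a refusal that leaves no record cannot be audited later.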
Daemon source under Apache 2.0 at /docs, or in the public repo at github.com/BoxOwl-Me/daemon.
Daemon, MCP server, skill catalog, audit log — all open and free. Premium unlocks Pillar 1 + 2 features (Travel Mode, attachments, NightWatch, family vaults). Free · $3/mo Premium · $24/yr annual · Family from $6/mo.
BoxOwl is in private beta. Install the daemon, pick your agent host, grant a few scopes — and watch the audit log fill up with calls you authorized.