Waveguide

How it works

Waveguide is an agent runtime: an always-on system that runs an AI agent for your business, safely. Here’s the mental model, top to bottom.

Event-driven, not polling

Your agent doesn’t sit in a loop asking “anything new?” It wakes on signals:

  • a lead submits a form or replies to an email,
  • a connected platform pushes a webhook (new Meta lead, Stripe payment, calendar change),
  • a campaign metric crosses a threshold,
  • a scheduled digest time arrives (morning and evening on Starter, plus midday on Growth and Scale),
  • or you message it directly from Slack, Telegram, or the dashboard.

Each signal becomes exactly one session: the agent boots with the signal as context, does the work, reports, and goes back to sleep. One session runs at a time per tenant — the agent never trips over itself — and you can watch sessions live in the dashboard.

The sandbox

Each business gets its own isolated micro-VM (a Firecracker sandbox) with a persistent workspace volume. Inside it, the agent works the way a capable engineer would: it writes and runs code, uses skills (structured playbooks for campaign ops, lead triage, creative generation), and keeps notes in its workspace between sessions.

The sandbox’s network is default-deny. The only way out is the egress proxy.

The egress proxy

Every call to an external service — Gmail, Meta, Stripe, even the AI model itself — exits through a single proxy that:

  1. checks the session’s capability grant (what providers, what scopes, what risk ceiling),
  2. injects credentials from the vault after the request leaves the sandbox — the model composes requests but never sees a token,
  3. classifies the action’s risk tier and blocks T2/T3 actions that lack a signed approval token,
  4. logs everything to the audit trail.

This is why prompt injection is contained: even a fully compromised model can’t exfiltrate credentials it never had, and can’t execute an irreversible action without a token only you can create.

Sessions, approvals, and the pause

When the agent hits an action above its autonomy level, the session parks: the sandbox suspends (you’re not paying for idle compute), an approval card goes to your channels, and a 15-minute timer starts. Approve, and the session resumes exactly where it left off, with a single-use token authorizing that specific action. Deny or let it expire, and the agent notes it and moves on.

Wavetable: the loop ledger

Everything meaningful the agent learns or does is recorded in wavetable, a per-tenant structured ledger: leads, creative assets, campaigns, events, and the attribution links between them. It’s what makes the morning brief coherent (“this lead came from that ad, which used this creative”) and what makes your data exportable as structure, not just logs.

Budgets

Model usage is metered per token, priced to the cent, and rolled up nightly. Your plan includes a monthly model budget; Budgets & billing covers the 80/100/120% guardrails. The agent also routes work by cost — light scheduled work runs on a fast, cheap model; complex interactive work gets the strong one.

What runs where

LayerTechnology
Control plane, API, dashboardCloudflare Workers
Agent sandboxesFly.io Firecracker micro-VMs
ModelsAnthropic Claude (Haiku / Sonnet / Opus)
Loop ledgerPer-tenant SQLite (Durable Objects)
BillingStripe

For the security details of each layer, read Security.