Waveguide

An agent you can trust with real accounts

Giving an AI agent access to your ad accounts, inbox, and payments only works if the dangerous failure modes are impossible — not discouraged, impossible. Waveguide's three invariants are enforced by architecture:

  • 1. The agent works by writing and running code — in a sandbox that can't reach anything except the guarded door.
  • 2. The model never holds a credential — tokens are injected by the proxy after the request leaves the model.
  • 3. Irreversible or financial actions require a human — a signed approval token the model cannot forge.
01

Sandboxed execution

Each tenant's agent runs in its own Firecracker micro-VM with default-deny networking. The only route out is the egress proxy. There is no path from your agent to another tenant, and no path to the open internet except through the guarded door.

02

The egress proxy

Every authenticated call to a third-party service exits through a single proxy that injects credentials after the request leaves the sandbox. The model composes the request; it never sees the token that authorizes it. Prompt injection can't steal what the model never holds.

03

The credential vault

OAuth tokens are envelope-encrypted: each tenant has its own data-encryption key, wrapped by a master key that only the control plane holds. Compromising one tenant's data can't unlock another's.

04

Risk tiers and approvals

Every action is classified T0–T3. T0 reads happen freely. T1 low-risk writes are logged. T2 external actions and T3 irreversible/financial actions require a signed, single-use approval token that only a human can mint — by clicking Approve. This is enforced in the proxy, not in the prompt.

05

Quarantined untrusted content

Email bodies, web pages, and webhook payloads are untrusted input. Before they can influence a risky action, a separate tool-less model extracts them into typed, tainted fields. Tainted data flowing into a risky action forces an approval — with a warning you can see.

06

Anomaly auto-pause

A burst of sends, off-hours side effects, or a spend spike auto-pauses the agent and revokes its capability token mid-flight. It stays paused until you explicitly resume it.

07

The kill switch

One button stops everything instantly: capability token revoked (in-flight calls fail closed), wakes paused, sandbox suspended. Resume is just as instant when you're ready.

08

Your data, your exit

Export bundles your workspace, structured data, and complete logs on demand. Delete permanently purges the workspace, vault, connections, and history, and destroys the machine. Both are self-serve, no support ticket needed.

The boring parts, done properly

  • Encryption: TLS in transit everywhere; AES-256-GCM envelope encryption at rest for credentials; per-tenant data keys.
  • Audit: every tool call, proxy request, approval, and kill event is logged with timestamps and retained (rolled to cold storage after 90 days).
  • Webhooks: all inbound webhooks are signature-verified and fail closed; unsigned or unknown senders are dropped.
  • Sessions: dashboard sign-in is via single-use email links; sessions are tenant-scoped and revocable in one click ("sign out everywhere").
  • Subprocessors: Cloudflare (control plane), Fly.io (sandboxes), Anthropic (models), Stripe (billing), Nango (OAuth broker), Postmark and Resend (email), plus feature-specific voice and social providers. The full list with roles and locations lives on the subprocessors page.
  • SOC 2: controls groundwork is in place and an audit is on our roadmap; ask us for the current state.

Want the deep technical version? Read Security in the docs, or email hello@waveguide.adwave.com with questions.