A personal AI assistant, built secure from the ground up
When you read somebody writing the word “secure” you should immediately mistrust it. By and large, we don’t even know how to define secure and in the history of the internet, whenever some company or researcher claimed: this is secure, a year later we would find out how the system could be broken.
When I write secure here, I don’t mean it in an absolute sense. There is a strong tension between secure and high utility. Humans are terrible at expressing their precise intent in prompts, so the agent has to guess. The boundary between what was intended and what was not is inherently blurry.
My goal is to keep the agent from straying too far across that boundary into clearly unintended territory. The constitution and security policy will help with limiting major unintended consequences but cannot guarantee that nothing unintended is going to happen. When it does, the policy and sandbox constraints are there to limit the damage.
npx @provos/ironcurtain AI agents hold your credentials, process untrusted input from emails and web pages, and execute code with your full permissions. The security model is “hope nothing goes wrong.” A single prompt injection can cause the agent to exfiltrate your data, and the agent has every capability it needs to do so.
The agent gets exactly the capabilities it needs. Everything else is blocked or requires your approval.
The agent is asked to clone a repository and push changes. Both git_clone and git_push are escalated by the policy engine, but the auto-approver approves them automatically. The user's trusted input from command mode (Ctrl-A) provided clear intent, so no manual /approve was needed.
The agent connects to Signal, securely paired with your phone. Send a task from anywhere, get results back over end-to-end encrypted messaging.
You write a constitution for your agent. No DSL, no YAML, no regex. IronCurtain compiles it into enforceable policy.
# Guiding Principles
1. Least privilege: The agent may only access resources explicitly permitted by policy.
2. No destruction: Delete operations outside the sandbox are never permitted.
3. Human oversight: Operations outside the sandbox require explicit human approval.
# Concrete Guidance
- The agent is allowed to read, write and delete content in the Downloads folder
- The agent may perform read-only git operations within the sandbox without approval
- The agent must receive human approval before git push, git pull, or any remote-contacting operation
- The agent must receive human approval before git reset, rebase, merge, or any history-rewriting operation
- The agent may fetch web content from popular news sites
IronCurtain uses standard, unmodified MCP servers. More servers will be integrated into IronCurtain over time.
In theater, an iron curtain is a fireproof safety barrier between the stage and the audience. If something catches fire on stage, the curtain drops and contains the disaster. The agent performs on stage. Your files, your credentials, your systems are in the audience. IronCurtain is the barrier.