Safety
OS-tool approval, PII blocking, GitHub/Gmail/GDrive/Calendar controls, intent-based authorization, risk scoring, CEL, prompt policy, and sandbox enforcement.
Contextual policies, cost controls, risk escalation, and the Omnibox OS sandbox.
documented
Omnigent’s policy engine is the part that makes the meta-harness idea operational. Policies intercept actions such as tool calls, LLM requests, and file operations, then return ALLOW, ASK, DENY, or no opinion. Source: policy overview.
Most tool allowlists are static. Omnigent policies maintain state across the session: cumulative cost, tool-call history, data classification labels, and custom policy state. That enables spend caps, rate limits, risk scoring, model routing, and approval gates that get stricter as context changes. Sources: policy overview, Databricks contextual policies blog.
OS-tool approval, PII blocking, GitHub/Gmail/GDrive/Calendar controls, intent-based authorization, risk scoring, CEL, prompt policy, and sandbox enforcement.
Per-session budgets, per-user daily budgets, task-switch detection, and routing trivial work away from expensive models.
Source: built-in policies.
Omnibox restricts filesystem, network, and environment access. Linux uses Bubblewrap namespaces plus seccomp. macOS uses Seatbelt / sandbox-exec. If a sandbox is requested and unavailable, Omnigent errors rather than silently running unsandboxed. Source: OS sandbox config.
The OS sandbox applies to sys_os_* tool calls and declared terminals that reference the policy. The docs say it does not automatically sandbox MCP server subprocesses or the Omnigent supervisor process. Source: OS sandbox config.