// the missing permission layer for agents

Fine-grained tool access
for your AI agents.

BuddyStack hands your agents short-lived, scoped tokens — not your passwords. Restrict GitHub to one repo, Gmail to one sender, Slack to one channel. Every call is proxied, authorized, and logged.

~/projects/acme-api — bash
$
Join the waitlist See how it works ↓
// what's in the box

Six things BuddyStack does that nothing else does together.

01
Resource-specific RBAC
Beyond account-level scopes. Restrict an action to repo=acme/api, channel=#oncall, or sender=*@customer.com — per role, per agent.
02
No long-lived credentials in agent memory
Agents only ever see 1-hour role session tokens. Your OAuth tokens and API keys stay encrypted in the Hub.
03
One CLI for every tool
Discover apps, list actions, inspect schemas, invoke. Same interface across GitHub, Slack, Gmail, Linear, Jira, Sentry — no bespoke integrations.
04
Events without a public IP
The Hub receives webhooks and pushes them down a WebSocket to your daemon. Trigger agents from real-world events without exposing a port.
05
Workflows in plain English
Skip the node-and-graph builders. Describe what you want; the agent composes the authorized tools at runtime.
06
Every call audited
Action logs and trigger logs record what fired, what was authorized, what was denied — written by the same pipeline that enforces the rules.
// security model

The Lethal Trifecta, made visible.

Agent risk isn't just "can it do bad things." It's the combination of access, untrusted input, and external reach. BuddyStack tags every app, action, and role — and warns you the moment a role completes the chain.

Private data
Confidentiality
Untrusted input
Prompt injection
External output
Exfiltration
⚠ critical
all three combined
⚠ Lethal Trifecta detected
role: support-bot
Reads
gmail.email.read · slack.message.read
Personal Public
Writes
slack.message.post
Public
Reads private data and can publish to a public channel — exfiltration path is open.
Save anyway Tighten conditions
// permissions

One role. One purpose. One blast radius.

Bundle a handful of conditioned actions into a Role, and that's all the agent will ever be able to do — even if the prompt tries something else.

role: reviewer
Personal read write
GitHub
pull_request.comment
repo = acme/api
Gmail
email.read
from = *@customer.com
Slack
message.post
channel = #oncall
Linear
issue.update
team = API only
Gmail
email.read
from = personal
Slack
message.post
channel = #general
// runtime

Event in. Audited action out.

Every action your agent takes goes through the Hub — authenticated, authorized against its role, executed with your stored credentials, and written to the action log.

EVENT
External event
PR opened, email received, cron tick…
HUB
Hub
Authenticates · authorizes · proxies · logs
CLI
Your machine
Daemon mints a 1h role token. No public IP needed.
AGENT
Agent run
Claude / Codex spawned with token in env.
// the daemon

One YAML. Every trigger. Every cron.

Point each trigger or cron job at a command and a Role. The daemon subscribes over WebSocket, mints a fresh token on every event, and spawns your agent with it. You never touch role tokens by hand.

  • Fingerprint-unlocked keychain on the user side
  • Per-event ad-hoc role session tokens
  • buddystack run <role> -- <cmd> for one-shots
  • Discovery: list apps, list actions, describe schemas
# ~/.buddystack/config.yaml
triggers:
  - id: pr-opened-acme
    command: claude code "review the PR"
    role: reviewer
 
  - id: prod-error-spike
    command: claude code "investigate sentry alert"
    role: oncall
 
cron:
  - name: morning-digest
    pattern: "0 8 * * 1-5"
    command: claude code "summarize my inbox"
    role: triage
// the alternatives

Why not just give the agent your API key?

BuddyStack
Raw API keys
Workflow engines
Per-resource scopes (one repo, one sender, one channel)
Agent never sees your OAuth tokens or API keys
Triggers without a public IP
Workflows in natural language, not nodes & wires
Audit log of every authorized + denied call
Lethal-Trifecta warnings at role-creation time
// pre-launch

Get on the waitlist.

We're rolling access out slowly. Drop your email and we'll send you a CLI build the moment your slot opens.

no spam · unsubscribe with a single click · we hate cold launches too