Agents

Not assistants. Colleagues.

Every agent in Boxes has its own identity, scope, and signature. Each action is cryptographically signed, capability-bounded, and reviewable on a tamper-evident audit log. They draft. You sign.

boxes.sh / Agents · Registry
Agent registry
12 active · 4 on call · 0 quarantined
W3C DID · Ed25519 ACT scoped
AgentScopeStateHealthActions
outreach-agentMailDocs
did:oas:boxes:agent:o7r3-h2x9
send→approved only · spend ≤ $0
ON CALL
99%
142
figs-agentSheetsFiles
did:oas:boxes:agent:f1g5-r2c0
reconcile · flag · approve→human
WORKING
100%
412
recon-agentCalendarMail
did:oas:boxes:agent:r3c0-9a4n
reschedule ≤ 24h · no new events
IDLE
98%
38
deck-agentSlidesDocs
did:oas:boxes:agent:d3ck-pl4n
draft · verify charts · publish→human
ON CALL
100%
7
Identity
W3C DID
did:oas method · open spec.
Signed actions
100%
Ed25519, every action, every surface.
Audit retention
5 yrs
Hash-chained · tamper-evident.
Approvals before send
yes
Configurable per scope.
Identity

Every agent is signed. Every action is provable.

Each agent in Boxes carries a W3C DID — a cryptographic identity unique to your workspace. Every send, draft, edit, and approval is signed with Ed25519. The audit log is a tamper-evident hash chain. Every action is reviewable in five years.

  • W3C DID identity per agent (did:oas:...)
  • Ed25519-signed actions on every surface
  • Tamper-evident hash-chain audit log
  • Standard OpenAgent Specification (OAS) — open and portable
outreach-agent · draft
outreach-agentdrafted · 8 minutes ago
did:oas:boxes:agent:o7r3-h2x9
signed · Ed25519
To: contracts@acme.com · Re: Q3 proposal
Thanks for the kind notes on the balanced variant. Attaching the redlined v3 with the requested term changes — net-45, mutual indemnity, and the data-residency rider you flagged. Happy to walk through it on Thursday at 4 PM if useful.
Confidence
92%
Win prob.
68%
Tone
Matches you
never trained on your content
Capabilities

Capability-scoped from day one.

No agent in Boxes has unbounded permissions. Each one carries an Agent Capability Token (ACT) that says exactly what it can do — which surfaces, which recipients, which amounts, which hours. Exceed the scope, the action is rejected before it leaves the agent.

  • Per-agent capability scopes (Arsenal ACT)
  • Spend limits, recipient allowlists, working-hour boundaries
  • Time-bounded delegation (24h, 7d, until revoked)
  • One-click revocation across every surface
Agent Capability Token · outreach-agent
Capability scopeactive
Surfaces
Mail · Docs
cannot read Files / Slides
Recipients
*@acme.com · *@l1fe.ai
allowlist · 2 patterns
Send action
Draft only — human signs
no autonomous send
Spend cap
$0 · no payments authorized
use arsenal-broker for payments
Working hrs
Mon–Fri · 07:00–20:00 JST
silent outside hours
Validity
Until 2026-06-30 · 47 days remain
auto-revoke at expiry
signed by you · cosigned by workspace owner
Transparency

You see what they did, before and after.

Every agent action surfaces a confidence score, a human-readable rationale, and a one-keystroke approval. Drafts are visible before they're sent. Reconciliations are visible before they're posted. The audit log is queryable by anyone with read access.

  • Confidence scores on every agent draft
  • Plain-English rationale per action
  • Pre-action approval gates (configurable per scope)
  • Audit log queryable by humans and auditors alike
figs-agent · reconciliation receipt
October ledger · reconciled
412 rows · 02:14 → 02:31 JST · 17m 02s
0 errors
Matched
409
Flagged
3
Disputed
0
Stripe · 412 charges · cross-ref to bank statements · ✓
Plaid · 18 ACH transfers · cross-ref to invoices · ✓
Wise · 6 FX events · revalued against close rates · ✓
3 rows flagged — INV-2024-1183 (Northbank GmbH) past due 22 days
sig 0x5e09…91b7
By keyboard

Agent control keys.

Summon any agent · run a taskthenK
Approve current draftthenthenA
Reject and return to agentthenthenR
Open audit log for current agentthenthenL
Open scope editor for current agentthenthenS
Quarantine agent · suspend all actionsthenthenQ
Show all on-call agentsthenthen/
Show all shortcuts?
Three days into Boxes we had nine agents working under our org. Every action is signed. Compliance does not just trust us — they audit us.
Daniel Cole · CIO, Northbank GmbH
Built-in

A workspace built around agent accountability.

What the agent era should have looked like from the start.

Cryptographic identity

Every agent has a W3C DID. Every action is Ed25519-signed.

Capability-scoped

ACTs bound every agent by surface, recipient, spend, and time.

Tamper-evident audit

Hash-chained log. Provable. Replayable. Five-year retention.

Pre-action visibility

Every draft visible before it sends. Approve or reject in one keystroke.

Live wire

Realtime stream of every agent action across your workspace.

MCP-native

First-class Model Context Protocol support. Bring any MCP tool.

BYO model

Use OpenAI, Anthropic, your own. Per-workspace model routing.

Open spec

Built on the OpenAgent Spec. Portable. Standardised. Auditable.

Onboard your first agent in 90 seconds.

Free for solo. 14 days free for teams. Every agent capability-scoped from day one.