Architecture

Creel enforces per-tool isolation — each executor runs in its own container with only the credentials it needs. The LLM never sees secrets. A compromised tool can't reach other tools' data.

Component        | Has access to                                           | Does NOT have
-----------------|---------------------------------------------------------|--------------------------------
Each executor    | Only its own credential (one OAuth scope, one API key)  | LLM, other tools' credentials
Bridge executors | Scoped HTTP token for one macOS app                     | LLM, other bridge endpoints
LLM Runner       | Anthropic API key only                                  | Any tool credentials
Orchestrator     | All secrets, LLM output                                 | Untrusted external input
Key insight: Even if prompt injection occurs (e.g., via a calendar event title), the LLM container has nothing to exfiltrate except its own API key. A compromised executor can only access its one scoped credential — not your email, not your files, not your messages.

System Diagram

Channels (input from users)
  TUI / CLI · iMessage · Telegram · WhatsApp · Webhooks

Orchestrator
  Scheduler, agent loop, prompt builder, output router

Guardian Pipeline
  4-layer safety gate; every tool call passes through here
    ↓ approved

Docker Executors (isolated containers)
  Google Suite · Notion · GitHub · Search · Shell · TTS · Dev Sessions

Host Bridge (macOS native access)
  Notes · Reminders · Things 3 · iMessage · Clipboard
    ↓ JSON results

LLM Container
  Claude; has the Anthropic API key only, no tool credentials
    ↓ response

Output
  Routed back through channels to you

Guardian Pipeline

01  Fast Classifier
    DeBERTa/ONNX model provides instant risk scoring on every input. Catches obvious prompt injection attempts in milliseconds.

02  LLM Judge
    Claude Haiku performs a deeper contextual safety review. Catches subtle attacks that bypass pattern matching.

03  Policy Engine
    YAML-defined rules enforce your explicit constraints. Allow, review, or deny tools by pattern. Block dangerous shell commands.

04  Coherence Check
    Validates that the requested action matches the user's original intent. Detects drift between what was asked and what is being executed.
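An added example, not Creel's own code, of how the Policy Engine layer (03) can evaluate a single tool call: rules are matched against the tool name by glob pattern, first match wins, the default is deny, and shell commands are additionally screened against a denylist. The page does not show Creel's YAML schema or its tool naming, so the rule structure, the tool names such as `gmail.send` and `shell.exec`, and the denylist patterns below are all hypothetical.

```python
import fnmatch
import re
from dataclasses import dataclass

# Hypothetical policy; in Creel this would be loaded from YAML. The same data
# in YAML form would be roughly:
#   default: deny
#   rules:
#     - {tool: "calendar.*", action: allow}
#     - {tool: "gmail.send", action: review}
#   shell_deny: ["<regex>", ...]
POLICY = {
    "default": "deny",
    "rules": [
        {"tool": "calendar.*", "action": "allow"},
        {"tool": "gmail.read*", "action": "allow"},
        {"tool": "gmail.send", "action": "review"},   # human confirms outbound mail
        {"tool": "shell.exec", "action": "review"},
    ],
    # Constructed denylist: commands that should never run even if a rule allows
    "shell_deny": [
        r"\brm\s+-\w*r\w*\s+/(\s|$)",   # recursive delete of the filesystem root
        r"\|\s*(sh|bash)\b",             # piping downloaded content into a shell
        r"\bmkfs\b",                     # reformatting a filesystem
    ],
}


@dataclass
class Decision:
    action: str   # "allow" | "review" | "deny"
    reason: str   # which rule or denylist pattern produced the decision


def evaluate(policy: dict, tool: str, args: dict) -> Decision:
    """Decide one tool call. First matching rule wins; unmatched tools fall back
    to the policy default; a shell denylist hit overrides allow/review with deny."""
    action, reason = policy.get("default", "deny"), "default"
    for rule in policy["rules"]:
        if fnmatch.fnmatchcase(tool, rule["tool"]):
            action, reason = rule["action"], f"rule {rule['tool']!r}"
            break
    if tool.startswith("shell.") and action != "deny":
        command = args.get("command", "")
        for pattern in policy["shell_deny"]:
            if re.search(pattern, command):
                return Decision("deny", f"shell denylist {pattern!r}")
    return Decision(action, reason)


if __name__ == "__main__":
    print(evaluate(POLICY, "shell.exec", {"command": "rm -rf /"}))
```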

30+ Executors

Each executor is a self-contained package with its own Dockerfile. In production, every one runs in an isolated container with --read-only, --cap-drop=ALL, memory/CPU limits, and a 60-second timeout.

📅 Google Calendar: Read and write calendar events via OAuth
📧 Gmail: Read, send, and manage email with scoped access
📁 Google Drive: Read and write files in Drive
📄 Docs / Sheets / Slides: Full Google Workspace document access
💬 iMessage: Send and receive via BlueBubbles or bridge
📝 Apple Notes: Search, read, and create notes
Reminders & Things: Apple Reminders and Things 3 task management
📋 Clipboard: Read and write macOS clipboard via bridge
🔍 Brave Search: Web search via Brave Search API
🌐 Browser: Playwright-based web automation
🌤 Weather: Weather forecasts with no credentials
🔗 Fetch URL: Retrieve and parse web page content
📓 Notion: Read and write Notion pages and databases
🐙 GitHub: Issues, PRs, repos via GitHub CLI
⚙️ Shell Exec: Sandboxed command execution on mounted paths
🛠 Dev Session: Long-lived containerized dev environments
🖥 Host Exec: Run commands on the host via bridge
🔊 Text-to-Speech: ElevenLabs, OpenAI, or local TTS backends