Governance is the architecture.
Rigs was designed for a world where software operates desktops. That forces a stricter model than classic VDI: scoped principals, expiring credentials, isolated sessions, and a complete audit trail.
Six layers, fail-closed.
Identity & sessions
Every request authenticates through Keystone Auth v4. Browser sessions are cookie-bound; programmatic access uses bearer tokens. IAM and entitlement checks resolve per request — fail-closed, never cached past their validity.
Tenant scoping
Rigs are visible only inside their org and project. The console, SDK, REST API, and MCP server all resolve the same tenant context — there is no unscoped view of the fleet, including for us.
Capability-level scopes
rigs:instances:read, rigs:instances:create, rigs:instances:control, and rigs:agent:invoke are independent OAuth scopes. Tokens carry the minimum capability for the job; destructive lifecycle actions require the control scope.
Short-lived credentials
Live-session credentials are minted on demand, scoped to one rig, and expire in minutes. They are never persisted server-side and never written to the rig filesystem.
Per-rig isolation
Each desktop session gets its own network and filesystem namespace on the sandbox runtime. macOS executes on sanctioned Apple hardware; Windows and Linux run on the L1fe-managed runtime. Stateless rigs leave nothing behind.
Audit & attribution
Provisions, lifecycle actions, credential mints, and agent invocations are attributed to a principal and metered through Garden. Agent calls route through POST /api/agent/invoke so automation is never anonymous.
Autonomy with a leash.
Letting agents drive desktops is the point of Rigs — and the reason its agent surface is the most constrained one.
Tool gating
Agent tools require rigs.agent.invoke plus the underlying instance permission — two checks, not one.
Principal separation
Agents act as their own principals. Their usage, actions, and credentials are attributed separately from the humans who configured them.
Blast-radius control
Concurrency quotas and capability scopes bound what any single agent can spin up or destroy.
Human takeover
A human can attach to any live session with minted credentials — observation is a feature, not a backdoor.
Found something?
Report suspected vulnerabilities through the contact form with the topic set to Security review. We acknowledge within one business day and keep you informed through remediation.