How do I let an agent read untrusted input safely?
#The question
When someone asks "How do I let an agent read untrusted input safely?", they want enforcement, not guidelines. With Swirls the declaration is the enforcement: agents, tools, and secrets are scoped in .swirls files and the runtime holds every run to them.
#Who's asking
Technical operator automating a process. "My boss tasked me with automating this." Not scared of a config file, ships small wins and grows them.
#Why Swirls is a fit
Credentials only narrow. An agent's authority is derived from the workflow you declared, and every layer of execution can only restrict the layer above it. There is no path for an agent to escalate its own access.
Agents call deterministic workflows as tools. Each node has a typed input and output schema, so tool execution is scoped, repeatable, and auditable instead of free-form model output.
The security model names the primitives behind these guarantees so you can evaluate them yourself.
#What Swirls is
Swirls is the deployment target for agentic systems. The whole system lives in .swirls files: agents, deterministic workflows your agents call as tools, typed schemas, triggers, schedules, and scoped secrets. You author and validate those files on your machine, then ship them with git push or swirls deploy. The hosted runtime takes it from there.