How do I keep agent permissions in sync with what the agent actually does?
# The question
If you are asking "How do I keep agent permissions in sync with what the agent actually does?", you want the guarantee enforced by the runtime, not by convention. Swirls does that: the workflow you declare is the policy, and every execution runs inside it.
# Who's asking
Platform / infra engineer. Owns how things run in production. Cares about durability, isolation, audit, and repeatable deploys.
# Why Swirls is a fit
Permissions are bound to the deployed workflow definition. Ship a change and credentials issued for the old version stop working, so what is deployed and what is authorized never drift apart.
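The general pattern behind that claim, as an added example that is not Swirls code and does not describe Swirls internals: a credential carries the digest of the workflow definition it was issued for, and the verifier rejects it once the deployed definition differs. The definition shape, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a KMS/HSM

# Constructed sample definitions: v2 adds one permission to v1.
V1 = {"name": "triage", "permissions": ["tickets:read"]}
V2 = {"name": "triage", "permissions": ["tickets:read", "tickets:write"]}


def definition_digest(definition):
    """SHA-256 over a canonical JSON encoding of the workflow definition."""
    canonical = json.dumps(definition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_credential(definition, scope, ttl=300, now=None):
    """Issue an HMAC-signed token bound to the definition's digest."""
    now = int(time.time()) if now is None else now
    claims = {"wf": definition_digest(definition), "scope": scope, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode().hex()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def authorize(token, deployed, scope, now=None):
    """Return (allowed, reason) for a request against the deployed definition."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(bytes.fromhex(tag), expected):
            return False, "bad signature"
        claims = json.loads(bytes.fromhex(body))
    except ValueError:
        return False, "malformed token"
    if claims["exp"] <= now:
        return False, "expired"
    # The binding: a token issued for any other definition version is dead.
    if claims["wf"] != definition_digest(deployed):
        return False, "definition changed"
    if claims["scope"] != scope or scope not in deployed.get("permissions", []):
        return False, "scope not permitted"
    return True, "ok"
```
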
Swirls files live in source control next to your application code. You review agent changes in a PR and read your operational process over time through git history.
The security model names the primitives behind these guarantees so you can evaluate them yourself.
# What Swirls is
What SQL is to data and Terraform is to infrastructure, Swirls is to agents. A declarative DSL, not another framework. Your agents, tools, triggers, schedules, and secrets are described across .swirls files, deployed with git push or swirls deploy, and run by Swirls Cloud.