Executors
Executors are isolated, stateless data fetchers that run with minimal credentials. Each executor performs a single function (read email, check weather, search the web) and returns JSON to the orchestrator. The LLM never sees executor credentials.
Security Model
| Executor | Credentials | What it can't access |
|---|---|---|
| weather | None | LLM, other credentials |
| gcal / gcal_write | Google OAuth token (scoped) | LLM, other credentials |
| gmail_readonly / gmail_send / gmail_modify | Google OAuth token (scoped) | LLM, other credentials |
| drive / drive_write | Google OAuth token (scoped) | LLM, other credentials |
| bluebubbles / imessage_bridge | BlueBubbles API / Bridge token | LLM, other credentials |
| apple_notes / apple_reminders / things | Bridge HTTP token (scoped) | LLM, other credentials |
| brave_search / fetch_url | Brave API key / None | LLM, other credentials |
| exec | Host filesystem (mounted paths only) | LLM, other credentials |
How Executors Run
- Development: Executors run as subprocesses with secrets injected as environment variables
- Production: Each executor runs in its own Docker container with --read-only, --cap-drop=ALL, memory/CPU limits, and a 60-second timeout
See Container Mode for production deployment details.
Executor Output
All executors output JSON to stdout. The orchestrator collects this output and injects it into the prompt template using {executor_name} placeholders.
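The development-mode flow described above (subprocess with injected secrets, JSON on stdout, placeholder injection), as an added sketch that is not the project's own code. The stand-in executor, the `DEMO_*` variable names, and the functions `run_executor` and `render_prompt` are constructed for illustration.

```python
import json
import os
import re
import subprocess
import sys

TIMEOUT_S = 60  # per-executor timeout stated on this page

def run_executor(argv, secrets):
    """Run one executor subprocess; its environment holds only its own secrets."""
    proc = subprocess.run(
        argv,
        env=dict(secrets),   # nothing inherited from the orchestrator's os.environ
        capture_output=True,
        text=True,
        timeout=TIMEOUT_S,   # raises subprocess.TimeoutExpired on a hung executor
        check=True,          # raises CalledProcessError on a non-zero exit
    )
    return json.loads(proc.stdout)  # non-JSON stdout raises ValueError

def render_prompt(template, results):
    """Fill {executor_name} placeholders in a single pass.

    One pass means placeholder-like text inside executor output is never
    expanded again. Placeholders with no matching result are left untouched.
    """
    def fill(match):
        name = match.group(1)
        if name not in results:
            return match.group(0)
        return json.dumps(results[name], sort_keys=True)
    return re.sub(r"\{(\w+)\}", fill, template)

# Constructed stand-in executor: reports which variables it can see, as JSON.
FAKE_SEARCH = [sys.executable, "-c", (
    "import json, os; print(json.dumps({"
    "'snippet': 'see {gmail_readonly}', "
    "'has_own_key': 'DEMO_BRAVE_KEY' in os.environ, "
    "'sees_other_token': 'DEMO_GMAIL_TOKEN' in os.environ}))"
)]

def demo():
    os.environ["DEMO_GMAIL_TOKEN"] = "constructed-value"  # orchestrator-side only
    results = {
        "brave_search": run_executor(FAKE_SEARCH, {"DEMO_BRAVE_KEY": "constructed-value"}),
        "gmail_readonly": {"unread": 2},  # constructed result, no subprocess needed
    }
    return results, render_prompt("Search: {brave_search}\nMail: {gmail_readonly}", results)

if __name__ == "__main__":
    print(demo()[1])
```

The stand-in executor sees its own key but not the Gmail token held by the parent process, and the `{gmail_readonly}` text inside its output stays literal in the rendered prompt.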