Ashe is Nimbus8's agent runtime. It runs little scheduled workflows — "hands" — that call tools, models, and APIs on a tick. The first design decision we made: no hand can do anything destructive without asking. Not once per session. Not once per hand. Every single call.
The anti-pattern we were trying to dodge
You've seen this movie. A user installs an LLM-powered agent. The agent, three tool calls deep into a confident loop, decides the right way to clean up the Downloads folder is rm -rf. Twenty minutes later the user is on a forum asking if there's an undo button. There isn't.
The fix in most products is to add a blocklist. The fix in Ashe is to invert the defaults: nothing is allowed unless it was explicitly allowed, in this context, for this run.
Capability tokens, not roles
Every tool Ashe exposes carries a capability token: a typed descriptor of what it would do (read file at path X, write to path Y, POST to URL Z, send an iMessage, etc.). When a hand tick fires, the agent model proposes a sequence of tool calls. Ashe walks the sequence, and for any call whose capability token isn't already in the "allowed for this run" set, it pauses the hand and shows you a confirmation sheet with the exact call that's about to happen.
You can approve it for this call, for this run, or for all runs of this hand. Granularity is deliberate. "Approve once" is the default. You have to consciously opt into a broader scope, and you can revoke any saved scope from Settings > Ashe > Trust.
What counts as destructive
Anything that writes. Anything that sends. Anything that touches the network in a non-idempotent way. Anything that modifies system state — calendar, reminders, photos, files. Reads are not destructive (but they still require file-level permission, because reading is how exfiltration starts).
We err on the side of asking. The worst outcome in agent UX is the one where you didn't consent and something happened anyway. The second worst is asking too often — we accept that cost consciously.
The activity feed is the receipt
Every tool call, model call, and hand tick lands in a live activity feed. You can scroll it at any time and see exactly what happened, in order, with timings. If a hand fails or is interrupted by a confirmation, the feed shows the partial sequence up to that point. Nothing is ever hidden from the feed. The feed is local-only; it's not uploaded anywhere.
The result
Hands in Ashe feel less like "AI does stuff for me in the background" and more like "a careful intern who asks before anything big." That's deliberate. You should be able to enable a hand on your own device and go to sleep knowing the worst it can do is wait for you.
Tagged Ashe · Published Apr 04, 2026 · Back to all posts