Agents that ask before they act.
An AI agent is a program that can touch your data, spend your money, and talk to the outside world on your behalf. Most agent products ask you to trust them with all three at once. GnamiAI is built on the opposite assumption: the agent has no capability it wasn't explicitly granted, every destructive move pauses for a signed approval, and the entire runtime lives in a browser tab you can close.
Pillar 1 — Granular permissions
Capabilities are scoped per role and per resource. Connecting a provider doesn't grant shell access. Installing a skill doesn't grant the network. Loading memory doesn't grant writes. The default is deny; each capability is an explicit, named grant.
Pillar 2 — Human-in-the-loop
Any action flagged destructive, irreversible, or side-effectful against a third party pauses the turn. The UI shows you exactly what the agent wants to do, in what context, against which account. You approve or reject. The agent does not proceed without an approval record tied to the turn.
Pillar 3 — A real dashboard, not a chat
Approvals, memory, budgets, skills, subagents, schedules — these aren't buried in a chat thread. They're their own pages. You can audit your agent without scrolling a transcript.
Pillar 4 — Signed skill registry
Skills are the way an agent learns new behavior. In GnamiAI they're plain-text SKILL.md files. Skills installed from an external URL are fetched server-side, content-classified to reject HTML and binary payloads, and NUL-byte-scrubbed before they're stored. The registry roadmap adds signature verification and a manual review gate before community skills can be distributed.
Pillar 5 — Zero-config memory
Conversational memory shouldn't require JSON surgery. GnamiAI connects
to Mem0 with one API key; facts you want the agent to remember long-term
get saved with /remember or via a structured agent action.
Memory is scoped to your account by default, or to an entity id you
provide if you want cross-tool continuity.
Pillar 6 — Multi-agent, capability-scoped
Specialized subagents hand tasks to each other with context slices, not full transcripts. A research subagent doesn't get your memory. A coding subagent doesn't get your skills registry. Capability scoping is the handoff contract, not a suggestion.
Where this goes next
The current hosted build runs entirely in the browser. There is no shell, no file-system mount, no background daemon. That constraint is load-bearing: capabilities that don't exist can't be toggled on by a jailbreak prompt.