Commander runs autonomous agents on hardware we control — and the second you give an agent shell access, the security floor stops being a checkbox and becomes the product. Wave 1 of the founder revamp landed today: an encrypted secret vault, an append-only audit log, and a risk classifier in front of every tool call. All deployed, all behind founder-only auth, all green.
Project-scoped secrets — API keys, OAuth tokens, deploy credentials — are encrypted at rest with a master key that never leaves the box. Listing them returns names only; raw values are never readable back through the API once stored. The agent loads decrypted material into process memory at run-time only, and the privileged surface sits behind the same authentication gate every other internal endpoint uses.
Every meaningful event — vault access, tool invocation, plan submission, approval, denial — writes a line to a per-project append-only ring. The ring is bounded but never overwritten in place: rotation cuts a new ring and timestamps the old one. The point isn't compliance theatre. It's that when an agent does something surprising, you can read exactly what happened, in order, without trusting the agent to tell you.
An autonomous agent without an audit log is a black box that touched your production. We don't ship those.
Every tool call is classified against an existing taxonomy — read / write / network / shell / approval-required — and the agent loop is gated accordingly. Read-only calls pass straight through. Anything that mutates real-world state hits an approval gate that the founder console (and, eventually, the customer dashboard) can answer. The classifier is data, not code: adding a new tool is a taxonomy entry, not a new branch.
The remaining Wave-1 tasks are queued — the customer-facing handoff into the public Commander surface, the rest of the privileged route mounts, and the move from the current internal hostname to its locked operations target. Public launch still gates on the activation triggers from the Commander licensing decision; this is foundation work, not GA.