Security
PB is built for safe defaults: local-first runtime, explicit invoke, approvals for risky actions, and hard server-side blocks for social execution.
Core model
- Local-first: PB uses Text Generation WebUI at 127.0.0.1:5000.
- No hidden execution: WebChat proposes, user clicks Invoke.
- Block-by-default tools with per-risk policy controls.
- Unified approvals: tool runs and MCP lifecycle actions share one queue.
- Canvas stores outputs only and never executes actions.
Telegram and Slack policy
- Telegram and Slack are chat/inbox/notifications only.
- Tool and MCP execution from social channels is hard-blocked server-side.
- Telegram unknown users are silently ignored unless allowlisted.