From 99b187fa5a0f7080fccadcc89841e11cd32c60a4 Mon Sep 17 00:00:00 2001
From: Dan <dleink@gmail.com>
Date: Fri, 9 Jan 2026 16:31:11 -0800
Subject: [PATCH] Document security model: simple Unix isolation

---
 docs/server-AGENTS.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/docs/server-AGENTS.md b/docs/server-AGENTS.md
index 5ccaac2..ea0e7f5 100644
--- a/docs/server-AGENTS.md
+++ b/docs/server-AGENTS.md
@@ -41,6 +41,19 @@ uv venv && source .venv/bin/activate
 uv pip install <package>
 ```
 
+## Emes Tools (tissue, jwz, idle)
+
+For now, install per-user (lands in `~/.local/bin`, already in PATH):
+
+```bash
+curl -fsSL https://evil-mind-evil-sword.github.io/releases/idle/install.sh | sh
+```
+
+Notes:
+- `idle` installs `tissue` and `jwz` (zawinski) plus `jq` if needed.
+- Use emes tools for agent workflow; this repo still uses beads (`bd`) for
+  infrastructure issue tracking.
+
 ## Resource Limits
 
 Per-user limits are enforced:
@@ -65,6 +78,16 @@ If you hit limits, your processes may be killed. Design accordingly.
 - No inbound ports (use SSH tunnels for local services)
 - Example tunnel: `ssh -L 8080:localhost:8080 dev-server`
 
+## Security Model
+
+Simple Unix isolation - no containers, VMs, or complex sandboxing:
+- Home directories are private (`chmod 700 ~`)
+- Per-user resource limits (memory, processes, network)
+- Watchdogs kill runaway processes
+- Shared tokens via group-readable files
+
+This is a learning environment, not a hostile multi-tenant system.
+
 ## Do NOT
 
 - Run `sudo` (you don't have access)