Tens of thousands of instances of a popular agentic AI platform sit exposed on the public internet. Hundreds of advisories have been written against it in the months since launch, and its skill marketplace carries roughly one in five entries that are malware. The architectural fault is ambient credential authority in a single process with no audit log.
Ambient authority
The pattern is familiar. One process holds every credential you handed it. The LLM driving that process can call any tool it has been wired to. OAuth scopes were designed for a human at a keyboard, so they are too coarse to constrain an agent operating at machine speed across the full set of scopes you granted. When that process is compromised, or when the model is talked into something you did not intend, the blast radius is everything you can do on the systems those tokens reach.
Per-process credential sprawl is the symptom. A single node process holding the keys to your mail, your chat, your files, and your source control is the failure mode.
Treating it as a configuration problem inside that same process produces a more configurable single point of failure, not a smaller one.
What we built instead
We built wirken so you can break your agent's authority into pieces and audit what it does with each piece. Four mechanisms carry the design.
A typed Rust action enum names every gateable action. The dispatcher matches on the enum at every tool call, the match is total, and the compiler enforces totality, so a gateable action that nobody classified fails to build. A model that emits {"tool": "shell", "command": "rm -rf /"} resolves to Action::ShellExec, which is Tier 3, which prompts you before it runs. The policy decision lives in Rust before the JSON the model produced reaches the tool.
Each channel adapter runs as its own OS process with its own Ed25519 identity. Platform credentials for one chat surface never sit in the same memory as another. The IPC crate's type system makes cross-channel handle conversions a compile error, and the switchboard runs an AuthenticatedChannel check on every inbound frame. A compromise of the Telegram adapter compromises Telegram, not Slack, and not your vault.
Credentials sit in an XChaCha20-Poly1305 vault keyed from your operating system's keychain. Decrypted secrets are wrapped in SecretString, which does not implement Display, Debug, Serialize, or Clone, and memory is zeroed on drop. A stray println!("token: {token}") fails to compile, not at runtime, so a careless debug line cannot accidentally serialize your API key into a log file.
Every session writes a SHA-256 hash-chained event log. The chain head is signed with the agent's Ed25519 key. wirken session verify replays the log offline and re-checks message hashes, deterministic tool results, chain integrity, and the signature on the head. "What did my agent do in this session?" has an answer you can verify after the fact, not a transcript you have to trust.
What this project deliberately does not do
We do not put the LLM in the gating path. The Action enum is type-checked Rust. A model that mistranslates English into JSON cannot silently degrade your security posture, because the policy decision is made in Rust before the JSON reaches the tool. Adding a new gateable action requires the Rust compiler to flag every match site. The model proposes; the dispatcher decides; the audit log records.
We do not host workflows in the switchboard. Workflows belong in skills. A skill can implement multi-agent shapes internally, including planner-executor splits, voting, and self-critique. The switchboard routes; the routed surface is the skill. Hosting an FSM in the switchboard would widen the trusted base for every workflow that anyone anywhere wants to run, and the trusted base is exactly what wirken keeps small.
The name
The original Gebrüder Ottenheimer was a cotton and linen weaving mill in Württemberg, founded in 1862 by Salomon and Joseph Ottenheimer. The mill wove isolated threads into a usable fabric. This project does the same with isolated communication channels. The rest of that history, including the forced sale in 1937 and what the name commits the project to remember, sits at the historical brief.
Your agents or operators will hold the credentials this decade. We built wirken so that stays your choice, with enough evidence in the audit log to answer for it after the fact.