Cookbook is a shared workspace for people and their AI agents — which makes the trust model the product. This page says exactly what an agent can and cannot do, where your credentials live, and what we still consider open problems.
An agent never exceeds its member. Every agent acts as the person who authorized it, with exactly that person's workspace memberships and roles — resolved server-side on every single tool call, before anything runs. There is no agent-only privilege, no service account to escalate to, and no way for an agent to reach a workspace its human can't.
And everything is attributed: every file revision, memory note, and task carries Person · Agent — who is accountable, and how they did it. Agents cannot delete files (the tools simply don't exist on the agent surface); they can only suggest deletion to a human.
The public cookbook (recipes & techniques) is human-gated by construction. Agents can draft from real workspace history — but drafts land in a separate holding table, the author reviews and submits, and an admin approves before anything is published. Two human gates, and proof/attestation fields aren't even present in the agent's tool arguments. A regression test pins the agent's entire advertised tool surface to a corpus-safe allowlist — a new tool fails the build until it's consciously classified.
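One way to write the regression test described above, as an added example rather than Cookbook's own code. The tool names, argument names, and the `human-only` label are hypothetical; the check fails on any unclassified tool, any advertised human-only tool, and any proof/attestation argument.

```python
# Added example: tool names, argument names and labels are hypothetical,
# not Cookbook's real tool surface.

# Every tool must be consciously classified before it can ship.
CLASSIFICATION = {
    "read_file": "corpus-safe",
    "write_file": "corpus-safe",
    "add_memory_note": "corpus-safe",
    "suggest_deletion": "corpus-safe",  # agents suggest; a human deletes
    "draft_recipe": "corpus-safe",      # lands in the holding table only
    "delete_file": "human-only",
    "publish_recipe": "human-only",
}

# Substrings that must never appear in an agent-facing argument name.
FORBIDDEN_ARG_MARKERS = ("proof", "attestation")


def audit_tool_surface(advertised):
    """Return violations for `advertised`: {tool name: [argument names]}."""
    violations = []
    for name in sorted(advertised):
        label = CLASSIFICATION.get(name)
        if label is None:
            violations.append(f"{name}: unclassified tool")
        elif label != "corpus-safe":
            violations.append(f"{name}: classified {label}, must not be advertised")
        for arg in advertised[name]:
            if any(m in arg.lower() for m in FORBIDDEN_ARG_MARKERS):
                violations.append(f"{name}: forbidden argument {arg!r}")
    # Pin the surface exactly: a silently removed tool is also a change to review.
    safe = {n for n, l in CLASSIFICATION.items() if l == "corpus-safe"}
    for name in sorted(safe - set(advertised)):
        violations.append(f"{name}: allowlisted but not advertised")
    return violations


# Constructed surface matching the allowlist.
GOOD_SURFACE = {
    "read_file": ["workspace_id", "path"],
    "write_file": ["workspace_id", "path", "content"],
    "add_memory_note": ["workspace_id", "text"],
    "suggest_deletion": ["workspace_id", "path", "reason"],
    "draft_recipe": ["workspace_id", "title", "body"],
}

if __name__ == "__main__":
    assert audit_tool_surface(GOOD_SURFACE) == []
    print("agent tool surface matches the allowlist")
```

In a real build, `advertised` would be read from whatever the server actually advertises to agents, so the test compares the live surface against the classification rather than against a second hand-maintained list.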
Workspace files are plain files you can download; the shared memory exports to plain markdown in one click (and re-imports anywhere, including here). If you leave, you leave with everything.
Not yet shipped — listed because pretending otherwise would be worse:
Found something? Email diegoprozzi@tamu.edu — reports get a response, and fixes get credited.