Containment, not trust
Scion, the container runtime, and every agent run inside one isolated machine with rootless podman and an egress allowlist. Host secrets and the LAN simply aren’t reachable; the broker stays host-side, outside the jail.
Lever seals your agents inside a jail with no path to your host, your secrets, or your network. A host-side broker then grants and gates every capability they get: which tools, which operations, which credentials.
By default the broker holds the real model key and injects it host-side; agents carry only a scoped, identity-bound, revocable capability token. A compromised agent leaks nothing reusable.
Each agent reaches MCP tools through a broker that enforces, per verified identity, which tools and operations it may use, with request constraints pinned at mint time.
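The token model described in the two paragraphs above can be sketched as follows. This is an added illustration, not Lever's own code: the HMAC-signed token format and the names `mint`, `authorize` and `revoke` are assumptions, and the identities, tools and constraint values in any call are constructed.

```python
import base64, hashlib, hmac, json, secrets, time

BROKER_KEY = secrets.token_bytes(32)  # signing key; stays host-side with the broker
REVOKED = set()                       # ids of tokens the broker has revoked

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def mint(identity, grants, constraints, ttl=900):
    """Issue a token for one identity; grants and constraints are pinned here."""
    claims = {"jti": secrets.token_hex(8), "sub": identity, "grants": grants,
              "constraints": constraints, "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def authorize(token, verified_identity, tool, operation, request):
    """Broker-side check, default deny. Returns (allowed, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if claims["exp"] < time.time():
        return False, "expired"
    # The identity comes from the broker's own verification of the caller,
    # never from anything the agent writes into the request.
    if claims["sub"] != verified_identity:
        return False, "identity mismatch"
    if operation not in claims["grants"].get(tool, []):
        return False, "tool or operation not granted"
    for key, pinned in claims["constraints"].items():
        if request.get(key) != pinned:  # request must match the mint-time value
            return False, f"constraint violated: {key}"
    return True, "ok"

def revoke(token):
    """Add the token's id to the revocation set; later checks fail."""
    body = base64.urlsafe_b64decode(token.split(".")[0])
    REVOKED.add(json.loads(body)["jti"])
```

A token copied out of one agent fails the identity check when another caller presents it, and it stops working for everyone once revoked.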
Lever wraps Scion, Google’s container-based agent orchestrator, in a containment-and-credential boundary. Scion runs the agents; Lever keeps your real model key out of every container and seals the jail off from your host and LAN, so you can point autonomous coding agents at real work without handing them your secrets. Close egress to the broker alone when you want nothing else reachable.