Lumirain
Download
← Research
system-card

Interaction System Card

Interaction System Card
Lumirain

If you're going to hand work to an AI coworker that acts, you have a right to know how it will — and won't — operate. This System Card sets out Interaction's capabilities and limits, how it runs and stays isolated, and its stance on permissions and privacy.

This document describes design intent and the current implementation. Specific capabilities depend on the version you run; for anything safety-related we describe only what is already in place, not what is planned. We update this card as capabilities grow.

1 · What it is

Interaction is an AI coworker that does the work, on macOS and iOS. It has two modes:

  • Chat — instant questions and discussion. Ask and think out loud.
  • Task — hand off something that takes several steps, and it researches, acts, and corrects itself on your device, then hands the result back. E.g. "Pull this week's emails that still need a reply into a list, sorted by urgency."

The two flow together: think it through, then hand it off; you can also step in mid-task to adjust.

2 · Capabilities

Within the scope you grant, Interaction can:

  • Break down a goal into an executable multi-step plan.
  • Act on your machine — run commands, read and write files, operate app interfaces (Computer Use): it actually clicks, edits, and saves.
  • Go online when needed — gather information and synthesize a usable result.
  • Correct itself — catch its own mid-task mistakes and redo them, rather than delivering something half-done.
  • Choose across models — pick the right underlying model per sub-task, transparently to you.

What it delivers is something you can review and use with light edits — a list, summary, report, table, draft, or small tool — not just advice.

3 · How it runs and stays isolated

Interaction deliberately does the work as close to you as possible:

  • Tasks run on your device, using your local files and apps, rather than uploading everything to a remote service to process.
  • The parts that run commands or take action happen in a controlled local sandbox, isolated from the rest of your system, so the blast radius of any single action stays small.
  • Outbound access goes through a narrow egress rather than arbitrary direct connections — what it can reach is controlled and auditable, not open by default.
Engineering note: the exact shape of host-side execution + sandbox isolation + egress control evolves by version; we keep the wording conservative and don't over-promise details that aren't yet stable.

4 · Permissions and the trust model

We don't ask for broad permissions before you've seen it work.

  • Trust grows: start with small things, earn the bigger ones.
  • Important or irreversible actions go through you: deleting, sending, publishing, and paying don't happen without your knowledge.
  • The process is visible and traceable: what it did, which files it changed, and why — you can always see.
  • Autonomy within bounds: inside the scope you set it makes its own calls to avoid interrupting you; outside it, it stops and asks.

5 · Data and privacy

  • Local-first: the files and context a task touches stay on your device wherever possible.
  • Minimal egress: only what's necessary to finish the task leaves the device, and through the narrow egress.
  • Explainable destinations: when the web or a model is involved, where data goes and why is, by design, something we can account for.
The specific data flows, retention, and third-party model boundaries follow the privacy policy and the current implementation.

6 · Limits and boundaries

Use it with the right expectations:

  • It is not always right. Like any coworker it will sometimes misjudge; high-risk, irreversible decisions should be confirmed by you.
  • It doesn't carry the final responsibility for you. It delivers results; the important decisions stay in your hands.
  • Its abilities depend on the permissions you grant and the environment it's in: give it less, and it can do less — a deliberate safety tradeoff.
  • It is not an AI companion: its goal is to get work done, not to keep you company.

7 · Our safety stance

Putting "acts on its own" and "can be trusted" in one product is the hardest — and most important — thing to get right in this category. Our tradeoffs always lean toward: we'd rather it can do less at first, as long as you can see exactly what it's doing at every step. Sandbox isolation, narrow egress, confirmation on important actions, a traceable process — these aren't switches bolted on afterward; they're the foundation. When we introduce stronger autonomy, we describe the constraints that come with it in the same breath.