Agent limits & safety
Session lifetime, credit usage, sandboxing, and privacy.
Updated · April 2026
The agent is powerful, which means it needs guardrails. This page explains them so there are no surprises.
Session lifetime#
Every agent chat is a session. Sessions have two limits:
- Idle timeout — 15 minutes. If you don't send a message for 15 minutes, the sandbox is torn down. You can reopen the chat to continue, but the session context is reset.
- Max lifetime — 6 hours. Even an actively-used session is hard- capped at 6 hours of total runtime. This exists to prevent runaway loops from consuming credits indefinitely.
Both limits are visible in the agent panel.
Credit usage#
The agent consumes credits based on what it actually does:
| Action | Rough credit cost |
|---|---|
| Short reply, no tool use | Fractional |
| Complex research with 5–10 web searches | 5–15 |
| Building a large list with many filter iterations | 10–30 |
| Multi-step workflow (search → list → summarize → upload) | 20–50 |
The agent shows you estimated cost before expensive operations and asks for confirmation. You can set per-session spending caps in the agent panel settings.
Sandboxing#
Each agent session runs in its own Kata Containers microVM with:
- No shared filesystem across sessions.
- No network access except through an egress proxy with a strict allowlist.
- Dropped capabilities, seccomp profile, non-root user inside the container.
- Per-sandbox API tokens minted at spawn — stealing a token from one sandbox gives you nothing against another.
In plain English: a prompt-injected session can't exfiltrate your data or reach other customers.
Data boundaries#
The agent can only see:
- Your organization's data — parcels, lists, projects, org settings you've exposed.
- Public data — the parcel dataset, community layers, public web.
- The current session's conversation history.
It cannot see:
- Billing details, credit card numbers, or Stripe data.
- Other organizations' data, ever.
- Previous sessions' conversations.
- Your account password or other auth secrets.
Privacy#
Conversations are stored against your organization for 90 days so you can refer back to them. After 90 days they're deleted. You can also delete a session manually at any time from the agent panel's history view.
Nothing you say to the agent is used to train models. Anthropic's API terms apply — see their privacy policy for the upstream detail.
When the agent says "I can't"#
Sometimes the agent will refuse to do something you expected it to be able to do. Common reasons:
- The action is out of scope — e.g., billing operations.
- The tool isn't available in the sandbox.
- The action would exceed the per-session cap.
- The agent isn't confident enough to act without checking in (this is working as intended — rerun with more specificity).
If the refusal seems wrong, rephrase and try again, or escalate to support.