Connectors catalog


A connector is one integration an agent can reach, and every connector maps to exactly one grant you turn on per agent.


The filesystem tools read folders you point an agent at. A connector reads something else: a personal store on your Mac, a workspace account, a database. Each one is a thin reader, scoped to one grant, off until you flip it. This page maps each connector to its grant. For the rule those grants obey, read the grant model first; the catalog rides on top of it.

Three kinds of gate

Where the data lives decides what stands between an agent and a connector. There are three answers, and a connector belongs to exactly one.

A macOS Privacy pane
The native stores already on your Mac. Calendar, Reminders, Notes, Contacts, Messages, and Mail read their local databases directly, so macOS gates them under a Privacy category (Calendars, Reminders, Full Disk Access). The agent grant is a per-agent toggle; the OS prompt is the second lock, and you grant Conifer once in System Settings.
A network token
Slack and the connector pack reach an account over the network. The gate is a token you paste once: a bot token, a fine-grained access token, a database JWT. The value crosses one boundary into the keychain and is never handed to the model. Nothing local is being read, so there is no Privacy pane to grant.
A keyring credential, through the CLI
The business and developer connectors run today through conifer connect: a data-only manifest driven across the same egress firewall as everything else. The credential lives in your keyring under a named key; the manifest resolves it at call time and never sees the secret in plain text.

Native stores on your Mac

These read what is already on the machine and sync it nowhere. Every one is read only by design. An agent summarizes your day from the calendar but cannot create, edit, or delete an event; it recalls a note but never writes one. Messages and Mail go through Full Disk Access because they read their local stores directly, the same path Notes and Contacts use.

The native connectors and the grant each one maps to
| Connector | What the agent can do | Grant / gate |
| --- | --- | --- |
| Calendar | Read events, read only. | Connect Calendar · Calendars |
| Reminders | Read your lists, read only. | Connect Reminders · Reminders |
| Notes | Read every folder and note, read only. | Connect Notes · Full Disk Access |
| Contacts | Read your address book, read only. | Connect Contacts · Full Disk Access |
| Messages | Read the local store, read only. | Connect Messages · Full Disk Access |
| Mail | Read the mailboxes on your Mac, read only; never sends. | Connect Mail · Full Disk Access |
| Speech | Speak a short answer aloud through the system voice. | Speak answers (no store, no pane) |

Speech is the one output connector and the one that touches no personal data: it reads nothing and needs no Privacy pane.

Network accounts

Take Slack. Connecting it per agent grants read access to the channels you pick and nothing else: the bot has to be in a channel to read it. Writing is a separate grant, and a stricter one. Posts and reactions are staged, not sent. The agent drafts a message but never puts it on the wire until you confirm, so a silent post has no path.

The connector pack

Twenty business and developer integrations run through the CLI connector layer: GitHub, GitLab, Linear, Sentry, Postgres, Supabase, Cloudflare, Jira, Asana, Discord, Notion, Obsidian, Stripe, and more. Each is a small manifest that declares its operations and the one keyring credential it needs. The desktop shows them with the exact command to run, not a toggle that pretends a per-agent wire is already there.

terminal
conifer auth set github.token
conifer connect github prs --repo owner/name

The manifests lean read first. GitHub reads repos and issues, and its one write operation opens an issue with a title and body you approve; it never edits or closes anything. Postgres queries your own tables through a local PostgREST instance on 127.0.0.1, and its write operation inserts a row, never an update or a delete. Local and read-leaning connectors come before the token-holding write surfaces, the same least-authority instinct the grant model uses.

One connector, one grant

One invariant holds across all three kinds. Turning on a connector grants exactly one capability to exactly one agent, and the grant is the narrowest thing that makes it work. A read connector cannot write. A write connector stages and confirms. A second agent pointed at the same model starts from zero again; grants do not leak between agents. The connector is the data; the grant is the permission; the two are never bundled.
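The invariant above, modelled as a small default-deny grant table. This is an added illustration, not Conifer's code: `GrantTable`, `GrantDenied`, the method names, and the agent and connector strings are all hypothetical, and the sample message is constructed.

```python
from dataclasses import dataclass, field


class GrantDenied(Exception):
    """An agent used a capability it was never granted."""


@dataclass
class GrantTable:
    # Hypothetical model: default deny, keyed by (agent, connector, capability).
    grants: set = field(default_factory=set)
    staged: list = field(default_factory=list)  # writes awaiting confirmation
    sent: list = field(default_factory=list)    # writes the user confirmed

    def grant(self, agent, connector, capability):
        # One call grants exactly one capability to exactly one agent.
        self.grants.add((agent, connector, capability))

    def _require(self, agent, connector, capability):
        if (agent, connector, capability) not in self.grants:
            raise GrantDenied(f"{agent} lacks {capability} on {connector}")

    def read(self, agent, connector, store):
        self._require(agent, connector, "read")
        return list(store.get(connector, []))  # data to read, not instructions

    def stage_write(self, agent, connector, payload):
        # A read grant never implies write; write is checked on its own.
        self._require(agent, connector, "write")
        self.staged.append((agent, connector, payload))
        return len(self.staged) - 1  # ticket for the user to confirm

    def confirm(self, ticket):
        # Only explicit confirmation moves a staged write to "sent".
        item = self.staged[ticket]
        if item is None:
            raise GrantDenied("ticket already confirmed")
        self.staged[ticket] = None
        self.sent.append(item)
        return item


if __name__ == "__main__":
    table = GrantTable()
    table.grant("agent-a", "slack", "read")  # constructed agent and data
    print(table.read("agent-a", "slack", {"slack": ["constructed message"]}))
    try:
        table.stage_write("agent-a", "slack", "hi")
    except GrantDenied as err:
        print(err)  # read access alone does not permit staging a post
```

A second agent gets nothing from the first agent's grants, and a staged write reaches `sent` only once, through `confirm`.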

Whatever a connector returns is untrusted output: a message, an issue body, or a calendar entry is data the agent reads, not instruction it obeys, so text planted in a record cannot redirect the turn. When the catalog has no connector for what you need, add a custom tool and scope it with a grant the same way. Every connector is local read or gated egress, so the boundary holds: see the local-first guarantee for exactly what does and does not leave the machine.