Remote control, locked down
Arbiter lets you drive your AI operation from your phone. That power needs a lock on it, so remote control sits behind a per-conversation code from your own authenticator.
Arbiter can dispatch and steer real work from a chat message, which means you can run your AI operation from your phone. Anything that powerful, reachable from a messaging app, needs a real lock on it. Here is how remote control is gated.
One code per conversation
A sensitive action requested over a remote channel does not just run. It waits for a time-based one-time code, the kind any standard authenticator app produces, and one code authorizes one conversation for a short window. Approve the work in this chat, and only this chat is unlocked, only for a while. The gate is the same no matter which surface the request comes from, so there is no side door that skips it.
The key never lives where the model can reach it
The secret that generates those codes sits in your authenticator app, on your device. It is never held by Arbiter’s decision-making model and never sits in its context. That is deliberate. Even if a prompt tried to talk the system into handing over its own credentials, there is nothing there to hand over. The lock and the thing being locked are kept apart on purpose.
A hijacked chat account still can’t turn it off
The obvious attack on phone-based control is stealing the messaging account. So turning the protection off, or enrolling a new device, itself requires a current valid code. Someone who takes over your chat account still can’t disable the gate, because they don’t have your authenticator. Their messages simply bounce at approval.
Local control stays convenient
The gate is for remote surfaces. Sitting at the machine Arbiter runs on already means you control it, so local use isn’t burdened with a code on every action. The friction lands where the risk is, and nowhere else.
Why we built it this way
This is a design choice, not a patch. If you are going to hand an operator a remote control for a fleet of agents, the trust model has to be explicit, and the key has to live somewhere the software can’t be tricked into surrendering. You should be able to point at exactly where control is enforced. Now you can.
Arbiter is in active development, the orchestration layer for Code Reality Labs. It dispatches Warden across providers and recovers long-running work when the night goes sideways.