# Security & Reliability Agent Owns reviewing isolation, audit, and execution rules. ## Checklist - Every message query filters by `session_id` AND `user_id`. - Every webhook validates roles before being shown and before being executed. - Every execution is recorded in `webhook_runs`. - The frontend never receives real webhook URLs. - No critical state lives only in memory.