Loom v0.7.4 is out for macOS, Linux and Windows

Unattended does not mean unguarded.

Loom runs six autonomous coding sessions on your machine, so its safety model is structural, not aspirational. This page explains the boundaries and how to run responsibly when nobody is watching.

The boundaries

Limits that hold regardless of what a model decides.

Each of these is enforced by the app itself. None of them depends on a session behaving well.

Auto-accept, narrowly

When auto-accept answers a Claude Code permission prompt, it presses only the safe affirmative. Nothing else. It is a visible toggle, and shift+tab cycles a single terminal's permission mode when you want one session under manual control while the rest run. See permissions.

The deny-list

Known secret paths are blocked on reads and writes alike. A session can neither leak a credential nor overwrite one, and your provider keys live in the OS keychain only.

Workspace authorization

Every file, git, and shell operation is checked against the registry of workspaces you have authorized. Outside that boundary, the operation does not run. See workspaces.
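
As an added illustration (not Loom's own code), this Rust sketch shows one way a deny-list and a workspace registry like the two boundaries above can gate every path before an operation runs. The function names, the deny-list entries, and the sample registry are assumptions constructed for the example.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

// Constructed sample entries; the page does not list Loom's actual secret paths.
const DENY: &[&str] = &[".ssh", ".aws", ".gnupg", ".env"];

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, DeniedSecret, OutsideWorkspace }

/// Resolve `.` and `..` lexically so `app/../../.ssh/key` cannot pass a prefix check.
/// Assumption: a production check would also resolve symlinks (fs::canonicalize);
/// this sketch stays lexical so it runs without touching the filesystem.
fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hypothetical gate, identical for reads and writes: deny-list first, then registry.
pub fn check(registry: &[&str], requested: &str) -> Decision {
    let path = normalize(Path::new(requested));
    // Compare whole components, so `.env` matches but `.environment` does not.
    let secret = path.components()
        .any(|c| DENY.iter().any(|d| c.as_os_str() == OsStr::new(d)));
    if secret { return Decision::DeniedSecret; }
    // Path::starts_with is component-wise: /work/app does not cover /work/app-old.
    if registry.iter().any(|root| path.starts_with(normalize(Path::new(root)))) {
        Decision::Allow
    } else {
        Decision::OutsideWorkspace
    }
}

fn main() {
    let registry = ["/home/dev/work/app"]; // constructed sample registry
    for p in ["/home/dev/work/app/src/main.rs",
              "/home/dev/work/app/../../.ssh/id_ed25519",
              "/home/dev/work/app-old/notes.txt",
              "/home/dev/work/app/.env"] {
        println!("{:<44} {:?}", p, check(&registry, p));
    }
}
```

Normalizing before comparing is what keeps a `..` sequence or a sibling directory with a shared name prefix from slipping past the registry check.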

Review before push

The Conductor verifies work before it counts toward a mission. Treat that as a quality gate, not a release gate. Verification tells you a task did what it claimed; it does not replace your own judgment about what should leave your machine. The built-in source control panel gives you a full git graph and hunk-by-hunk AI diffs for exactly this purpose: read what the fleet wrote, hunk by hunk, before you push it anywhere.

Overnight missions, responsibly

Loom is built to keep working while you sleep. The Conductor watches every terminal, recovers from rate limits and stalls, and rotates pooled Claude accounts when one hits a usage limit, so a mission does not need you at 3 a.m. What it does need is a sensible setup before you walk away:

  • Authorize only the workspaces the mission actually needs. The authorization registry is your blast radius; keep it small.
  • Write the brief precisely. Verification can only hold the fleet to what you said done looks like.
  • Leave auto-accept on with the understanding of what it is: a hand that presses only the safe affirmative, never anything broader. If a session needs looser permissions, set that one terminal deliberately with shift+tab rather than loosening everything.
  • In the morning, read the mission DAG and the activity strips first, then the diffs. Push only what you have reviewed.

The same honesty applies in reverse: autonomy on your machine is real autonomy. Sessions edit files and run commands inside the workspaces you authorize. If a repository is not something you would hand to a capable but unsupervised contractor, do not authorize it for an unattended run. For the full picture of how the guardrails are built, including the SSRF-guarded Rust proxy and the no-telemetry stance, see the security page and the overnight runs guide.

Hand it the work.
Walk away.

macOS, Linux, and Windows. Around 13 MB. Free and open source.