Share your models
You can let someone else use your providers — on their own computer, on their own files — while only the model call travels to your machine. Two very different shapes depending on the provider.
Two shapes of sharing
API models — pure remote inference
For API-key providers, nothing runs on your machine. Your friend works in their own workspace; when their agent needs a model, the request comes to you, your provider answers, and the tokens go back. Their files never touch your disk. This is clean and low-risk — you're just paying for their usage.
CLI models — sandboxed on your machine
A CLI agent has to run somewhere, and that's your machine. So your friend's project is copied into a temporary folder on your computer, the CLI works there, and the edits are sent back to them. Because someone else's agent is now running on your box, Koryphaios confines it in a sandbox — see below.
Connecting
The host picks which providers to share and gets a models-only invite link — it grants access to the models, not to the host's session or files. The client pastes that link (or a join code) and the shared models appear in their model picker labeled by host, mixed in with their own local ones. It all runs over Koryphaios's relay, so it works across the internet, not just a LAN.
Compliance — what's safe to share
Sharing your own API keys is fine — you're paying for the usage. Sharing a subscription (Claude, Copilot, a ChatGPT plan, etc.) is account-sharing that several providers' terms forbid and actively enforce. The share panel flags each provider accordingly: safe, caution, or “violates the provider's terms — use at your own risk,” and defaults subscription providers off.
The sandbox for shared CLIs
When a CLI runs on your machine for someone else, Koryphaios sandboxes it — fully configurable, with a sensible default that keeps the agent capable (network, web, shell, edits) while jailing it to the shared project so it can't read your home directory, keys, or other files. The enforcement is kernel-level on Linux (bubblewrap) and macOS (Seatbelt), and a portable “soft jail” on Windows.
This has its own page: The remote sandbox →
Host decides permissions
Beyond the sandbox, the host assigns each guest an access tier that decides what their CLI may do — read-only, edit, or shell — and a tier can only tighten the host's base policy, never loosen it. File edits go back to the guest (their risk); shell commands run on the host (the host's risk), so shell is off by default and raised only for people you trust.