1. User Message → Agent Response
The end-to-end flow from a Telegram message to a response.2. Core Tool Call — Direct Sandbox Execution
When the LLM callsread, write, patch, or exec with a regular command (not a tool launcher).
Example: exec curl https://example.com
Key point: The command runs entirely inside the sandbox. The gateway only logs and routes — it never executes curl itself.
3. Core Tool Call — File Operations
read, write, and patch all follow the same pattern: gateway runs docker exec to operate on files inside the sandbox.
Example: write("/workspace/script.ts", "console.log('hello')")
4. Tool Launcher Call — Double Routing
The most important flow. Whenexec runs a plugin tool (found on $PATH via /tools/bin/), the request bounces back to the gateway through the Unix socket.
Example: exec git set trip:paris "March 15"
Two audit log entries are created:
core_tool/exec— the exec call itselftool/git— the actual tool invocation through the socket
5. Tool Call — Permission Denied
When an agent tries to use a tool it’s not allowed to access.Note: The tool launcher forslackwould only exist in the sandbox if the agent’s config includesslackin its tools list. In practice, a denied call means the agent config was changed after container creation, or there’s a bug. But the policy engine is the last line of defense regardless.
6. Script Toolchain — Agent Writes and Executes Code
The agent can write scripts that chain multiple tool calls. This is the “let agents write code” principle in action.
Each plugin tool call inside the script still routes through the gateway socket, gets policy-checked, and is audit-logged. There’s no way to bypass this from within the sandbox.
7. Telegram Streaming Flow
How responses are streamed back to the user in Telegram.Telegram edits are rate-limited to ~1/second to avoid API errors. The final message is always sent as a complete edit.
8. TUI Channel — Interactive Terminal Session
The TUI runs as a separate process (beige tui) and connects to the gateway’s HTTP API. The LLM session runs locally in the TUI (full pi experience with editor, streaming, model switching, compaction), but all LLM calls are proxied through the gateway and tool execution is proxied through the gateway. The TUI never needs API keys.
Key architecture points:
- The TUI process has no API keys — the gateway resolves them server-side
- LLM calls go through
POST /api/chat/stream, where the gateway handles auth, audit logging, prePrompt/postResponse hooks, and fallback model logic- Tool execution goes through
POST /api/agents/:name/exec, where the gateway handles sandbox routing, audit logging, and policy enforcement- If the primary model is rate-limited, the gateway automatically tries fallback models and sends a
model_fallbackevent to the TUI
9. LLM Proxy — Gateway-Side Fallback and Hooks
When the TUI (or any client) callsPOST /api/chat/stream, the gateway handles auth, hooks, and fallback logic server-side.
Key points:
- The client sends a single request — fallback is transparent
- Each model attempt gets its own audit log entry
- Rate-limit cooldowns are persisted in
~/.beige/data/provider-health.jsonand survive gateway restarts- The
model_fallbackevent lets the client update its UI if desired
10. Session Lifecycle
Sessions persist across gateway restarts. Each conversation gets its own.jsonl file.
