Microsoft Internal Preview · Integrates with M365

An AI agent that does real work
— under your control

It writes code, runs your office, and keeps working while you're away. Every action is governed, and it lives in Microsoft Teams and Web Chat.

runs locally — self-hosted · every action scored 0–10 · code + office
Powered by GPT-5.5 · Claude Opus 4.8 · more

One assistant, every channel

The same agent across Microsoft Teams and Web Chat — office tasks and project workflows, side by side.

Live Demo — real workflows across channels
Teams: Morning briefing, email triage, and approval workflows
workpilot.newfuture.cc/chat: Spec review, design drafting, and cross-system orchestration

Always on. Always improving.

Schedule work in plain language, or let it act and learn on its own — with results pushed back to you in Teams.

Scheduled

Your cron · interval · event jobs. Simple, readable, version-controlled files.

"Every weekday 8am, brief me."

Heartbeat

On its own pulse it learns from your history, extracts and refines reusable skills, and runs upkeep — health checks, maintenance, and updates.

Background

Fork a long job in the background or delegate to Claude Code or GitHub Copilot.

"Run this migration in the background."

Pushed to you

Results land in Teams or Web Chat; a decision needed → an approval card on your phone.

Autonomy, never unsupervised. Unattended actions are scored more strictly, risky ones wait for one tap from you, every step is on the record, and E-Stop halts all. And what it learns lives as plain text on your machine — read it, edit it, delete it.

You're in control

Every operation is scored 0–10 and mapped to four graduated actions — auto-execute, timed auto-approve, human approval, or block. No binary approve/deny fatigue.

Quantified risk

0–10 scoring — auto-execute, timed auto-approve, human approval, or block. Approval cards pushed to Teams and beyond.

Global E-Stop

One command halts all tool calls. Must be explicitly reset by an authorized user.

Credential protection

Two-stage leak scanning with auto-redaction. Token cache encrypted at rest.

Data sovereignty

No WorkPilot backend holds your data — it goes only to your chosen model and an opaque relay. Enterprise-sanctioned models only.

Command Sandbox · Path Sandbox · SSRF Protection · Audit Logging · RBAC Profiles · Entra ID Auth · MCP Risk Policy · Injection Defense · Sub-agent Isolation · Approval Escalation · Secret Redaction · Encrypted Secrets
Read the Security Whitepaper

Native to Microsoft 365

WorkPilot is built for organizations that run on Microsoft. Authenticate once with Entra ID and reach your agent everywhere.

Teams

Chat with your AI assistant directly in Teams. Read and send Teams messages, approve risky actions with interactive cards — without switching apps.

Outlook

Read, triage, and draft email replies. Check your calendar and manage meetings — in conversation or automatically in the background.

OneDrive

Search, read, and manage files in OneDrive and SharePoint. Access team documents and shared libraries through natural language.

Copilot + Claude

Local Copilot / Claude Code on coding, review, and research — Delegate for background tasks, Bridge to drive the CLI from Teams or Web Chat.

Entra

Sign in once with your Microsoft account. Your identity carries across Teams, Web Chat, and CLI automatically.

Azure

DevOps work items, pipelines, repos, and deployments. Manage Azure resources, subscriptions, and resource groups.

GitHub

Create issues, open PRs, search code, and manage repos. Combine with Copilot for end-to-end AI-assisted development.

Microsoft+

Access Microsoft-internal services like ICM, Service Tree, and Kusto through natural language. Authentication handled automatically.

One command, ready to go

WorkPilot runs on your machine. The Cloud Gateway is a stateless, content-opaque relay — no WorkPilot backend holds your data.

Hobby project for now — not a production release yet — feedback welcome!

Install WorkPilot

PowerShell / Terminal — auto-installs uv + Python if needed

irm https://aka.ms/workpilot/install.ps1 | iex

You'll be prompted to launch WorkPilot at the end. Microsoft sign-in happens automatically on first Teams or Web Chat connection. To start manually later, run wp (or workpilot). You can also rerun the same command anytime to upgrade to the latest version.

Full documentation: aka.ms/workpilot/docs

Add WorkPilot to Microsoft Teams

Auto-checked on startup. One-click install from the command line — or download the package manually.

wp teams install

Or download: teams-app.zip → Teams → Apps → Upload a custom app.

To remove: run wp teams uninstall, or in Teams → Apps → Manage your apps → remove WorkPilot.

Get on the Cloud Gateway allowlist

Hosted Teams & Web Chat are in preview — open a request to get on the allowlist, or join our Teams thread to read the details.

How the agent runs on your device

Channels stay outside the loop — every message crosses an in-device message bus into a local agent loop, where a governed gate runs every tool call across four tool sources.

[Architecture diagram. Channels (outside the loop): CLI, plus Teams and Web Chat via a content-opaque cloud relay. Your device: message bus (inbound · typed pub/sub events · outbound) feeding the agent loop (context assembly from system prompt, memory facts, relevant history and recent messages; LLM provider; repeat until final answer). Governed gate, no bypass: preflight (e-stop · permissions · risk 0–10 · approve) → execute (runs in parallel) → postflight (leak-scan · append-only audit). Tool sources: dynamic tools, sub-agents (Explorer · HistorySession · Copilot · Claude · BizChat), skills (SKILL.md markdown workflows), MCP (untrusted by default). Outside the device: models (primary + fallback endpoints) and external servers reached via MCP (Incidents, Kusto, Azure DevOps, Graph, Teams / Outlook, SharePoint).]

Every message — from the local CLI, or from Teams / Web Chat behind a content-opaque relay — crosses the in-device message bus into a local reasoning loop. There a governed gate runs every tool call (preflight → execute → audit) across four sources: sub-agents, dynamic tools, skills, and MCP. Only prompts to your chosen model and that opaque relay traffic ever leave the device.
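An added sketch of the gate described above (preflight, execute, postflight), written for this page and not WorkPilot's own code. The score cut-offs, the +2 unattended penalty, the secret pattern, and every name are assumptions; the page names the four actions but gives no thresholds.

```python
import re
from dataclasses import dataclass, field

# Assumed cut-offs: highest score (inclusive) that still maps to each action.
BANDS = [(3, "auto-execute"), (5, "timed-auto-approve"),
         (8, "human-approval"), (10, "block")]
UNATTENDED_PENALTY = 2  # assumption: "scored more strictly" modelled as +2
SECRET = re.compile(r"(?i)\b(token|password|secret)=\S+")  # constructed pattern

@dataclass
class Gate:
    estop: bool = False
    audit: list = field(default_factory=list)  # only ever appended to

    def decide(self, score, unattended=False):
        """Preflight: E-Stop wins, then the 0-10 score picks one of four actions."""
        if self.estop or not 0 <= score <= 10:
            return "block"  # fail closed on E-Stop or an out-of-range score
        if unattended:
            score = min(10, score + UNATTENDED_PENALTY)
        return next(action for limit, action in BANDS if score <= limit)

    def call(self, name, score, tool, unattended=False, approved=False):
        """Run one tool call through preflight -> execute -> postflight."""
        action = self.decide(score, unattended)
        # Simplification: a timed auto-approve is treated as "timer expired, no veto".
        runs = action in ("auto-execute", "timed-auto-approve") or (
            action == "human-approval" and approved)
        result = None
        try:
            if runs:
                # Postflight leak scan: redact secret-looking values in the output.
                result = SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", str(tool()))
        finally:
            # Audit every decision, including blocked calls and tools that raise.
            self.audit.append({"tool": name, "score": score,
                               "action": action, "ran": runs})
        return action, result

def demo():
    """Constructed tool calls; the lambdas stand in for real tools."""
    gate = Gate()
    out = [gate.call("read_file", 2, lambda: "ok token=abc123"),
           gate.call("read_file", 2, lambda: "ok", unattended=True),
           gate.call("git_push", 7, lambda: "pushed"),
           gate.call("rm_rf", 10, lambda: "deleted")]
    gate.estop = True  # global stop: even a score-0 call is refused
    out.append(gate.call("read_file", 0, lambda: "ok"))
    return out, gate.audit
```

The same read scores as auto-execute when attended and as timed auto-approve when unattended, and the audit list records blocked calls as well as executed ones.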

Designed for real, long-running work

The engineering behind the diagram — what keeps it reliable on real, long-running work.

// the agent loop
Thinks before it acts: Primes context from your workspace and memory before the first token.
Parallel, safely: Preflight → concurrent execute → postflight; repeated calls to the same tool run in order.
Catches itself: Loop detection (repeat · poll · ping-pong) course-corrects mid-run.
// context & memory
Coherent over 100+ turns: Topic-aware compaction keeps the thread — not blunt token-trimming.
Learns what matters: Searchable long-term memory; unused facts fade, affirmed ones reinforce.
Lean tool schema: On-demand tool loading cuts schema tokens by ~70%.
// models, your way
Enterprise-owned models: Runs on the LLMs your org sanctions — provider-agnostic, switch per task.
Adapts per task: Reasoning depth auto-tuned; vision switches on for attachments.
Steerable mid-run: Inject a course-correction that holds across model families.
// governance & infra
Deterministic risk scoring: Most shell risk scored without an LLM — no latency, reproducible.
Decoupled by design: Typed message bus, bounded queues, a 3-phase hook pipeline.
Inspectable, not a black box: Memory, config, and history are plain text you can read, version, and audit.

Ready to try it?

One command to install. WorkPilot runs on your machine.