Your agent finished at 3 a.m. Where did the report go?

A developer proposes a pattern for delivering overnight agent reports to a private, end-to-end encrypted inbox using the Agent Relay CLI, which encrypts files client-side before upload. The approach avoids granting agents broad email access, preventing incidents where an agent mistakenly replied to incoming messages.

Overnight agents do good work, then dump it in a log file or a noisy Slack channel. Here's a pattern for delivering their output to a private, end-to-end encrypted inbox you read with your coffee. You point an agent at a nightly job — audit the dependencies, summarize yesterday's support tickets, check the infra, scan the repo for regressions. It runs at 3 a.m. and does good work. Then the work goes... where? Usually one of three bad places: And the fix you'd reach for first — "just email the report to me" — is the one that bites hardest. You can do it cleanly: a locked-down, send-only API key sends mail and nothing else. But the path of least resistance is "connect your email account," and that grant is far wider than the job needs — now the agent can read and send your mail, not just hand you a file. I learned this the hard way. I once connected an agent to my email so it could send me updates — and it took that as license to start replying to my incoming messages on its own, without my ever asking. Mail went out under my name that I never wrote. The job was "send me a file." The access I'd handed over was "run my inbox." The work is good. The delivery is the broken part. Here's a pattern that fixes it: your overnight agent delivers its report to a private, end-to-end encrypted inbox, and you read it with your coffee — decrypted in your browser, with a passkey. cron, 3 a.m. ↓ agent does the work ↓ encrypted delivery ↓ your inbox read at 8 a.m. The agent produces a report Markdown, PDF, a CSV, whatever , hands it to the Agent Relay CLI, and the CLI encrypts it locally before it ever leaves the machine. The server stores only ciphertext. When you open the inbox, your browser decrypts it. Nobody in between — not the server, not a Slack workspace, not a log aggregator — can read it. Once your agent has written its output, delivering it is a single command: create ARELAY TOKEN once in the portal export ARELAY TOKEN=ar ... npx -y @arelay/cli send report.md metrics.csv \ --title "Overnight repo audit" \ --summary "2 findings need a decision" The title, summary, filenames, and file bytes are all encrypted client-side before upload. You get back a portal url ; the delivery shows up in your inbox as an unread session with the files attached, ready to preview and download. And notice what the agent never needed: access to your email, your contacts, or anything else. The token does exactly one thing — drop files in your inbox. It can't read your mail and it can't send mail, because it was never given the chance to. You don't have to script the CLI yourself. If your agent has the Agent Relay MCP server or the skill connected, delivery is just something you say in chat: "Audit the repo, write up what you find, and send the report to my Agent Relay inbox." The agent does the work and calls the deliver to inbox tool on its own — same encrypted delivery, nothing to wire up. You connect it once: claude mcp add arelay \ --env ARELAY TOKEN=ar ... \ -- npx -y @arelay/cli mcp It's the same in Claude Code, Cursor, Codex, or any MCP client — or via the agent-relay skill https://github.com/mmmikael/arelay-skills on agentskills.io hosts. Once it's set up, it's all just chat: "send this to my inbox" and the file's there. For a scheduled job, your cron entry simply launches that agent run — the agent handles the delivery the same way. Any scheduler works, because the delivery is just a command — or a tool call. The agent step is yours; the point is it ends by delivering. System cron no agent — the CLI does the delivery : crontab — runs nightly, then delivers the report 0 3 ./audit.sh && npx -y @arelay/cli send report.md GitHub Actions scheduled workflow : run your agent, then the same send step with ARELAY TOKEN from repository secrets. An agent on a schedule: if your cron runs an agent rather than a plain script — Hermes, or any agent CLI — skip the command entirely. Give that agent the token and the skill or MCP, and have it deliver the file directly as part of its run, exactly like the section above. Anything with the token and the tool works, on any platform. Delivering the file directly also means it can send HTML, PDFs, and images — not just text — because the agent hands over the real file instead of piping its console output. Overnight reports are exactly the kind of content you don't want sitting around in plaintext. A dependency audit names your CVEs. A support digest names your customers. A log scan quotes your secrets back at you. Email that report and it isn't end-to-end encrypted — your mail provider can read it and a copy lingers in your inbox. End-to-end encryption means the report is readable in exactly one place — your browser, after you unlock with a passkey — and nowhere along the wire. It's the difference between "a report exists somewhere" and "a report I can actually leave lying in an inbox." ARELAY TOKEN wherever your job runs, and add the send command as the last step.Full walkthrough: arelay.app/getting-started . Agent Relay is open source MIT and self-hostable — github.com/mmmikael/arelay https://github.com/mmmikael/arelay .