Workspace Security
Multi-layer security with OS-level sandboxing, workspace isolation, folder permissions, and credential protection.
The desktop app implements a multi-layer defense strategy to ensure AI agents operate safely within defined boundaries. Every layer works independently so that if one is bypassed, the others still protect your system.
Defense Layers
Layer 1: Input Validation
All API inputs are validated before reaching the agent:
- Path traversal blocking -- Rejects ../, symlink evasion, null bytes
- System path blocking -- Blocks access to OS system directories
- Zod schema validation -- Every API endpoint validates its inputs
Layer 2: OS-Level Sandbox
The strongest boundary -- enforced by the operating system itself:
| Platform | Technology | Description |
|---|---|---|
| macOS | Seatbelt | Kernel-level sandbox profiles restricting file and network access |
| Linux | Bubblewrap | Container-like isolation with namespace restrictions |
The sandbox enforces filesystem rules:
- Allow write: Session directory + optionally the user's workspace
- Deny write: Shell configs (.bashrc, .zshrc), credential stores
- Deny read: Credential directories (.ssh, .aws, .gnupg, .git-credentials, .npmrc, .pypirc)
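How the allow/deny list above can be turned into an enforceable profile, as an added example rather than the app's own sandbox configuration: the function below renders the rules as a macOS Seatbelt (SBPL) profile. The rule-set shape, the home directory, the sample paths and the helper names are constructed for illustration; only filesystem and process operations are covered, so a production profile would need further allowances (Mach lookups, shared memory and the like) that are omitted here. The Bubblewrap side is not shown.

```typescript
import { posix as path } from "node:path";

// Constructed rule-set shape; the app's real configuration format is not on this page.
interface FsRules {
  home: string;
  sessionDir: string;         // always writable
  userWorkspaceDir?: string;  // writable only after the user grants it
  denyWriteFiles: string[];   // relative to home: shell configs
  denyReadDirs: string[];     // relative to home: credential directories
  denyReadFiles: string[];    // relative to home: credential files
}

// SBPL string literals are double-quoted; escape backslash and quote.
function sbplString(s: string): string {
  return `"${s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

function renderSeatbeltProfile(r: FsRules): string {
  const abs = (rel: string): string => path.join(r.home, rel);
  const lines: string[] = [
    "(version 1)",
    ";; Default-deny; in SBPL a later matching rule overrides an earlier one.",
    "(deny default)",
    "(allow process-fork)",
    "(allow process-exec)",
    "(allow sysctl-read)",
    ";; Reads are broadly allowed so toolchains load, then credential stores are carved out.",
    "(allow file-read*)",
  ];
  for (const d of r.denyReadDirs) lines.push(`(deny file-read* (subpath ${sbplString(abs(d))}))`);
  for (const f of r.denyReadFiles) lines.push(`(deny file-read* (literal ${sbplString(abs(f))}))`);
  lines.push(";; Writes: session directory always, user workspace only when granted.");
  lines.push(`(allow file-write* (subpath ${sbplString(r.sessionDir)}))`);
  if (r.userWorkspaceDir) lines.push(`(allow file-write* (subpath ${sbplString(r.userWorkspaceDir)}))`);
  lines.push(";; Shell configs stay unwritable even if they fall inside an allowed subtree.");
  for (const f of r.denyWriteFiles) lines.push(`(deny file-write* (literal ${sbplString(abs(f))}))`);
  return lines.join("\n") + "\n";
}

// True when `line` is present in the profile and appears after `before`;
// this is how SBPL precedence has to be read when reviewing a profile.
function ruleFollows(profile: string, before: string, line: string): boolean {
  const lines = profile.split("\n");
  const i = lines.indexOf(before);
  const j = lines.indexOf(line);
  return i >= 0 && j > i;
}

// Constructed sample: a user whose project lives in ~/proj.
const SAMPLE_RULES: FsRules = {
  home: "/Users/demo",
  sessionDir: "/Users/demo/.example-app/sessions/task-1",
  userWorkspaceDir: "/Users/demo/proj",
  denyWriteFiles: [".bashrc", ".zshrc"],
  denyReadDirs: [".ssh", ".aws", ".gnupg"],
  denyReadFiles: [".git-credentials", ".npmrc", ".pypirc"],
};

console.log(renderSeatbeltProfile(SAMPLE_RULES));
```

The ordering is the security-relevant detail: because later rules win, every deny for a credential path must be emitted after the broad `(allow file-read*)`, and the deny-write literals for shell configs must follow the workspace allow so they still hold when the granted workspace is the home directory itself.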
Layer 3: System Prompt Boundaries
The agent's system prompt defines operating zones:
- Which directories the agent can access
- What types of operations are permitted
- Backup-before-overwrite and read-before-write requirements
Layer 4: Folder Permission Consent
A Cowork-style permission model where:
- When the agent needs access to a folder, a dialog appears
- You choose: Once, Today, Always, or Never
- Non-permanent permissions reset on app restart
- Each folder tracks its read/write permission state
Layer 5: Bash Command Validation
Before the agent runs any shell command:
- Paths are extracted and validated against the workspace boundary
- Commands are checked against an allowlist
- Dangerous operations are blocked
Workspace Isolation
How Workspaces Work
Every task operates within a defined workspace:
- Session directory (workDir) -- Always writable, used for agent output
- User workspace (userWorkspaceDir) -- Your project folder, read-only by default
To give the agent write access to your project:
- Select a folder using the folder picker
- Grant write permission when prompted
- The agent can now modify files in that folder
Folder Permissions
The folder permission system tracks:
| Permission | What It Means |
|---|---|
| Read | Agent can view file contents |
| Write | Agent can create and modify files |
| Once | Permission expires after this task |
| Today | Permission expires at end of day |
| Always | Persists across sessions |
| Never | Blocks access completely |
Recent folders are tracked for quick access in the folder picker.
Credential Protection
The app protects sensitive credentials at multiple levels:
Encrypted Storage
OAuth tokens are encrypted at rest:
- Algorithm: AES-256-GCM
- Key derivation: PBKDF2-SHA512 with 100,000 iterations
- Unique IVs: Per-file unique initialization vectors
- Salt: 32-byte random salt per encryption
Encrypted tokens are stored at ~/.<app-slug>/auth/<provider>.enc.
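The scheme listed above (AES-256-GCM, PBKDF2-SHA512 at 100,000 iterations, a fresh 32-byte salt and a unique IV per file) written out with `node:crypto`, as an added example that is not the app's own implementation. The on-disk layout (salt | iv | tag | ciphertext), the passphrase source and the use of the provider name as GCM associated data are assumptions; the provider strings in the sample are constructed.

```typescript
import { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } from "node:crypto";

const PBKDF2_ITERATIONS = 100_000; // as stated on this page
const KEY_LEN = 32;                // AES-256
const SALT_LEN = 32;               // 32-byte random salt per encryption
const IV_LEN = 12;                 // 96-bit GCM nonce, fresh per file
const TAG_LEN = 16;                // GCM authentication tag

function deriveKey(passphrase: string, salt: Buffer): Buffer {
  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, KEY_LEN, "sha512");
}

// Assumed layout: salt | iv | tag | ciphertext. The provider name is bound in as
// associated data so a blob cannot be copied from one <provider>.enc file to another.
function encryptToken(plaintext: string, passphrase: string, provider: string): Buffer {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(provider, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ciphertext]);
}

function decryptToken(blob: Buffer, passphrase: string, provider: string): string {
  const headerLen = SALT_LEN + IV_LEN + TAG_LEN;
  if (blob.length < headerLen) throw new Error("ciphertext too short");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, headerLen);
  const ciphertext = blob.subarray(headerLen);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(provider, "utf8"));
  decipher.setAuthTag(tag); // final() throws on any mismatch: wrong key, wrong AAD or tampering
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// True when decryption refuses the blob after a single ciphertext bit is flipped.
function rejectsTampering(plaintext: string, passphrase: string, provider: string): boolean {
  const blob = encryptToken(plaintext, passphrase, provider);
  blob[blob.length - 1] ^= 0x01;
  try {
    decryptToken(blob, passphrase, provider);
    return false;
  } catch {
    return true;
  }
}
```

Two properties worth checking in any implementation of this scheme: two encryptions of the same token must produce different blobs (the salt and IV are random, so the derived key and nonce never repeat), and decryption must fail closed rather than return garbage when the tag does not verify.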
Denied Paths
The sandbox explicitly blocks agent access to credential directories:
- ~/.ssh/
- ~/.aws/
- ~/.gnupg/
- ~/.git-credentials
- ~/.npmrc
- ~/.pypirc
Git Staging Filters
When creating pull requests (via the Linear Pipeline), the staging process filters:
- .env files
- .key and .pem files
- Other known sensitive file patterns
Tauri Capabilities
The desktop shell restricts its own permissions:
| Capability | Scope |
|---|---|
| File System | Read/write scoped to app data and user directories |
| SQL | Execute, select, load, close (SQLite only) |
| Shell | Spawn/kill processes, execute sidecar |
| Dialog | Native folder/file picker |
| Notification | OS notifications for task completion |
| Opener | Open URLs and files in default apps |
File system access is scoped to:
- $HOME/.<app-slug>/** -- Application data
- $HOME/.claude/** -- Claude Code configuration
- $DOWNLOAD, $DESKTOP, $DOCUMENT -- Standard user directories
CORS and Network Security
- CORS origin allowlist -- Only the Vite dev server, Tauri webview, and production API
- 10 MB request body limit -- Prevents oversized payloads
- SSRF validation -- User-supplied URLs validated to block private IPs and cloud metadata
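What the SSRF check above has to do in practice, as an added example that is not the app's validator: parse the URL, restrict the scheme, and refuse any destination that is loopback, private, link-local (which is where the 169.254.169.254 cloud metadata endpoint lives), multicast or unresolvable. The function names, the blocked-range list and the resolver hook are assumptions; the resolver is injectable so the example runs offline against a constructed name table, and by default it fails closed for any hostname that is not an IP literal.

```typescript
import { isIPv4, isIPv6 } from "node:net";

type UrlVerdict = { ok: true; host: string; ip: string } | { ok: false; reason: string };

// Assumed block list: RFC 1918, loopback, link-local (includes 169.254.169.254 metadata),
// CGNAT, "this network", multicast and reserved space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr4(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => inCidr4(n, base, bits));
}

function isBlockedV6(ip: string): boolean {
  const a = ip.toLowerCase();
  // IPv4-mapped addresses carry an IPv4 destination; judge them by the IPv4 rules.
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedV4(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const first = parseInt(a.split(":")[0] || "0", 16); // "" for "::..." forms
  if (first === 0) return true;                 // ::, ::1 and other 0::/8 forms
  if ((first & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((first & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((first & 0xff00) === 0xff00) return true; // ff00::/8 multicast
  return false;
}

// resolveHost returns the addresses a name maps to; the default only accepts IP
// literals, so unresolved names fail closed unless a real resolver is supplied.
function checkOutboundUrl(raw: string, resolveHost: (h: string) => string[] = () => []): UrlVerdict {
  const parsed = (() => { try { return new URL(raw); } catch { return null; } })();
  if (!parsed) return { ok: false, reason: "malformed URL" };
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${parsed.protocol}` };
  }
  // WHATWG parsing already canonicalises forms such as 2130706433 or 0x7f.1 to dotted-decimal.
  const host = parsed.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const ips = isIPv4(host) || isIPv6(host) ? [host] : resolveHost(host);
  if (ips.length === 0) return { ok: false, reason: "host did not resolve" };
  for (const ip of ips) {
    const blocked = isIPv4(ip) ? isBlockedV4(ip) : isIPv6(ip) ? isBlockedV6(ip) : true;
    if (blocked) return { ok: false, reason: `destination ${ip} is private, loopback, link-local or metadata` };
  }
  return { ok: true, host, ip: ips[0] };
}
```

The verdict carries the resolved `ip` for a reason: the request should be made to that address (or the lookup repeated and re-checked at connect time), otherwise a name that resolves to a public address during validation and to a private one a moment later passes the check and still reaches the internal host.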
OWASP Agentic Application Mitigations
The app addresses the OWASP Top 10 for Agentic Applications (2026):
| Threat | Mitigation |
|---|---|
| Goal Hijack | XML delimiter-based prompt injection defense |
| Tool Misuse | OS-level filesystem sandbox |
| Privilege Abuse | No auto-merge, scoped operations, credential denial |
| Excessive Agency | Workspace boundaries, session directory confinement |
| Unexpected Code Execution | Verification loop (lint + typecheck, max 3 retries) |
| Insufficient Sandboxing | OS-level enforcement + denied read paths |
| Cascading Failures | Per-phase timeouts, total pipeline timeout (60 min) |
| Human Trust Exploitation | No auto-merge, explicit human review via Slack |
Learn More
- Agent System -- How agents operate within these boundaries
- Linear Pipeline -- Security in the autonomous workflow
- Desktop Application -- Overview and setup