Platform Security
Technical security measures including OS-level sandboxing, OWASP compliance, prompt injection defense, and workspace isolation.
The platform implements comprehensive security measures designed for AI-powered workflows where agents execute code and access external services on your behalf.
Workspace Isolation
How It Works
Every desktop app agent session operates within a confined workspace directory. The agent cannot read, write, or execute files outside this boundary.
Enforcement layers:
- Application-level — The API validates all file paths against the workspace root
- OS-level sandbox — macOS Seatbelt or Linux Bubblewrap enforces filesystem boundaries at the kernel level
- Folder permissions — Each folder access requires explicit user consent
OS-Level Sandbox
| Platform | Technology | Enforcement |
|---|---|---|
| macOS | Seatbelt (sandbox-exec) | Kernel-level filesystem access control |
| Linux | Bubblewrap (bwrap) | Namespace-based isolation |
| Windows | Application-level validation | Path validation in API layer |
The sandbox profile denies all filesystem access by default, then allowlists only:
- The configured workspace directory (read/write)
- System libraries and runtimes (read-only)
- Temporary directories needed for execution
What Agents Cannot Access
Even within a running session, agents are blocked from:
- SSH keys — `~/.ssh/` and all contents
- Cloud credentials — `~/.aws/`, `~/.gcloud/`, `~/.azure/`
- GPG keys — `~/.gnupg/`
- Docker configs — `~/.docker/`
- Environment files — `.env`, `.env.local`, and similar
- System directories — `/etc/`, `/System/`, `/usr/` (write-blocked)
Authentication Security
Web Platform
- Supabase Auth handles all authentication
- Multi-factor authentication (MFA) available for all accounts
- OAuth 2.0 with PKCE for social sign-in (Google, GitHub)
- Session management with secure, httpOnly cookies
- Rate limiting on authentication endpoints
Row-Level Security (RLS)
Every database table has RLS policies that enforce access control at the database level:
- Users can only query their own data
- Team members can only access data within their team
- Admin permissions are checked for sensitive operations
- RLS cannot be bypassed by application code
Role-Based Access Control
| Role | Permissions |
|---|---|
| Owner | Full control, including billing and team deletion |
| Admin | Manage members, settings, and resources |
| Member | Use features and view shared resources |
AI Safety Measures
Prompt Injection Defense
The platform protects against prompt injection attacks:
- XML delimiters separate system instructions from user input
- Content sanitization removes known injection patterns
- Injection pattern detection flags suspicious input
- System prompt isolation prevents agents from modifying their own instructions
Agent Boundaries
Agents operate within strictly defined boundaries:
- Tool allowlisting — Agents can only use explicitly configured tools
- Workspace confinement — File operations limited to the workspace directory
- Execution limits — Maximum turns, timeouts, and iteration caps prevent runaway agents
- Cost tracking — Per-message cost monitoring helps detect unexpected behavior
OWASP Agentic Applications Compliance
The platform addresses the OWASP Agentic Applications Security top risks:
| Risk | Mitigation |
|---|---|
| ASI01: Agent Misuse | Role-based access, tool allowlisting, workspace isolation |
| ASI02: Model Manipulation | Prompt injection defense, content sanitization |
| ASI03: Uncontrolled Actions | Two-phase execution (plan + approve), execution limits |
| ASI04: Data Exposure | RLS, credential encryption, sensitive file blocking |
| ASI05: Supply Chain | MCP server verification, dependency auditing |
| ASI06: Excessive Permissions | Minimal tool exposure, scoped OAuth, folder consent |
| ASI07: Denial of Service | Rate limiting, execution timeouts, cost caps |
| ASI08: Logging Gaps | Structured logging, audit trails, Langfuse tracing |
| ASI09: Insecure Communication | HTTPS/TLS, CORS allowlisting, webhook HMAC verification |
Network Security
Web Platform
- HTTPS only — All traffic encrypted with TLS
- CORS — Origin allowlisting prevents unauthorized cross-origin requests
- Input validation — Zod schemas validate all API inputs
- Rate limiting — Prevents abuse of API endpoints
Desktop App
- Local API — The backend runs as a local process, not exposed to the network
- Webhook verification — HMAC-SHA256 signatures with timing-safe comparison
- Replay protection — Timestamps validated to prevent webhook replay attacks
- IP allowlisting — Optional IP restrictions for webhook endpoints
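The webhook verification and replay protection listed above, written out as an added example (not the platform's own code). The wire format is assumed: a Unix-seconds timestamp header and a hex HMAC-SHA256 header computed over `timestamp.rawBody`; the 300-second window and the `signWebhook`/`verifyWebhook` names are also assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed wire format (not from the page): the sender puts a Unix-seconds
// timestamp in one header and hex(HMAC-SHA256(secret, `${timestamp}.${rawBody}`))
// in another. Binding the timestamp into the MAC stops a captured signature
// from being replayed with a fresh timestamp.
const MAX_SKEW_SECONDS = 300; // assumed 5-minute replay window

function signWebhook(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function verifyWebhook(
  secret: string,
  rawBody: string,
  timestampHeader: string,
  signatureHeader: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): { ok: boolean; reason: string } {
  // 1. Replay protection: reject non-numeric, stale or future-dated timestamps.
  const ts = Number(timestampHeader);
  if (!Number.isInteger(ts)) return { ok: false, reason: "bad timestamp" };
  if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale timestamp" };
  }

  // 2. Recompute the MAC over the raw (unparsed) body so that JSON
  //    re-serialization differences cannot cause spurious mismatches.
  const expected = Buffer.from(signWebhook(secret, ts, rawBody), "hex");
  const received = Buffer.from(signatureHeader, "hex");

  // 3. timingSafeEqual throws on unequal lengths, so check length first;
  //    a length mismatch is simply a failed verification, not a server error.
  if (received.length !== expected.length) return { ok: false, reason: "bad signature" };
  if (!timingSafeEqual(expected, received)) return { ok: false, reason: "bad signature" };
  return { ok: true, reason: "verified" };
}
```

The body must be the exact bytes received, so read it before any JSON body parser runs; verifying a re-serialized object will fail for legitimate senders.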
Secure Development Practices
- All dependencies regularly audited for vulnerabilities
- Secrets never logged or included in error responses
- Git staging filters prevent committing sensitive files
- Structured logging with PII-safe output
- Regular security review of agent tool implementations