How Cookie OS keeps your machine and data safe.
Cookie OS runs an autonomous AI agent directly on your desktop. That requires serious security. Here's how we built multiple layers of protection so your agent can work without putting your system at risk.
Your AI agent runs inside a hardened Podman container, completely isolated from your host system. The container is locked down with enterprise-grade security flags:
- All capabilities dropped: the container starts with zero Linux capabilities, so there is nothing for a compromised process to escalate to.
- Non-root execution: the agent process runs as an unprivileged user (uid 1000), never as root.
- No new privileges: the no-new-privileges security option stops any process inside the container from gaining privileges it does not already have, for example through setuid binaries.
- Proper init process: a dedicated init process runs as PID 1 to forward signals and reap zombie processes.
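As an added illustration (not Cookie OS's own code), the script below builds the `podman run` invocation that applies those four measures and then checks, from a `/proc/self/status` dump taken inside the container, that they actually took effect. The image name, workspace path, container name and the two sample status dumps are constructed for this example.

```python
import shlex
import subprocess

# Placeholder names for this example; the page does not give Cookie OS's
# real image or workspace path.
IMAGE = "localhost/agent-runtime:latest"
WORKSPACE = "/home/me/cookie-workspace"


def hardened_run_argv(image=IMAGE, workspace=WORKSPACE, command=("sleep", "infinity")):
    """argv for a `podman run` that applies the four hardening measures listed
    above: drop every capability, run as uid/gid 1000, forbid gaining
    privileges, and use podman's bundled init as PID 1."""
    return [
        "podman", "run", "--rm", "--detach",
        "--name", "agent-sandbox",
        "--cap-drop=ALL",                        # zero Linux capabilities
        "--user", "1000:1000",                   # unprivileged user, never root
        "--security-opt", "no-new-privileges",   # setuid/setgid cannot raise privileges
        "--init",                                # PID 1 forwards signals, reaps zombies
        "--volume", f"{workspace}:/workspace",
        "--workdir", "/workspace",
        image, *command,
    ]


def launch(argv, dry_run=True):
    """Start the container, or (dry run) just return the quoted command line."""
    if dry_run:
        return shlex.join(argv)
    subprocess.run(argv, check=True)
    return None


def parse_proc_status(status_text):
    """Parse the `Key:<tab>value` lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_sandbox_status(status_text):
    """Verify from /proc/self/status, read inside the container (for example
    `podman exec agent-sandbox cat /proc/self/status`), that the flags held.
    A missing field is treated as the unsafe value so the check fails closed."""
    f = parse_proc_status(status_text)
    cap_eff = int(f.get("CapEff", "ffffffffffffffff"), 16)
    cap_bnd = int(f.get("CapBnd", "ffffffffffffffff"), 16)
    uids = f.get("Uid", "0 0 0 0").split()   # real, effective, saved, fs uid
    return {
        "no_caps": cap_eff == 0 and cap_bnd == 0,
        "non_root": len(uids) == 4 and all(u != "0" for u in uids),
        "no_new_privs": f.get("NoNewPrivs") == "1",
    }


def sandbox_ok(status_text):
    return all(check_sandbox_status(status_text).values())


# Constructed sample: what a correctly sandboxed process reports.
HARDENED_STATUS = (
    "Name:\tsleep\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
    "NoNewPrivs:\t1\n"
)

# Constructed sample: a default root container with the stock capability set.
DEFAULT_STATUS = (
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "NoNewPrivs:\t0\n"
)

if __name__ == "__main__":
    print(launch(hardened_run_argv()))
    print(check_sandbox_status(HARDENED_STATUS))
```

Pipe the real status file through `check_sandbox_status` after a launch and all three fields should be true; CapBnd is checked as well as CapEff because a zero effective set alone can be regained by an exec if the bounding set still contains the capability. Under rootless podman, uid 1000 inside the container is additionally mapped to one of your subordinate uids on the host, so even a container escape lands in an account that owns nothing of yours.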
When the AI agent wants to execute a command on your system, a multi-layer security system controls what's allowed:
- Default deny: any command not on the allowlist requires your explicit approval before it runs.
- Shell analysis: commands are parsed and blocked if they contain dangerous patterns such as subshells, redirects, or command injection attempts.
- Safe command bypass: read-only tools like grep, jq, and sort are auto-allowed when used in safe, read-only mode.
- Approval UI: for any unrecognized command, you see a clear prompt with the options Deny, Allow Once, or Allow Always.
- Persistent allowlist: your approval decisions are saved locally with restrictive file permissions, so you don't have to re-approve trusted commands.
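The five steps above form one pipeline, and the added example below (written for this page, not Cookie OS's implementation) walks a command string through it: a quote-aware scan for shell metacharacters, a read-only check for the safe tools, the approval callback, and an allowlist file written with mode 0600. The safe-tool table, the allowlist path and the three-way verdict names are assumptions of the example.

```python
import json
import os
import shlex
from pathlib import Path

# Shell metacharacters that introduce command substitution, subshells,
# redirects, pipes or command chaining.
META = set(";&|<>`$()")

# Tools auto-allowed for read-only use, mapped to the options that would make
# them write to disk. This table is an assumption for the example.
SAFE_TOOLS = {
    "grep": (),
    "jq": (),
    "sort": ("-o", "--output"),
}

# Assumed location of the persisted "Allow Always" decisions.
ALLOWLIST_PATH = Path.home() / ".cookie-os-example" / "allowlist.json"


def unquoted_metachars(command):
    """Metacharacters the shell would actually interpret: those outside quotes,
    plus `$` and backtick inside double quotes, where expansion still happens."""
    found, quote, escaped = [], None, False
    for ch in command:
        if escaped:
            escaped = False
        elif ch == "\\" and quote != "'":      # backslash is literal in single quotes
            escaped = True
        elif quote is None:
            if ch in "'\"":
                quote = ch
            elif ch in META:
                found.append(ch)
        elif ch == quote:
            quote = None
        elif quote == '"' and ch in "`$":
            found.append(ch)
    return found


def writes_to_disk(tool, args):
    """True if any argument is one of the tool's output options, in plain,
    attached (-ofile), combined (-ro) or --flag=value form. Ambiguous cases
    count as writing, so the command falls back to manual approval."""
    for flag in SAFE_TOOLS[tool]:
        for arg in args:
            if arg == flag or arg.startswith(flag + "="):
                return True
            if len(flag) == 2 and arg.startswith("-") and not arg.startswith("--") and flag[1] in arg[1:]:
                return True
    return False


def analyze(command):
    """Return 'blocked', 'allowed' or 'needs_approval' for one command string."""
    if "\n" in command or unquoted_metachars(command):
        return "blocked"
    try:
        argv = shlex.split(command)
    except ValueError:                 # unbalanced quotes: refuse to guess
        return "blocked"
    if not argv:
        return "blocked"
    tool = argv[0]
    # Only a bare name resolved via PATH qualifies; "./grep" or
    # "/tmp/x/grep" could be any binary.
    if "/" in tool or tool not in SAFE_TOOLS:
        return "needs_approval"
    if writes_to_disk(tool, argv[1:]):
        return "needs_approval"
    return "allowed"


def load_allowlist(path=ALLOWLIST_PATH):
    if not path.exists():
        return set()
    return set(json.loads(path.read_text()))


def save_allowlist(entries, path=ALLOWLIST_PATH):
    """Persist decisions readable and writable by the owner only (0600)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(sorted(entries), f, indent=2)
    os.chmod(path, 0o600)   # O_CREAT's mode is subject to umask and not applied to an existing file


def decide(command, allowlist, ask):
    """Apply the policy. `ask(command)` stands in for the approval UI and
    returns 'deny', 'once' or 'always'. Returns (verdict, updated allowlist)."""
    verdict = analyze(command)
    if verdict != "needs_approval":
        return verdict, allowlist
    if command in allowlist:
        return "allowed", allowlist
    answer = ask(command)
    if answer == "always":
        return "allowed", allowlist | {command}
    if answer == "once":
        return "allowed", allowlist
    return "denied", allowlist
```

Run an approved command as the argv list from `shlex.split`, never with `shell=True`; the metacharacter scan is then defence in depth rather than the only thing standing between the agent and a subshell. Note that `jq '.[] | .name' f.json` passes, because the pipe is inside single quotes, while `grep "$(id)" f` is blocked, because `$(...)` expands inside double quotes.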
The Cookie OS desktop application uses Electron's strictest security configuration:
- Full sandbox mode: the renderer process runs inside Electron's sandbox and has no direct access to Node.js, the filesystem, or system APIs.
- Context isolation: the page's JavaScript and the preload script run in separate contexts, and the renderer reaches the main process only through a strictly defined communication bridge.
- No node integration: the UI cannot execute arbitrary system commands or access files directly.
Authentication & Encryption
- HMAC-SHA256 challenge-response: communication between the app and the agent runtime is cryptographically authenticated. A random challenge is issued on every connection and the response is validated before any commands are accepted.
- Token-based API access: internal REST APIs use Bearer token authentication with a cryptographically random 128-bit token generated at each startup.
- Secure credential storage: API keys and tokens are stored with restrictive file permissions (chmod 0600) and never transmitted to our servers.
- Loopback-only binding: all internal ports are bound to 127.0.0.1, so no service is reachable from other machines on your network.
- No open ports: Cookie OS does not expose any ports to the internet; all communication happens locally between the app and the container.
- Direct API calls: when you use a third-party AI provider, requests go directly from your machine to the provider. We never proxy or intercept your API traffic.
- Local-first storage: all databases (chat history, kanban, reminders, memory) are SQLite files stored on your machine. Nothing is synced to the cloud.
- Path traversal protection: all file operations validate paths to prevent directory traversal attacks. The agent cannot access files outside its designated workspace.
- Soft-delete with restore: deleted files are moved to a local trash folder rather than permanently removed, giving you a safety net.
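The first three bullets above describe one small protocol, and the added example below (written for this page, not Cookie OS's code) plays both sides of it: the runtime issues a fresh 32-byte challenge per connection and checks the HMAC-SHA256 response in constant time, the app proves possession of the shared key without ever sending it, the 128-bit Bearer token is generated with `secrets` and checked the same way, and secrets are written to disk with mode 0600 from the moment the file exists. How the shared key reaches the container is an assumption here (for instance a 0600 file on the mounted workspace); the page does not say.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

CHALLENGE_BYTES = 32
TOKEN_BYTES = 16          # 128-bit bearer token, regenerated at every startup


def generate_token():
    """Cryptographically random 128-bit API token as 32 hex characters."""
    return secrets.token_hex(TOKEN_BYTES)


def save_secret(path, value):
    """Write a secret so that only the owner can read it (mode 0600). The file
    is created with that mode up front rather than chmod'ed afterwards, so it
    is never world-readable, even briefly. Returns the resulting mode bits."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)
    os.chmod(path, 0o600)   # covers a pre-existing file, whose mode O_CREAT leaves alone
    return oct(path.stat().st_mode & 0o777)


class AgentRuntime:
    """Container side. Holds the shared key and one outstanding challenge per
    connection; a challenge is consumed on first use, so a captured response
    cannot be replayed against a later connection."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.pending = {}

    def new_connection(self, conn_id):
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self.pending[conn_id] = challenge
        return challenge

    def verify(self, conn_id, response):
        challenge = self.pending.pop(conn_id, None)
        if challenge is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(shared_key, challenge):
    """Desktop-app side: prove possession of the key without transmitting it."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def handshake(runtime, client_key, conn_id):
    """The whole exchange on one connection: challenge out, HMAC back, verdict."""
    challenge = runtime.new_connection(conn_id)
    return runtime.verify(conn_id, client_response(client_key, challenge))


def check_bearer(authorization_header, expected_token):
    """Validate an `Authorization: Bearer <token>` header on the internal API."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def demo_secret_mode():
    """Write a fresh token into a throwaway directory and report its mode."""
    with tempfile.TemporaryDirectory() as d:
        return save_secret(Path(d) / "api-token", generate_token())


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # assumed: provisioned out of band
    runtime = AgentRuntime(key)
    print("genuine app:", handshake(runtime, key, "conn-1"))
    print("wrong key:  ", handshake(runtime, b"not-the-key", "conn-2"))
    print("token file: ", demo_secret_mode())
```

Two details carry the security of the exchange: the challenge is popped from `pending` before it is checked, so a replayed response fails even if it was correct the first time, and both comparisons go through `hmac.compare_digest` rather than `==`, so a local process cannot time its way to a valid MAC or token.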
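For the last two bullets, path traversal protection and soft-delete, the added example below (not Cookie OS's code) resolves every requested path against the workspace root before touching it and moves deleted files into a trash folder inside that root. The trash folder name and the demo workspace are assumptions of the example.

```python
import shutil
import tempfile
import time
from pathlib import Path

TRASH_DIR = ".trash"    # assumed name for the local trash folder


class PathOutsideWorkspace(ValueError):
    """Raised when a requested path would land outside the agent's workspace."""


def resolve_in_workspace(workspace, requested):
    """Resolve `requested` against the workspace and refuse anything that
    escapes it: '..' segments, absolute paths (Path's '/' operator discards
    the left side when the right side is absolute) and symlinks that point
    outside. resolve() follows symlinks, so the check is on the real location."""
    root = Path(workspace).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathOutsideWorkspace(requested)
    return candidate


def soft_delete(workspace, requested):
    """Move a file into the workspace's trash instead of unlinking it."""
    target = resolve_in_workspace(workspace, requested)
    trash = Path(workspace).resolve() / TRASH_DIR
    trash.mkdir(exist_ok=True)
    dest = trash / f"{int(time.time() * 1000)}-{target.name}"   # timestamp avoids collisions
    shutil.move(str(target), str(dest))
    return dest


def restore(workspace, trashed, original):
    """Put a trashed file back at its (re-validated) original location."""
    target = resolve_in_workspace(workspace, original)
    shutil.move(str(trashed), str(target))
    return target


def run_demo():
    """Exercise the checks in a throwaway workspace and report the outcomes."""
    ws = Path(tempfile.mkdtemp(prefix="cookie-ws-"))
    (ws / "notes.txt").write_text("keep me")
    (ws / "escape").symlink_to("/etc")       # a symlink an agent might plant
    results = {}
    for requested in ("notes.txt", "../etc/passwd", "/etc/passwd",
                      "escape/passwd", "sub/../../outside"):
        try:
            resolve_in_workspace(ws, requested)
            results[requested] = "allowed"
        except PathOutsideWorkspace:
            results[requested] = "rejected"
    trashed = soft_delete(ws, "notes.txt")
    results["deleted"] = trashed.exists() and not (ws / "notes.txt").exists()
    restore(ws, trashed, "notes.txt")
    results["restored"] = (ws / "notes.txt").read_text()
    shutil.rmtree(ws)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k!r}: {v}")
```

The check is on the resolved path, which is what defeats `escape/passwd`: lexically it lives under the workspace, physically it is `/etc/passwd`. There is still a window between resolving and opening in which a symlink could be swapped; a runtime that wants to close it opens files relative to a directory descriptor (`os.open` with `dir_fd`, or `openat2` with `RESOLVE_BENEATH` on Linux 5.6 and later) instead of trusting a path it validated a moment earlier.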
Reporting Vulnerabilities
If you discover a security issue, please report it responsibly to security@cookieos.app. We take all reports seriously and will respond promptly.