Reference
Security model
Security is enforced at the boundaries, not asserted in copy.
Renderer
The renderer runs with the Chromium sandbox enabled, context isolation on, and Node integration off. It never imports Node, Electron, or native modules.
Execution
PTYs and spawned processes run under your user UID — scoped and guarded, not OS-sandboxed. proc:spawn refuses destructive commands (rm -rf, git reset --hard, git push --force, drop table/database, supabase db reset) at the spawn boundary. The agent exec allowlist is read-oriented; a hard-deny regex blocks shell metacharacters, sudo, and chmod 777.
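The two checks described above, as an added sketch that is not DevAware OS source code: the regex patterns, the allowlist entries, and the function names `checkSpawn` and `checkAgentExec` are assumptions. It goes slightly beyond the commands listed by also matching `rm -fr` and `git push -f`.

```javascript
// Added illustration, not DevAware OS source. All patterns, allowlist entries
// and function names here are assumptions modelled on the page's description.

// Destructive commands the page lists, refused for every spawn.
const DESTRUCTIVE = [
  /\brm\s+-(?=[a-z]*r)(?=[a-z]*f)[a-z]+/i,        // rm -rf, rm -fr
  /\bgit\s+reset\s+--hard\b/i,
  /\bgit\s+push\s(?:.*\s)?(?:--force|-f)\b/i,
  /\bdrop\s+(?:table|database)\b/i,
  /\bsupabase\s+db\s+reset\b/i,
];

// Hard deny for agent exec: shell metacharacters (quotes included, because
// the split below does no quote parsing), sudo, chmod 777.
const HARD_DENY = /[;&|`$<>(){}\\'"\n]|\bsudo\b|\bchmod\s+(?:-\S+\s+)*0?777\b/;

// Read-oriented allowlist: binary -> permitted subcommands (null = any args).
// A real list needs per-flag review; these entries are placeholders.
const READ_ONLY = new Map([
  ["ls", null], ["cat", null], ["pwd", null],
  ["git", new Set(["status", "log", "diff"])],
]);

const deny = (reason) => ({ allowed: false, reason });

// Check applied to any command line before a process is spawned.
function checkSpawn(commandLine) {
  const hit = DESTRUCTIVE.find((re) => re.test(commandLine));
  return hit ? deny("destructive: " + hit.source) : { allowed: true };
}

// Stricter check for agent-initiated exec: hard deny, then the spawn check,
// then the allowlist. Returns argv for child_process.spawn(file, args) with
// the default shell: false, so no shell ever re-parses the string.
function checkAgentExec(commandLine) {
  if (HARD_DENY.test(commandLine)) return deny("hard-deny");
  const spawnCheck = checkSpawn(commandLine);
  if (!spawnCheck.allowed) return spawnCheck;
  const argv = commandLine.trim().split(/\s+/);
  if (!READ_ONLY.has(argv[0])) return deny("not allowlisted");
  const subs = READ_ONLY.get(argv[0]);
  if (subs && !subs.has(argv[1])) return deny("not allowlisted");
  return { allowed: true, argv };
}
```

String matching of this kind is a guardrail on processes that still run under the user's UID, which is why the page describes execution as scoped and guarded rather than OS-sandboxed.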
Secrets
Provider keys are encrypted at rest in the OS keychain and never reach the renderer. .env values are masked before they leave the main process.
Network
A strict production CSP allowlists only localhost, api.anthropic.com, and api.openai.com for outbound connections. The main session denies all permission requests by default.
DevAware OS does not claim to be "fully sandboxed", certified, or audited. It ships built-in safety controls; third-party security tooling is not bundled.