Security / local-first boundaries

Explore Better security model

Powerful local tools should expose less authority than the user who launched them, not more.

Explore Better

Separate boundaries for separate jobs

The renderer, local backend, filesystem helper, terminal service, elevated terminal broker, and MCP sidecar each receive only the interface needed for their role.

Desktop boundary

The Electron renderer uses a narrow preload bridge; navigation and external links are restricted, and the HTTP backend is loopback-only with a launch capability.

MCP boundary

Local stdio forwards typed requests over an authenticated, same-user named pipe keyed to a revocable profile.

Elevation boundary

The main app stays non-elevated. A UAC-approved headless broker owns exactly one administrator ConPTY session when explicitly requested.

Explore Better

Writes are transactions

Copies, moves, overwrites, and AI-planned mutations use staging, backups, durable journal phases, source-removal tracking, cancellation, recovery, and undo.

Plan binding

Apply tokens bind the profile, session, operation, normalized paths, conflict policy, plan digest, and filesystem signatures.

Path controls

Canonicalization and reparse-point resolution block root escape, device paths, alternate streams, app state, journals, and drive-root deletion.

Local audit

Thirty-day rotating records capture policy and operation metadata without storing file contents or capability tokens.