Fortress Mode applies every available hardening option in a single operation. It is designed for users who want the strongest security posture without reading a checklist.

Enable Fortress Mode

bun genosos.mjs agent --message "harden security"
You can also trigger it by typing the same message in the chat interface.

What Fortress Mode enables

| Feature | Description |
| --- | --- |
| macOS Keychain storage | Vault passphrase stored in Keychain — no interactive prompt on startup |
| Buffer zeroing | Secret values zeroed in memory immediately after use |
| SQLite hardening | WAL mode enabled, integrity checks on startup |
| OS exclusions | ~/.genosv1/ excluded from Spotlight indexing and Time Machine backups |
| Vault auto-lock | Vault locks after 30 minutes of inactivity |
| Rate limiting | Gateway endpoints rate-limited to prevent brute-force attacks |

Fortress Mode is idempotent — running it multiple times is safe. It checks current state and only applies what is not already enabled.

Autonomous doctor

The autonomous doctor engine runs 7 automated security checks and can auto-fix common misconfigurations.
genosos doctor
You can also trigger it by telling your assistant:
run security audit
For a deeper scan that includes skill analysis:
config_manage security audit value=deep
The deep scan runs an 8-rule static scanner on all installed skills, checking for exec/spawn calls, eval usage, crypto-mining patterns, data exfiltration, environment harvesting, and obfuscated code.

WebAuthn / Touch ID

GenosOS supports biometric authentication for gateway access using WebAuthn (Touch ID on macOS).
1. Initiate registration. Tell your assistant: “register Touch ID”
2. Complete biometric prompt. A browser overlay appears. Touch the Touch ID sensor on your device.
3. Confirmation. The overlay closes and the agent confirms registration. Touch ID is now required for sensitive gateway operations.

The agent triggers the WebAuthn overlay on demand — you never need to navigate to a settings panel.

DM policies

DM policies control which external senders can reach the agent. Configure per-channel through conversation.

| Policy | Behavior |
| --- | --- |
| pairing | Default. Unknown senders receive an 8-character alphanumeric code. Message not processed until approved. |
| open | Anyone can message. Also set allowFrom: ["*"] to allow all senders. |
| closed | No new DMs accepted from unknown senders. |

To configure a specific channel, tell your assistant:
Set WhatsApp to pairing mode
Set Telegram to closed
Setting dmPolicy to open without also setting allowFrom: ["*"] is a misconfiguration. The autonomous doctor will flag this. GenosOS will warn and refuse to apply the change unless both fields are set together.
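
The rule above (open requires the wildcard, and a change is refused unless both fields arrive together) can be expressed as a small check. This is an added example, not GenosOS code: the per-channel config shape, the function names and the exampleA/exampleB channels are assumptions; only dmPolicy, allowFrom and the three policy values come from this page.

```javascript
// Added example. Assumed config shape: { channelName: { dmPolicy, allowFrom } }.
const DM_POLICIES = ["pairing", "open", "closed"];

// Returns the findings for one channel's DM settings (empty array = OK).
function checkChannel(name, cfg = {}) {
  const policy = cfg.dmPolicy ?? "pairing"; // pairing is the documented default
  const allowFrom = Array.isArray(cfg.allowFrom) ? cfg.allowFrom : [];
  if (!DM_POLICIES.includes(policy)) {
    return [{ channel: name, rule: "unknown-policy", detail: String(policy) }];
  }
  if (policy === "open" && !allowFrom.includes("*")) {
    return [{ channel: name, rule: "open-without-wildcard",
      detail: 'dmPolicy "open" requires allowFrom: ["*"]' }];
  }
  return [];
}

// Audits every channel in a config object.
function auditDmPolicies(channels) {
  return Object.entries(channels).flatMap(([name, cfg]) => checkChannel(name, cfg));
}

// Applies a change only if the resulting channel config passes the check.
// The input object is never mutated; a refused change returns it unchanged.
function applyDmChange(channels, name, patch) {
  const candidate = { ...(channels[name] ?? {}), ...patch };
  const findings = checkChannel(name, candidate);
  if (findings.length > 0) return { applied: false, channels, findings };
  return { applied: true, channels: { ...channels, [name]: candidate }, findings: [] };
}

// Constructed sample configuration (not taken from a real install).
const sample = {
  whatsapp: { dmPolicy: "pairing" },
  telegram: { dmPolicy: "open" },                  // misconfigured: no wildcard
  exampleA: { dmPolicy: "open", allowFrom: ["*"] }, // valid open channel
  exampleB: {},                                     // falls back to pairing
};

console.log(auditDmPolicies(sample));
// Half a change is refused, the paired change is accepted.
console.log(applyDmChange(sample, "whatsapp", { dmPolicy: "open" }).applied);
console.log(applyDmChange(sample, "whatsapp", { dmPolicy: "open", allowFrom: ["*"] }).applied);
```
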

Security audit skill

Run a full security audit at any time:
config_manage security audit
For deep scanning including skills analysis:
config_manage security audit value=deep
The audit checks gateway binding, DM policies, vault status, channel tool restrictions, Keychain integration, audit log integrity, and installed skill safety.