A personal assistant stores your API keys, conversation history, credentials, and memory. GenosOS treats security as a first-class architectural concern, not a configuration checkbox.

Two-layer security architecture

GenosOS uses two distinct layers that serve different purposes and have different trust properties.

Immutable layer

Defined in ## Safety in system-prompt.js at position 4. This layer enforces anti-injection patterns, identity verification, and session integrity. It is hardcoded in the codebase — no agent, user, or external content can modify or delete these rules. This is architectural protection, not just textual policy.

Personalizable layer

Defined in SECURITY.md in your workspace at position 18. This layer covers scope of trust, vault awareness, channel restrictions, and custom red lines. It is editable per-agent and per-workspace, giving you control over policies while leaving the immutable foundation intact.

Security layers

| Layer | Implementation |
| --- | --- |
| Encryption at rest | NYXENC1 (AES-256-GCM, PBKDF2) |
| Key management | macOS Keychain → env → .env fallback |
| Biometric auth | WebAuthn / Touch ID |
| DM policy | Pairing (8-char alphanumeric code) / allowlist / closed |
| Tool execution | Approval gates per tool category |
| Filesystem | Transparent write/edit encryption |
| Audit | Tamper-evident checksums |
| Secrets | Buffer zeroing after use |
| OS hardening | Spotlight + Time Machine exclusion |
| Auto-lock | 30-minute vault timeout |

Gateway binding

The gateway binds to loopback only (127.0.0.1) by default. It refuses to start on a non-loopback interface without an auth token.
Never expose the GenosOS gateway directly to the public internet. For remote access, use SSH tunnels or Tailscale Serve/Funnel while keeping the gateway on loopback.

DM pairing

The default DM policy is pairing: unknown senders receive an 8-character alphanumeric code and their message is not processed until you approve it. Public access requires explicit opt-in (dmPolicy="open" plus "*" in the channel allowlist).

Channel tool restrictions

Not all channels carry the same trust level. GenosOS applies a deny-only pipeline step automatically:
  • WebUI — unrestricted (localhost + WebAuthn already protect this surface)
  • WhatsApp / Telegram / Discord / Signal — exec, bash, and process commands are denied
  • Voice calls — nearly everything denied except session management
This means a WhatsApp contact cannot instruct the agent to run shell commands, even if the agent is otherwise fully capable.

Tamper-evident audit log

All security-relevant events are written to an audit log protected by HMAC checksums. Any modification to a log entry is detectable.
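
How HMAC checksums make a log tamper-evident, as an added example that is not GenosOS's own code: the entry fields, the key handling and the sample events are assumptions. It chains each MAC to the previous entry's MAC, which goes beyond per-entry checksums so that removed or reordered entries are detected as well as modified ones.

```javascript
// Added example: illustrative HMAC-chained audit log. The entry layout, field
// names and key below are assumptions, not GenosOS's actual audit format.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// The MAC covers the previous entry's MAC plus this entry's content, so edits,
// deletions from the middle and reordering all break the chain.
function mac(key, prevMac, entry) {
  const body = JSON.stringify([entry.seq, entry.ts, entry.event, entry.detail]);
  return createHmac('sha256', key).update(prevMac).update('\n').update(body).digest('hex');
}

function append(log, key, event, detail, ts) {
  const prevMac = log.length ? log[log.length - 1].mac : 'genesis';
  const entry = { seq: log.length, ts, event, detail };
  entry.mac = mac(key, prevMac, entry);
  log.push(entry);
  return entry;
}

// Returns { ok: true } or { ok: false, index } for the first entry that fails.
function verify(log, key) {
  let prevMac = 'genesis';
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const expected = Buffer.from(mac(key, prevMac, e), 'hex');
    const actual = Buffer.from(String(e.mac), 'hex');
    const good = e.seq === i && actual.length === expected.length &&
      timingSafeEqual(actual, expected);
    if (!good) return { ok: false, index: i };
    prevMac = e.mac;
  }
  return { ok: true };
}

// Constructed sample events (not real GenosOS log lines).
function demo() {
  const key = randomBytes(32); // in practice the key is held outside the log file
  const log = [];
  append(log, key, 'vault.unlock', 'webauthn', '2025-01-01T10:00:00Z');
  append(log, key, 'dm.pairing.approved', 'telegram', '2025-01-01T10:05:00Z');
  append(log, key, 'tool.denied', 'exec via whatsapp', '2025-01-01T10:06:00Z');
  const clean = verify(log, key);
  const edited = log.map((e) => ({ ...e }));
  edited[1].detail = 'whatsapp';      // in-place modification of one entry
  const dropped = [log[0], log[2]];   // entry removed from the middle
  return { clean, edited: verify(edited, key), dropped: verify(dropped, key) };
}
```

Truncation from the end of the log is not caught by chaining alone; detecting it requires keeping the latest MAC or entry count somewhere separate from the log.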

Automated security checks

Run genosos doctor at any time to surface risky or misconfigured policies. The autonomous doctor engine runs 7 checks and can auto-fix common issues. You can also ask your assistant directly: “run security audit”.

Next steps

Secret vault (NYXENC1)

AES-256-GCM encryption for all config and credentials, with transparent write/edit encryption.

Fortress Mode

One command to enable full hardening: Keychain storage, buffer zeroing, SQLite hardening, and more.