Security

Architecture

FaynOS is local-first. Agent code, prompts, run outputs, credentials, and all execution data remain on your machine. The attack surface of the cloud layer is limited to account management, licence validation, and store metadata.

Secrets

All secrets stored in the Vault are encrypted at rest using AES-256-GCM with a key derived from your device identity. Raw secret values never appear in IPC responses, SDK return values, log files, or run records.

Agent sandboxing

Each agent runs in an isolated Node.js child_process. The kernel shares no memory with agent execution. Agents are capability-gated: a RESTRICTED agent cannot make outbound HTTP calls, access the filesystem, or call LLMs beyond what its profile permits. These restrictions are enforced by the SDK at the call site, not by trust.

Web platform

The web API runs on Cloudflare Workers. Sessions are HttpOnly, Secure, SameSite=Lax cookies. Passwords are hashed with PBKDF2-SHA256 at 210,000 iterations. Licence tokens are HMAC-signed with a server secret. All inputs are validated with Zod before any handler runs.
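
How a PBKDF2-SHA256 password record at 210,000 iterations can be created and verified, shown as an added example that is not FaynOS code. It uses Node's built-in crypto module; the record format, salt length, key length and function names are assumptions made for illustration.

```javascript
// Added example (not FaynOS code): PBKDF2-SHA256 password records.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 210000; // iteration count stated on this page
const KEY_LEN = 32;        // assumption: 32-byte derived key
const SALT_LEN = 16;       // assumption: 16-byte random salt per password

// Assumed record format: pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>
// Storing the parameters with the hash lets the iteration count be raised later.
function hashPassword(password, iterations = ITERATIONS) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const dk = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  return ["pbkdf2-sha256", iterations, salt.toString("base64"), dk.toString("base64")].join("$");
}

// Returns { ok, needsRehash }. Malformed records fail closed.
function verifyPassword(password, record) {
  const fail = { ok: false, needsRehash: false };
  if (typeof record !== "string") return fail;
  const parts = record.split("$");
  if (parts.length !== 4 || parts[0] !== "pbkdf2-sha256") return fail;
  // Reject zero, negative or non-numeric counts; the digit limit also
  // bounds the work a corrupted record can force per login attempt.
  if (!/^[1-9]\d{0,6}$/.test(parts[1])) return fail;
  const iterations = Number(parts[1]);
  const salt = Buffer.from(parts[2], "base64");
  const expected = Buffer.from(parts[3], "base64");
  if (salt.length === 0 || expected.length !== KEY_LEN) return fail;
  const actual = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  // Constant-time comparison; both buffers are KEY_LEN bytes at this point.
  const ok = nodeCrypto.timingSafeEqual(actual, expected);
  // A correct password on a record below the current count should be re-hashed.
  return { ok, needsRehash: ok && iterations < ITERATIONS };
}
```

When `needsRehash` is true, the caller replaces the stored record with `hashPassword(password)` while it still holds the plaintext from the login request.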

Responsible disclosure

If you discover a security vulnerability, please report it to security@faynos.com. Please do not open a public GitHub issue for security reports. We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities within 14 days.

We do not currently offer a bug bounty programme, but we will credit researchers who report valid vulnerabilities in our changelog and public acknowledgements.