Triple-Lock Security
Aartiq uses a defense-in-depth model with three independent security layers: visual sandbox, syntactic firewall, and human-in-the-loop authorization. Source implementations: src/lib/Security.ts, src/lib/SecurityValidator.js, src/core/command-validator.js
3
Security Layers
22
Gated IPC Channels
9
Monitoring-Only Channels
Architecture
The Three Layers
Visual Sandbox
The AI perceives web pages through screenshots and OCR rather than raw HTML, making it immune to DOM-based manipulation.
How It Works
- Full-page screenshots provide visual context
- Tesseract.js OCR extracts visible text and layout
- SecureDOMParser analyzes content for injection patterns and strips executable code
- AI Fortress masks API keys and secrets before content reaches the LLM
- Source files: src/lib/Security.ts, src/lib/html-sanitizer.js, src/components/ai/SecureDOMReader.ts
Benefits
- Prevents prompt injection via DOM manipulation
- No JavaScript can influence AI behavior
- Hidden elements remain invisible to AI
- Malicious scripts cannot reach the AI layer
Syntactic Firewall
Every command is analyzed for dangerous patterns before execution.
How It Works
- Commands are scanned for shell primitives (rm -rf, sudo, dd)
- Encoded payloads and obfuscation are decoded and checked
- Jailbreak patterns and role-override attempts are blocked
- Network-based attacks (curl to malicious servers) are prevented
- Source files: src/lib/SecurityValidator.js, src/core/command-validator.js
Benefits
- Stops known attack patterns at the gate
- Prevents accidental destructive commands
- Provides logging for security audits
- Custom rules can be added by administrators
Blocked Patterns
rm -rfRecursive deletesudo Privilege escalationdd if=Direct disk write:(){ :|:& };:Fork bombeval(base64Encoded payloadcurl\s+-Network requestwget\s+Network downloadMonitored Patterns
rm File deletionchmod 777Permission changekill Process terminationHuman-in-the-Loop
Critical actions require explicit human approval before execution.
How It Works
- AI generates a command with proposed action
- User sees the exact command before execution
- Medium risk: User can approve with keyboard shortcut
- High risk: User must scan QR code with mobile app
- Command only executes after explicit approval
- Source files: src/main/handlers/permission-handlers.js, src/components/ai/ClickPermissionModal.tsx, src/main/permission-store.js
Benefits
- No automated execution of destructive commands
- QR approval ensures physical presence
- Mobile app confirms identity
- User approval required for execution
Approval Tiers
Low Risk
Instant / Shift+TabRead-only actions, navigation, volume changes
• Taking screenshots
• Navigating to URLs
• Adjusting volume
Medium Risk
Shift+Tab RequiredActions that modify browser state or open apps
• Filling forms
• Clicking buttons
• Opening applications
High Risk
QR Code + Mobile ApprovalShell commands, external app clicks, system changes
• Shell command execution
• External app automation
• File modifications
Threat Model
Threat Scenarios
See how each security layer protects against common attack vectors.
Prompt Injection via Hidden Text
A malicious webpage hides prompt injection instructions in invisible text
Defense
Visual Sandbox prevents the AI from seeing hidden DOM elements. OCR only captures visible, rendered text.
Malicious JavaScript Redirect
A webpage uses JavaScript to redirect the AI to a phishing site
Defense
The AI only sees screenshots of the actual rendered page. JavaScript execution is blocked from the AI's perspective.
Social Engineering via Commands
An attacker tricks the AI into running 'rm -rf /'
Defense
The Syntactic Firewall blocks execution of dangerous shell patterns regardless of how the command is phrased.
Context Injection via Context Switching
A webpage contains instructions that attempt to override AI behavior
Defense
All user-provided content is filtered for injection patterns before reaching the AI context.
Unauthorized Shell Execution
AI autonomously executes a destructive shell command
Defense
Human-in-the-Loop requires explicit approval for all shell commands. High-risk commands require QR approval.
Remote Code Execution
AI is tricked into downloading and running malicious code
Defense
Shell commands requiring downloads are blocked by default. User approval ensures no unauthorized code execution.
Permissions
Permission Levels
Screen Reading
Required for AI to see page content
Shell Execution
Required for terminal commands
App Launching
Required for opening applications
File System Access
Required for PDF generation and downloads
Network Access
Required for web browsing and API calls
Clipboard Access
Required for copy/paste functionality
High-Risk Actions
QR Code Approval
Mobile App Approval
High-risk actions require physical confirmation via the Aartiq mobile app.
Action Triggered
AI attempts high-risk command
QR Displayed
Desktop shows unique QR code
Scan & Verify
Mobile app scans QR
PIN Confirmation
Enter 6-digit verification code
Command Executed
Action proceeds after approval
Security Guarantees
- QR codes are single-use only
- Each QR code is cryptographically unique
- PIN codes are generated per-session
- Mobile must be paired via secure handshake
- Failed attempts are logged with timestamps
- All approvals are logged with timestamps
Encryption
E2E Encryption
AES-256-GCM
All sensitive data at rest is encrypted using AES-256-GCM with authenticated encryption and PBKDF2 key derivation.
AES-256-GCMPBKDF2-SHA256600,00012 bytesImplementation
Use Cases
Source: src/lib/crypto-utils.ts
API Key Storage
API Key Protection
Key Redaction
API keys are automatically masked in logs and console output
Bearer|token|api[_-]?key|secret→ [REDACTED]Secure Storage
Keys stored in encrypted electron-store with OS keychain integration
Environment Isolation
Keys are never exposed to renderer process without explicit access
Auto-Masking
AI prompts are scrubbed for API keys before processing
sk-... (OpenAI)AIza... (Google)anthropic-... (Anthropic)gsk_... (Groq)Source Files
src/lib/firebaseConfigStorage.ts, src/lib/shared-keychain.js
Token Generation
Method
crypto.getRandomValues()Entropy
256-bit CSPRNGUses
Session tokens, pairing codes, QR verification
Capability Model
Capability-Scoped
Instead of trying to detect dangerous requests via regex, the system constrains what actions the AI can invoke at all — each with its own approval policy.
Register
Each allowed action is explicitly registered with a named handler and an approval tier. If an action isn't registered, it doesn't exist as a callable surface. The controller is wired into both the main process (main.js) and the command executor (command-executor.js).
Execute
Execution is gated by the controller. Unregistered actions are rejected outright. Registered actions are allowed or queued for approval based on their tier.
neverApproved automatically (read-only)first-time-per-sessionApproved once per sessionalwaysRequires explicit confirmation each timeWhy this matters
Regex-based threat detection can be bypassed — obfuscation, synonyms, and encoding all defeat pattern matching. A capability-scoped model doesn't try to detect danger in text; it removes the dangerous primitive from the attack surface entirely. If there's no registered run_shell_command action, no amount of prompt injection can invoke one.