Aartiq
Aartiq
Download
Security Model

Triple-Lock Security

Aartiq uses a defense-in-depth model with three independent security layers: visual sandbox, syntactic firewall, and human-in-the-loop authorization. Source implementations: src/lib/Security.ts, src/lib/SecurityValidator.js, src/core/command-validator.js

3

Security Layers

22

Gated IPC Channels

9

Monitoring-Only Channels

Architecture

The Three Layers

1

Visual Sandbox

The AI perceives web pages through screenshots and OCR rather than raw HTML, making it immune to DOM-based manipulation.

How It Works

  • Full-page screenshots provide visual context
  • Tesseract.js OCR extracts visible text and layout
  • SecureDOMParser analyzes content for injection patterns and strips executable code
  • AI Fortress masks API keys and secrets before content reaches the LLM
  • Source files: src/lib/Security.ts, src/lib/html-sanitizer.js, src/components/ai/SecureDOMReader.ts

Benefits

  • Prevents prompt injection via DOM manipulation
  • No JavaScript can influence AI behavior
  • Hidden elements remain invisible to AI
  • Malicious scripts cannot reach the AI layer
2

Syntactic Firewall

Every command is analyzed for dangerous patterns before execution.

How It Works

  • Commands are scanned for shell primitives (rm -rf, sudo, dd)
  • Encoded payloads and obfuscation are decoded and checked
  • Jailbreak patterns and role-override attempts are blocked
  • Network-based attacks (curl to malicious servers) are prevented
  • Source files: src/lib/SecurityValidator.js, src/core/command-validator.js

Benefits

  • Stops known attack patterns at the gate
  • Prevents accidental destructive commands
  • Provides logging for security audits
  • Custom rules can be added by administrators
Blocked Patterns
rm -rfRecursive delete
sudo Privilege escalation
dd if=Direct disk write
:(){ :|:& };:Fork bomb
eval(base64Encoded payload
curl\s+-Network request
wget\s+Network download
Monitored Patterns
rm File deletion
chmod 777Permission change
kill Process termination
3

Human-in-the-Loop

Critical actions require explicit human approval before execution.

How It Works

  • AI generates a command with proposed action
  • User sees the exact command before execution
  • Medium risk: User can approve with keyboard shortcut
  • High risk: User must scan QR code with mobile app
  • Command only executes after explicit approval
  • Source files: src/main/handlers/permission-handlers.js, src/components/ai/ClickPermissionModal.tsx, src/main/permission-store.js

Benefits

  • No automated execution of destructive commands
  • QR approval ensures physical presence
  • Mobile app confirms identity
  • User approval required for execution

Approval Tiers

Low Risk
Instant / Shift+Tab

Read-only actions, navigation, volume changes

Taking screenshots

Navigating to URLs

Adjusting volume

Medium Risk
Shift+Tab Required

Actions that modify browser state or open apps

Filling forms

Clicking buttons

Opening applications

High Risk
QR Code + Mobile Approval

Shell commands, external app clicks, system changes

Shell command execution

External app automation

File modifications

Threat Model

Threat Scenarios

See how each security layer protects against common attack vectors.

Prompt Injection via Hidden Text

A malicious webpage hides prompt injection instructions in invisible text

Defense

Visual Sandbox prevents the AI from seeing hidden DOM elements. OCR only captures visible, rendered text.

Visual Sandbox

Malicious JavaScript Redirect

A webpage uses JavaScript to redirect the AI to a phishing site

Defense

The AI only sees screenshots of the actual rendered page. JavaScript execution is blocked from the AI's perspective.

Visual Sandbox

Social Engineering via Commands

An attacker tricks the AI into running 'rm -rf /'

Defense

The Syntactic Firewall blocks execution of dangerous shell patterns regardless of how the command is phrased.

Syntactic Firewall

Context Injection via Context Switching

A webpage contains instructions that attempt to override AI behavior

Defense

All user-provided content is filtered for injection patterns before reaching the AI context.

Syntactic Firewall

Unauthorized Shell Execution

AI autonomously executes a destructive shell command

Defense

Human-in-the-Loop requires explicit approval for all shell commands. High-risk commands require QR approval.

HITL

Remote Code Execution

AI is tricked into downloading and running malicious code

Defense

Shell commands requiring downloads are blocked by default. User approval ensures no unauthorized code execution.

HITL + Firewall

Permissions

Permission Levels

Screen Reading

Required for AI to see page content

Required

Shell Execution

Required for terminal commands

High Risk

App Launching

Required for opening applications

Medium Risk

File System Access

Required for PDF generation and downloads

Required

Network Access

Required for web browsing and API calls

Required

Clipboard Access

Required for copy/paste functionality

Medium Risk

High-Risk Actions

QR Code Approval

Mobile App Approval

High-risk actions require physical confirmation via the Aartiq mobile app.

1
Action Triggered

AI attempts high-risk command

2
QR Displayed

Desktop shows unique QR code

3
Scan & Verify

Mobile app scans QR

4
PIN Confirmation

Enter 6-digit verification code

5
Command Executed

Action proceeds after approval

Security Guarantees

  • QR codes are single-use only
  • Each QR code is cryptographically unique
  • PIN codes are generated per-session
  • Mobile must be paired via secure handshake
  • Failed attempts are logged with timestamps
  • All approvals are logged with timestamps

Encryption

E2E Encryption

AES-256-GCM

All sensitive data at rest is encrypted using AES-256-GCM with authenticated encryption and PBKDF2 key derivation.

AlgorithmAES-256-GCM
Key DerivationPBKDF2-SHA256
Iterations600,000
IV Length12 bytes

Implementation

Authenticated encryption (GCM mode) — tampered ciphertext is rejected
Random salt + IV per encryption operation
PBKDF2 key derivation with 600,000 iterations (OWASP 2023+)
No silent fallback — encryption requires a passphrase or throws
encodeLocalOnly() as an explicit escape hatch for non-sensitive data

Use Cases

Sync credentialsEncrypted with user passphrase
API keysAES-256-GCM with derived key
Chat historyEnd-to-end encrypted sync
File transfersP2P encrypted relay

Source: src/lib/crypto-utils.ts

API Key Storage

API Key Protection

Key Redaction

API keys are automatically masked in logs and console output

Bearer|token|api[_-]?key|secret[REDACTED]

Secure Storage

Keys stored in encrypted electron-store with OS keychain integration

Environment Isolation

Keys are never exposed to renderer process without explicit access

Auto-Masking

AI prompts are scrubbed for API keys before processing

sk-... (OpenAI)AIza... (Google)anthropic-... (Anthropic)gsk_... (Groq)

Source Files

src/lib/firebaseConfigStorage.ts, src/lib/shared-keychain.js

Token Generation

Method

crypto.getRandomValues()

Entropy

256-bit CSPRNG

Uses

Session tokens, pairing codes, QR verification

Capability Model

Capability-Scoped

Instead of trying to detect dangerous requests via regex, the system constrains what actions the AI can invoke at all — each with its own approval policy.

Register

Each allowed action is explicitly registered with a named handler and an approval tier. If an action isn't registered, it doesn't exist as a callable surface. The controller is wired into both the main process (main.js) and the command executor (command-executor.js).

registerAction({
name: "click_element",
requiresApproval: "first-time-per-session"
})

Execute

Execution is gated by the controller. Unregistered actions are rejected outright. Registered actions are allowed or queued for approval based on their tier.

neverApproved automatically (read-only)
first-time-per-sessionApproved once per session
alwaysRequires explicit confirmation each time

Why this matters

Regex-based threat detection can be bypassed — obfuscation, synonyms, and encoding all defeat pattern matching. A capability-scoped model doesn't try to detect danger in text; it removes the dangerous primitive from the attack surface entirely. If there's no registered run_shell_command action, no amount of prompt injection can invoke one.