Security

Security is Katachi’s number one priority. Here’s how we protect your code, credentials, and communications.

  1. Your code never leaves your machine — The agent runs locally; only structured API calls flow through the tunnel
  2. Zero-trust tunnel — All traffic between the browser, the backend and your agent is encrypted in transit; the agent reaches the backend through Cloudflare's tunnel infrastructure instead of exposing a listening port on your machine
  3. Defense in depth — Multiple layers of authentication and authorization

All communication routes through the Katachi Backend, which acts as a relay. The browser never connects directly to your local machine:

  • Browser ↔ Backend: Standard HTTPS with HSTS
  • Backend ↔ Agent: TLS 1.3 via Cloudflare's encrypted tunnel infrastructure
  • No plaintext traffic on any hop

Credentials and session data are protected at rest:

  • API keys: Stored in your OS keychain, additionally encrypted with a machine-specific key
  • Tunnel credentials: Encrypted on disk using a machine-derived key based on a hardware-bound device fingerprint (MAC address, CPU info, motherboard serial)
  • Local session data: Chat history and workspace memory are stored in a local SQLite database encrypted with SQLCipher, keyed from the same hardware-bound device fingerprint, so a copied database file cannot be opened on another machine
  • Cloud MCP configurations: Any API keys or sensitive environment variables you provide for your managed MCP servers are encrypted at rest in our cloud PostgreSQL database using AES-256-GCM

The hardware-bound keys tie these files to the machine they were created on; their purpose is to stop data theft across machines. They do not, on their own, protect the files from another process running under your own user account on the same machine, since such a process can read the same hardware identifiers.

Users authenticate through an OAuth 2.0 flow, with support for:

  • Social login (GitHub, Google)
  • Email/password

The agent authenticates via a device authorization flow: you approve the connection in your browser, and the agent receives a token for its subsequent requests. Every later agent-to-backend API call (such as heartbeat and activity events) carries an HMAC-SHA256 signature over the request together with a timestamp, which the backend validates against a strict window. A tampered request therefore fails verification, and a captured request can no longer be replayed once its timestamp falls outside that window. Confidentiality against interception on the wire comes from the TLS layers described above, not from the signature.
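The following is an added illustration of the signing scheme described above, not Katachi's own code. It shows both sides of the exchange: the agent signs the method, path, timestamp and body hash with HMAC-SHA256, and the backend rejects bad signatures, stale timestamps and reused requests. The header names, the 60-second window, the nonce (added here so a request cannot be replayed while its timestamp is still inside the window) and the sample heartbeat call are all assumptions made for the example.

```python
# Added example (not Katachi's code): HMAC-SHA256 request signing with a
# strict timestamp window, plus a nonce cache (an assumption of this example,
# not something the page states) so a request cannot be replayed within the window.
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 60  # assumed tolerance for clock skew between agent and backend


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every part of the request into the signed string. Hashing the body
    keeps the string short; newline separators stop fields from running together."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Agent side: returns the headers that carry timestamp, nonce and signature."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Backend side: rejects bad signatures, stale timestamps and reused nonces."""

    def __init__(self, secret, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; entries are dropped once outside the window

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        # Check the timestamp first so stale requests cost no HMAC work.
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        msg = canonical_string(method, path, ts, nonce, body).encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison: no early exit on the first differing byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Expire nonces that would fail the timestamp check anyway, then check reuse.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Constructed scenario: one heartbeat call, then replay, tamper and stale attempts."""
    secret = b"shared-secret-issued-during-device-authorization"  # constructed sample
    body = b'{"status":"alive"}'
    path = "/v1/agent/heartbeat"
    headers = sign_request(secret, "POST", path, body, timestamp=1_700_000_000)
    v = Verifier(secret)
    return {
        "fresh": v.verify("POST", path, body, headers, now=1_700_000_005)[0],
        "replay": v.verify("POST", path, body, headers, now=1_700_000_010)[0],
        "tampered": v.verify("POST", path, b'{"status":"dead"}', headers, now=1_700_000_005)[0],
        "stale": Verifier(secret).verify("POST", path, body, headers, now=1_700_000_500)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'fresh': True, 'replay': False, 'tampered': False, 'stale': False}`. The timestamp check alone only closes the replay window; it is the nonce cache that closes it completely, which is why the example carries both.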

The agent runs AI operations inside a security sandbox. Note that Windows environments currently run without these sandboxing restrictions, so the controls below do not apply there:

  • Command restrictions — AI processes can only execute allowlisted commands
  • File access — Limited to the allowed workspace directories
  • Network — AI processes cannot make arbitrary network requests
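As an added illustration of the first two controls (not Katachi's implementation), the policy checks below show what a command allowlist and workspace-confined file access have to handle to hold up: `..` segments, symlinks that point outside the workspace, a sibling directory that merely shares the workspace's name as a prefix, and an allowlisted program name smuggled in via a path. The workspace layout, the allowlisted commands and the rejected shell metacharacters are assumptions made for this example.

```python
# Added example (not Katachi's code): command allowlist and workspace path
# confinement, written to survive the common bypasses.
import os
import shlex
import shutil
import tempfile


class WorkspacePolicy:
    def __init__(self, workspace_dirs, allowed_commands):
        # Canonicalise the roots once so every comparison is realpath vs realpath.
        self.roots = [os.path.realpath(d) for d in workspace_dirs]
        self.allowed = set(allowed_commands)

    def path_allowed(self, path):
        """True only if the path, after resolving symlinks and '..', lies under an allowed root."""
        real = os.path.realpath(path)
        for root in self.roots:
            # commonpath (not str.startswith) so /work does not admit /work-evil.
            if os.path.commonpath([root, real]) == root:
                return True
        return False

    def command_allowed(self, cmdline):
        """Allowlist on the bare program name. The agent should run argv without a
        shell; rejecting metacharacters here is a conservative second layer (assumed)."""
        if any(c in cmdline for c in ";|&`$<>\n"):
            return False
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quotes
            return False
        if not argv:
            return False
        # "/tmp/git" or "..\\git" must not pass as "git".
        if "/" in argv[0] or "\\" in argv[0]:
            return False
        return argv[0] in self.allowed


def demo():
    """Constructed scenario in a temp dir: a workspace plus a symlink escaping it."""
    base = tempfile.mkdtemp()
    try:
        work = os.path.join(base, "work")
        outside = os.path.join(base, "outside")
        os.makedirs(work)
        os.makedirs(outside)
        link = os.path.join(work, "escape")
        os.symlink(outside, link)
        policy = WorkspacePolicy([work], ["git", "npm", "pytest"])
        return {
            "inside": policy.path_allowed(os.path.join(work, "src", "main.py")),
            "dotdot": policy.path_allowed(os.path.join(work, "..", "outside", "secrets")),
            "symlink": policy.path_allowed(os.path.join(link, "secrets")),
            "prefix": policy.path_allowed(work + "-evil/x"),
            "git_ok": policy.command_allowed("git status --short"),
            "path_trick": policy.command_allowed("/tmp/git status"),
            "chained": policy.command_allowed("git status; curl http://example.invalid"),
            "curl": policy.command_allowed("curl http://example.invalid"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Only `inside` and `git_ok` come back `True`; every escape attempt is rejected. The network control from the third bullet is not shown here because it lives below the process, in namespaces or firewall rules rather than in a path check.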

If you discover a security vulnerability, please report it responsibly:

📧 [email protected]

We take all reports seriously and will respond within 48 hours.