Skip to main content
Comis is designed with security as a priority. Every message, every tool call, and every stored piece of data is protected by multiple layers of defense — most of which work automatically without any configuration.
You don’t need to understand the technical details to use this feature. The configuration examples below are copy-paste ready.
Plain-language summary: Comis assumes someone will eventually try to trick your agent. To make that hard, every message, response, tool call, and saved memory passes through 22 independent checks. If any one check is wrong, the others still hold. Most of them are on by default — you don’t have to do anything.

Security at a Glance

Comis uses a defense-in-depth approach to security. 22 independent protections work together, so if one layer ever fails, the others still keep you safe. Think of it like a castle with walls, a moat, guards, and locked doors — no single protection is the only thing standing between you and a threat.
What it does: Stores your API keys and passwords with AES-256 encryption so they never appear in plain text on disk.Why it matters: If someone gains access to your config files, they still cannot read your secrets without the encryption key.Do I need to configure it? Yes — run the setup wizard to initialize your secrets vault. See Secrets Management for details.
What it does: Scans incoming messages for attempts to trick your agent into ignoring its instructions. This includes detecting hidden commands, role-switching attacks, and other manipulation techniques.Why it matters: Bad actors can craft messages designed to hijack your agent — making it reveal private data or behave in unintended ways. Injection defense catches these attempts before they reach your agent.Do I need to configure it? No — it is on by default. No action needed.
What it does: Sets spending limits per conversation and per day so your agent cannot run up unexpected costs with AI provider API calls.Why it matters: AI API calls cost money. Without budget limits, a runaway conversation or a malicious user could drain your account. Budget protection is your financial safety net.Do I need to configure it? Yes — set your preferred limits in the agent configuration. See Agent Safety for details.
What it does: Requires your sign-off before agents take high-impact actions like deleting files, sending messages to other channels, or modifying system configuration.Why it matters: Some actions are too important to let an AI decide alone. Approval gates give you a human-in-the-loop for anything you consider high-risk.Do I need to configure it? No — approval gates are on by default for destructive actions. See Approvals to customize which actions require approval.
What it does: Prevents your agents from accessing internal network resources or private servers when fetching web content. This blocks a class of attacks known as Server-Side Request Forgery, where a crafted message tricks the system into reaching your internal infrastructure.Why it matters: If your agent can fetch URLs, an attacker might try to make it access internal services (like databases or admin panels) that should never be reachable from the outside.Do I need to configure it? No — it is on by default. No action needed.
What it does: Records every security-relevant action in structured logs — including tool calls, approval decisions, secret access, and configuration changes.Why it matters: You can review exactly what your agents did and when, providing accountability and making troubleshooting straightforward.Do I need to configure it? No — audit logging is on by default. See Audit to learn how to review your logs.
What it does: Embeds invisible tracking markers in your agent’s instructions. If an attacker tries to extract the system prompt, the canary triggers an alert so you know an attempt was made.Why it matters: System prompt extraction is a common attack against AI agents. Canary tokens turn a silent theft into a detectable event.Do I need to configure it? No — canary tokens are inserted automatically. No action needed.
What it does: Checks every agent response for accidentally leaked secrets or sensitive data before the message is sent to the chat.Why it matters: Even if something goes wrong internally, your API keys, passwords, and other sensitive data will not reach the conversation. Output scanning is your last line of defense.Do I need to configure it? No — it is on by default. No action needed.
What it does: Validates and sanitizes everything written to your agent’s long-term memory, assigning trust levels based on the source. System-provided knowledge is trusted more than user-provided messages.Why it matters: An attacker could try to poison your agent’s knowledge by crafting messages designed to be remembered and later recalled as facts. Memory protection prevents this by tagging and validating every memory entry.Do I need to configure it? No — memory protection is automatic. Trust levels are assigned by source.
What it does: Runs every shell command your agent issues inside a kernel-enforced sandbox. On Linux it uses Bubblewrap with full namespace isolation; on macOS it uses Apple’s sandbox-exec. The sandbox limits what files the command can read or write and blocks network access by default.Why it matters: Tool-using agents sometimes need to run commands. A sandbox makes sure that even if the agent is fooled into running something unwanted, the damage stays inside a small isolated playground.Do I need to configure it? No — the sandbox is automatic on supported platforms. See Sandbox Reference to customize allowed paths.
What it does: Drives API-key CLIs (Claude Code included) with the real key kept entirely out of the sandbox. The key stays in the daemon’s encrypted store and is injected at the network boundary — so cat /proc/self/environ inside the sandbox shows only a placeholder, never the real credential.Why it matters: Even a sandboxed process can read its own environment variables. The credential broker removes the key from the environment entirely, so prompt injection or a sandbox escape cannot extract the real API key from inside the namespace.Do I need to configure it? Yes — add an executor.broker.bindings entry for each CLI you want to drive. Two built-in presets are available today: anthropic and finnhub. Credential Broker →
What it does: Protects the gateway — the front door to your daemon — with bearer-token authentication and optional mutual TLS (mTLS) for production deployments. Comparisons are timing-safe so attackers cannot guess tokens by measuring response time.Why it matters: The gateway is how the CLI, web dashboard, and external integrations talk to Comis. Without authentication, anyone who can reach the port could run commands on your agents.Do I need to configure it? Recommended for any non-localhost setup. The setup wizard generates a token automatically. See Hardening to enable mTLS.
What it does: Adds three runtime guards that catch problems as they happen: a circuit breaker that pauses calls to a failing AI provider, a step counter that limits how many tool calls one message can trigger, and a tool output sanitizer that scrubs any leaked credentials from tool results before they reach the model.Why it matters: Stops cascading failures, prevents runaway loops, and keeps secrets from leaking through chained tools.Do I need to configure it? No — runtime safeguards are on by default. See Agent Safety to tune limits.

Want the Full Picture?

Defense in Depth

All 22 defense layers explained in detail

Secrets Management

Managing your API keys and passwords safely

Hardening Guide

Maximize your security posture

Security Reference

Technical security documentation