Comis assumes the LLM will be attacked. Every message your agent reads could contain a hidden instruction. Every web page it fetches could carry an injected payload. Every tool call could be a step toward exfiltration or destruction. Comis is built around that assumption: 22 categorical defenses (24 distinct security primitives in the code) work together so no single failure compromises your system. Most of these protections work automatically — you benefit from them without configuring anything. This page introduces the security model, explains what happens behind the scenes, and points you to the detailed guides for each security feature.

Security Philosophy

Comis follows three core principles that shape every security decision in the platform. Understanding these principles helps you make sense of how the various security features work together and why they are designed the way they are.

Defense in Depth

No single layer is expected to catch everything. Multiple overlapping protections mean that if one layer misses something, the next layer catches it. Your messages pass through input validation, jailbreak detection, output scanning, and more — each layer operating independently. Think of it like a castle with walls, a moat, guards, and locked doors — no single protection is the only thing keeping you safe. The platform groups its protections into eight defensive categories — perimeter, secrets, network, process isolation, access control, memory, detection, transport — spanning 22 categorical layers (or 24 distinct primitives, depending on how you count). For the full catalog of every security layer and how they connect, see Defense in Depth.

Secure by Default

Comis ships with sensible security defaults. Audit logging is on, destructive action confirmation is required, log redaction prevents credential leaks, and content scanning blocks dangerous skills. You do not need to be a security expert to run a safe setup. The majority of protections listed below are active the moment you start Comis — no configuration file edits required.

Fail Closed

When something unexpected happens, Comis errs on the side of caution. Unknown actions are treated as destructive. Unrecognized content patterns trigger warnings. Timeouts result in denial, not approval. If Comis is unsure whether something is safe, it assumes it is not. This means new tools and new action types are restricted by default until you explicitly allow them.
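The fail-closed rule above, shown as a small action gate. This is an added example written for this page, not Comis code: the ActionGate class, the action names, the approver callback interface and the 30-second budget are all assumptions made for the illustration. It shows the three decisions the text describes in one place: an action missing from the safe list is destructive, a destructive action is allowed only if an operator explicitly allowed it or a human explicitly approved it, and an approval that never arrives is a denial.

```python
"""Fail-closed action gate (hypothetical; not Comis code).

Unknown actions are destructive, destructive actions need an explicit allow or
an explicit human approval, and a timed-out approval request is a denial.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional

# An approver receives (action, timeout_seconds) and returns True (approved),
# False (rejected) or None (no answer before the deadline). Assumed interface.
Approver = Callable[[str, float], Optional[bool]]


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class ActionGate:
    # Actions explicitly known to be safe (constructed sample list).
    safe_actions: FrozenSet[str] = frozenset({"file.read", "web.fetch", "memory.search"})
    # Destructive actions the operator has explicitly allowed without approval.
    allowed_destructive: FrozenSet[str] = frozenset()
    # Wall-clock budget a human has to answer an approval request.
    approval_timeout_s: float = 30.0

    def is_destructive(self, action: str) -> bool:
        """Fail closed: anything not on the safe list counts as destructive."""
        return action not in self.safe_actions

    def decide(self, action: str, approver: Optional[Approver] = None) -> Verdict:
        if not self.is_destructive(action):
            return Verdict.ALLOW
        if action in self.allowed_destructive:
            return Verdict.ALLOW
        if approver is None:
            return Verdict.DENY            # nobody to ask: deny, do not guess
        answer = approver(action, self.approval_timeout_s)
        # Only an explicit True approves; False and None (timeout) both deny.
        return Verdict.ALLOW if answer is True else Verdict.DENY


# Constructed approvers standing in for a real human-in-the-loop channel.
def approver_that_times_out(action: str, timeout_s: float) -> Optional[bool]:
    return None


def approver_that_approves(action: str, timeout_s: float) -> Optional[bool]:
    return True


if __name__ == "__main__":
    gate = ActionGate()
    for name in ("file.read", "system.exec", "brand.new.tool"):
        print(name, gate.decide(name, approver_that_times_out).value)
```

The gate never asks "is this action dangerous?"; it asks "has anyone positively established that it is safe?", which is why a newly added tool is blocked until it appears in one of the two allow sets.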

What Works Automatically

These protections are active out of the box with zero configuration. They protect you from the moment you start Comis. You do not need to enable them, configure them, or even know they exist — they just work.
  • Input validation catches malformed or oversized messages before they reach your agent
  • Jailbreak detection scans for manipulation attempts using 65 distinct injection patterns across 8 categories (jailbreak phrasing, role markers, dangerous commands, secret formats, prompt extraction, credential logging, invisible characters, content scanner)
  • Injection rate limiting detects persistent manipulation attempts from the same user over time
  • External content wrapping isolates fetched web pages and emails so hidden instructions cannot hijack your agent
  • Content scanning checks custom skill content for dangerous patterns before loading
  • Output scanning checks every response for leaked secrets and redacts them before they reach the user
  • Canary tokens detect prompt extraction attacks by embedding invisible trackers in system prompts
  • SSRF protection blocks requests to internal networks and cloud metadata endpoints (AWS/GCP/Azure 169.254.169.254, AWS ECS 169.254.170.2, Alibaba 100.100.100.200)
  • Path traversal prevention blocks file system escape attempts (../, URL-encoded, null byte, symlink escapes)
  • Exec sandbox wraps every shell command in an OS-level filesystem namespace (bubblewrap on Linux, sandbox-exec on macOS) so the system.exec tool cannot bypass file-tool path checks
  • Memory write validation prevents memory poisoning by scanning content before storage
  • Log sanitization scrubs 18 credential patterns from log output
  • Config redaction hides secrets from API responses and dashboard views
  • Email sender filter rejects messages from non-allowlisted senders and auto-detects bulk/automated mail (RFC 3834 Auto-Submitted, Precedence, List-Unsubscribe headers)
All of the above are active with zero configuration. They protect you from the moment you start Comis.
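Two of the gates in the list above, the SSRF destination guard and the path traversal guard, written out as stand-alone checks. This is an added example for this page, not Comis code: the function names, the explicit denied-network list, the static-resolver helper and the sample inputs are assumptions made for the illustration; the three cloud metadata addresses are the ones the list names. Both checks fail closed: a URL whose host cannot be resolved, or that resolves to even one internal address, is refused, and a path that decodes to anything outside the workspace (after unwinding percent-encoding, rejecting null bytes and resolving symlinks) is refused.

```python
"""SSRF destination guard and workspace path guard (added example, not Comis code)."""
import ipaddress
import os
import socket
import tempfile
import urllib.parse

# Explicit denylist so the verdict does not depend on which ranges a given
# Python version's ipaddress.is_private()/is_global() happen to cover.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # AWS/GCP/Azure 169.254.169.254 and AWS ECS 169.254.170.2
    "100.64.0.0/10",    # carrier-grade NAT; Alibaba's 100.100.100.200 is here
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def _system_resolver(host: str) -> list:
    """Default resolver: every address the OS returns for the name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def make_static_resolver(table: dict):
    """Offline resolver for demos and tests; unknown names fail like DNS would."""
    def resolve(host: str) -> list:
        if host not in table:
            raise OSError(f"no such host: {host}")
        return table[host]
    return resolve


def _is_denied_address(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    # ::ffff:169.254.169.254 is the metadata address in IPv6 clothing.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in DENIED_NETWORKS)


def is_blocked_url(url: str, resolve=_system_resolver) -> bool:
    """True if the agent must not fetch this URL. Fails closed on anything odd."""
    parsed = urllib.parse.urlsplit(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return True
    try:
        ipaddress.ip_address(host)
        addresses = [host]                 # IP literal: nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return True                    # unresolvable => deny
    if not addresses:
        return True
    try:
        # One denied address among several is enough: the fetch could land on it.
        return any(_is_denied_address(a) for a in addresses)
    except ValueError:
        return True                        # resolver returned garbage => deny


def resolve_within(workspace: str, requested: str):
    """Absolute path for `requested` inside `workspace`, or None if it escapes.

    Covers ../ segments, percent-encoding (including double encoding), null
    bytes, absolute paths, and symlinks whose target lies outside the workspace.
    """
    decoded = requested
    for _ in range(3):                     # unwind nested encoding
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    root = os.path.realpath(workspace)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def make_demo_workspace() -> str:
    """Constructed fixture: a temp dir with notes/ and a symlink to its parent."""
    ws = tempfile.mkdtemp(prefix="agent-ws-demo-")
    os.mkdir(os.path.join(ws, "notes"))
    os.symlink(os.path.dirname(ws), os.path.join(ws, "escape"))
    return ws


if __name__ == "__main__":
    resolver = make_static_resolver({"www.example.com": ["93.184.216.34"]})
    for u in ("http://169.254.169.254/", "http://[::ffff:169.254.169.254]/",
              "https://www.example.com/page"):
        print(u, "blocked" if is_blocked_url(u, resolver) else "ok")
    ws = make_demo_workspace()
    for p in ("notes/todo.md", "..%2F..%2Fetc%2Fpasswd", "escape/anything"):
        print(p, resolve_within(ws, p))
```

The resolver is injected so the check can be exercised offline; a deployment would keep the default and, ideally, connect to the exact address it validated rather than letting the HTTP client resolve the name a second time.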

What You Configure

While automatic protections handle most threats, a few security features need setup or explicit enablement to match your specific deployment requirements. These are optional but recommended for production environments.
  • Encrypted secrets store — Protect your API keys with AES-256 encryption at rest. See Secrets.
  • Approval workflow — Require human approval before agents perform destructive actions. See Approvals.
  • Tool policy — Restrict which tools each agent can use based on its role. See Tool Policy.
  • Hardening checklist — Tighten file permissions, gateway security, and more for production deployments. See Hardening.
  • Audit logging — Already enabled by default, but review what is captured and how to access it. See Audit.
If you are just getting started, you do not need to configure any of these right away. The automatic protections provide strong baseline security. Come back to this section when you are ready to prepare for production.

Quick Security Check

Not sure how your installation stacks up? Comis includes a built-in security audit that checks your configuration against recommended practices.
comis doctor
The audit examines configuration, daemon, gateway, channel, and workspace health across all check categories — then tells you exactly what to fix and how to fix it. See Hardening for the full checklist and walkthrough.

Explore Security

  • Defense in Depth: all 22 layers (24 primitives) explained
  • Secrets: managing API keys and passwords safely
  • OAuth: subscription-based authentication for Codex
  • Approvals: human-in-the-loop action approval
  • Audit: audit logging and compliance
  • Skill Sandbox: multi-layer protection for custom skills
  • Exec Sandbox: OS-level isolation for the exec tool
  • Hardening: production hardening checklist
  • Security Quick Overview: the 2-minute security overview
  • Agent Safety: budget limits and circuit breaker