Security

Callipso is local-first. Your voice, your code, and your session data stay on your machine. No cloud processing, no telemetry of session content, no third-party access to your work.

Core Principles

Local-first

Voice transcription, session data, and terminal communication never leave your machine unless you enable fleet mode.

Protect by default

All local data files use owner-only permissions (0600). AES-256-GCM encryption is available for sensitive fields. Nothing leaves your machine.

Validate at every boundary

Every IPC channel, HTTP endpoint, and shell command is validated and rate-limited independently.

Data at Rest

All data stays on your machine. Session history, transcription results, and search indexes are stored in local SQLite databases and JSON files with owner-only file permissions (0600). An AES-256-GCM encryption layer with domain-separated keys and a Keychain-stored master key is available for sensitive fields like fleet mode payloads.

  • Owner-only file permissions (0600) on all data files
  • All data stored locally — never sent to external servers
  • AES-256-GCM with Keychain-stored keys for fleet payloads
  • Domain-separated key derivation for isolation
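
The scheme described above, sketched in Node.js as an added example (not Callipso's own code). It assumes HKDF-SHA-256 for the domain-separated derivation, a random key standing in for the Keychain-stored master key, and a hypothetical blob layout and label prefix.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');

// Assumption: the real master key lives in the macOS Keychain. A constructed
// random key stands in for it here so the example runs offline.
const masterKey = crypto.randomBytes(32);

// One independent 256-bit key per domain: HKDF with the domain label as `info`.
// The "example/" label prefix and the domain names are hypothetical.
function deriveKey(master, domain) {
  const okm = crypto.hkdfSync('sha256', master, Buffer.alloc(0), `example/${domain}`, 32);
  return Buffer.from(okm);
}

// Assumed blob layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function encryptField(master, domain, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(master, domain), nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Throws if the blob was modified or was encrypted under another domain's key.
function decryptField(master, domain, blob) {
  const key = deriveKey(master, domain);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// `mode` only applies when the file is created and is filtered by umask,
// so chmod afterwards to make an existing file owner-only as well.
function writeOwnerOnly(file, data) {
  fs.writeFileSync(file, data, { mode: 0o600 });
  fs.chmodSync(file, 0o600);
  return fs.statSync(file).mode & 0o777; // permission bits actually on disk
}
```

Because each domain gets its own derived key, a blob copied from one field into another fails GCM authentication instead of decrypting.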

Process Isolation

The renderer runs in a fully sandboxed process. It cannot access the file system, spawn processes, or use Node.js APIs. All communication goes through validated IPC channels.

  • Context isolation enabled
  • OS-level sandbox enabled
  • Node integration disabled
  • Navigation and window-open blocked

IPC and HTTP Hardening

Every IPC channel is registered in a central allowlist. The HTTP server binds to localhost only, with URL-parsed CORS, security headers, request size limits, and per-IP rate limiting.

  • Central channel allowlist with preload validation
  • Per-channel rate limiting by sensitivity tier
  • Localhost-only HTTP binding
  • CSP, X-Frame-Options, and referrer policy headers
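
One way to build the channel allowlist, tiered rate limiting and URL-parsed origin check described above, as an added example (not Callipso's own code). Channel names, tiers, limits and the fixed-window limiter are hypothetical.

```javascript
// Hypothetical tiers: sensitive channels get a much smaller budget per window.
const TIERS = { low: { max: 100, windowMs: 1000 }, high: { max: 5, windowMs: 1000 } };

// A Map keeps prototype keys such as "constructor" from passing as channel names.
const CHANNELS = new Map([
  ['session:list', { tier: 'low', validate: (p) => p === undefined }],
  ['terminal:write', { tier: 'high', validate: (p) => typeof p === 'string' && p.length <= 4096 }],
]);

// Returns check(channel, payload). `now` is injectable so tests can control time.
function createIpcGate(now = Date.now) {
  const windows = new Map(); // channel -> { start, count }
  return function check(channel, payload) {
    const spec = CHANNELS.get(channel);
    if (!spec) return { ok: false, reason: 'unknown-channel' };
    const { max, windowMs } = TIERS[spec.tier];
    const t = now();
    let w = windows.get(channel);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 };
      windows.set(channel, w);
    }
    if (w.count >= max) return { ok: false, reason: 'rate-limited' };
    w.count += 1; // every attempt on a known channel counts, valid or not
    if (!spec.validate(payload)) return { ok: false, reason: 'invalid-payload' };
    return { ok: true };
  };
}

// Parse the Origin header instead of substring-matching it, so a host such as
// "localhost.example.com" is not mistaken for localhost.
function isLocalOrigin(origin) {
  try {
    const u = new URL(origin);
    return (u.protocol === 'http:' || u.protocol === 'https:') &&
      ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
  } catch {
    return false; // missing or malformed Origin header
  }
}
```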

Voice and Transcription Privacy

Speech-to-text runs entirely on your device using CoreML (Apple Neural Engine) or Parakeet (local MLX inference). Audio is never sent to a cloud service. Recordings are processed in memory. Transcription history is stored locally in a SQLite database with owner-only file permissions (0600).

  • On-device STT inference only
  • No cloud audio processing
  • No audio storage after transcription
  • Transcription history in local SQLite with owner-only permissions
  • Microphone access requires explicit macOS permission

Fleet Mode Security

When fleet mode is enabled for multi-machine orchestration, all communication is authenticated and encrypted with per-peer keys. Messages include tamper detection and replay protection.

  • Timing-safe token authentication
  • Per-peer AES-256-GCM payload encryption
  • HMAC message authentication
  • Replay protection with message expiry
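
The authentication and replay checks listed above, as an added Node.js example (not Callipso's own code); payload encryption is left out. The message fields, the 30-second validity window and HMAC-SHA-256 are assumptions.

```javascript
const crypto = require('node:crypto');

// Timing-safe token check. Hashing both sides first gives equal-length
// buffers, which crypto.timingSafeEqual requires.
function tokenMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(String(presented)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// The MAC covers id, timestamp and body in an unambiguous JSON encoding.
function macFor(key, msg) {
  const data = JSON.stringify([msg.id, msg.ts, msg.body]);
  return crypto.createHmac('sha256', key).update(data).digest();
}

// Sender side: `key` is the per-peer key shared with the receiver.
function signMessage(key, body, now = Date.now()) {
  const msg = { id: crypto.randomUUID(), ts: now, body };
  return { ...msg, mac: macFor(key, msg).toString('hex') };
}

// Receiver side: returns 'ok', 'bad-mac', 'expired' or 'replayed'.
function createVerifier(key, maxAgeMs = 30000) {
  const seen = new Map(); // message id -> time after which it is expired anyway
  return function verify(msg, now = Date.now()) {
    const expected = macFor(key, msg);
    const given = Buffer.from(String(msg.mac), 'hex');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return 'bad-mac';
    }
    if (Math.abs(now - msg.ts) > maxAgeMs) return 'expired';
    // Forget ids that the expiry check would now reject on its own.
    for (const [id, exp] of seen) if (exp < now) seen.delete(id);
    if (seen.has(msg.id)) return 'replayed';
    seen.set(msg.id, msg.ts + maxAgeMs);
    return 'ok';
  };
}
```

The expiry window is what keeps the replay cache bounded: an id only has to be remembered for as long as its message would still pass the timestamp check.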

Shell and Input Safety

All shell commands use argument arrays instead of string interpolation to prevent injection. User-facing content is escaped before rendering. Auth tokens are stored in the OS keychain.

  • No shell string interpolation
  • Dedicated sanitization for session IDs and paths
  • HTML escaping on all user-controlled content
  • Terminal input control character stripping
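
The four measures above in Node.js, as an added example (not Callipso's own code). The session ID format, the set of stripped characters and all function names are assumptions, and the child process is Node itself standing in for whatever tool is launched.

```javascript
const { execFileSync } = require('node:child_process');
const path = require('node:path');

// Assumed session ID format: 1-64 letters, digits, "-" or "_".
function sanitizeSessionId(id) {
  if (typeof id !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    throw new Error('invalid session id');
  }
  return id;
}

// Resolve a user-supplied path and refuse anything outside baseDir.
// Lexical check only: symlinks would additionally need fs.realpathSync.
function resolveInside(baseDir, userPath) {
  const base = path.resolve(baseDir);
  const full = path.resolve(base, userPath);
  if (full !== base && !full.startsWith(base + path.sep)) {
    throw new Error('path escapes base directory');
  }
  return full;
}

// Remove C0 controls (keeping tab, LF, CR), DEL and C1 controls, so ESC
// and BEL never reach the terminal.
function stripControlChars(text) {
  return text.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g, '');
}

// Escape the five HTML-significant characters before rendering.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Argument array: `value` becomes exactly one argv entry and no shell parses it,
// so ";", "$( )" and quotes arrive in the child as plain characters.
function echoViaArgv(value) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', script, '--', value], { encoding: 'utf8' });
}
```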

Code Signing and Notarization

Every production build is signed with an Apple Developer certificate and submitted for Apple notarization. macOS Gatekeeper verifies the signature on first launch. The hardened runtime flag enforces code integrity, and entitlements are scoped to exactly what the app requires: microphone access, network communication, and Apple Events for terminal automation.

Frequently Asked Questions

Does Callipso send my data to the cloud?

No. Voice transcription runs on your machine. Session data stays on your machine. The only network calls are authentication (Google/GitHub OAuth) and optional fleet mode on your local network. There is no telemetry server that receives session content.

How is session data protected?

Session history is read from Claude Code's local JSONL files and indexed in a local SQLite database for fast full-text search. All files use owner-only permissions (0600). Data never leaves your machine — the search index, transcription history, and configuration files all stay in your user directory.

Can a compromised plugin access my files?

No. The renderer runs in a sandboxed process with Node.js integration disabled and context isolation enabled. It can only communicate with the main process through validated IPC channels. File system access is restricted to specific handlers that validate paths.

How is fleet mode secured?

Fleet mode uses token authentication with timing-safe comparison, per-peer payload encryption, message authentication, and replay protection. The HTTP server requires authentication on every fleet request.

How is voice transcription history stored?

Transcription results and clipboard entries are stored locally in a SQLite database at ~/Library/Application Support/callipso/clipboard-history.sqlite. The database file has owner-only permissions (0600) and never leaves your machine. The data is searchable via FTS5 full-text search, queried on demand, and paginated so only the visible portion is loaded into memory at any time.

How do I report a security issue?

Email security@callipso.dev. We take all reports seriously and will respond within 48 hours.

For details on data collection and usage, see our Privacy Policy. For terms of use, see our Terms of Service.