Tasks signed, sandboxed, and exportable as audit trail.

Job inputs reach the runner only through a single chokepoint that refuses anything except HTTPS to public hosts. Loopback, RFC1918 home networks, AWS metadata addresses, and link-local IPs are rejected — even via redirect. Downloads are magic-byte checked: a runner asking for an image cannot be handed a script. No shared state crosses tasks.

The macOS app ships with Apple's hardened runtime, a Developer ID Application signature, and an Apple-notarized + stapled DMG. Gatekeeper verifies all three before launch. Every Sparkle update is also EdDSA-signed with a private key we hold; your Mac refuses any update that doesn't verify against the public key baked into the shipped binary.

The provider app declares the `com.apple.security.network.client` entitlement — and only that. It cannot open sockets, accept inbound connections, or read your camera, microphone, contacts, or files outside its container. All outbound traffic is TLS 1.2+. The blanket ATS exemption that was present in pre-1.5 builds is gone.

The router signs each task assignment with Ed25519. Your Mac refuses anything that doesn't verify against the pinned public key, with a 5-minute clock-skew window and replay protection. On completion, results are co-signed by the executing node and the coordinator; the envelope is exportable as JSONL so you can prove what ran, where, and when.

Your session token lives in the macOS Keychain under kSecAttrAccessibleWhenUnlockedThisDeviceOnly — physically inaccessible to anything running while the screen is locked, and never synced via iCloud Keychain. Existing entries from older builds were upgraded automatically on first launch of 1.5.0.

Model bundles fetched through ModelManager go through a signed manifest. The Mac SHA-256s every byte and refuses any model that doesn't match what we published. A compromised mirror cannot serve a backdoored model — the manifest signature would fail first.