Security
Terminal contents never logged. Private keys never leave your device.
Key management
- Default new key: software Ed25519 via CryptoKit. Stored in Keychain (WhenUnlockedThisDeviceOnly).
- Hardware-backed option: Secure Enclave ECDSA P-256. Biometric-gated. Never exportable.
- Imported keys stored in Keychain. Optional iCloud Keychain sync per-key.
- Session secrets held in CryptoKit memory only. Never persisted.
- Private keys never stored in CloudKit.
Transport security
- SSH: ChaCha20-Poly1305, AES-256-GCM, AES-256-CTR. Legacy ciphers available per-host with warning.
- Mosh: AES-128-OCB3 over UDP. Interoperable with upstream mosh-server.
- Backend API: TLS 1.3 to Cloudflare Workers. App Attest assertion on every request from native app.
- Web sessions: TLS 1.3 to Vercel. Sign in with Apple or magic link email. No App Attest (not available in browsers).
What we never collect
- Terminal contents. Not in logs, crash reports, diagnostics, or telemetry. Enforced by code invariant.
- SSH private keys. Not in CloudKit, not in backend, not in any analytics.
- Passwords. Keychain only. Never transmitted except to the SSH server during authentication.
- Command history (unless you opt in to iCloud sync).
- Location, contacts, photos, browsing history.
Safety rails
- Destructive command detector: regex + light AST for rm -rf, dd, mkfs, chmod 777, DROP TABLE.
- Tier-gated escalation: highlight, confirm, AI review, per-host prod safe mode, ninja-mode bypass.
- Paste safeguards: multiline confirm, risky-pattern highlight.
- OSC 52 clipboard: consent prompt on first access.
- Password masking: redacted from recordings and screenshots at write-time.
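The "regex + light AST" approach from the destructive command detector bullet, as an added Python example rather than the app's own detector: shell tokenization separates real commands from quoted arguments before the rules run, and a regex covers SQL. The function names and the rule details (for example, flagging dd only when of= is present) are assumptions.

```python
import re
import shlex
# Constructed rules for the five patterns the list names; all names are hypothetical.
SQL_DROP = re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE)
WRAPPERS = {"sudo", "doas", "nohup", "time", "env"}

def split_commands(line):
    """Tokenize shell-style, then split into simple commands at ; | & ( )."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok and all(c in ";|&()" for c in tok):  # operator: command boundary
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c for c in commands if c]

def classify(argv):
    """Return the rule one simple command triggers, or None."""
    while argv and (argv[0] in WRAPPERS or re.fullmatch(r"\w+=.*", argv[0])):
        argv = argv[1:]  # skip sudo/env wrappers and VAR=value prefixes
    if not argv:
        return None
    name, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    short = "".join(a[1:] for a in args if re.fullmatch(r"-[A-Za-z]+", a))
    if name == "rm":
        recursive = "r" in short.lower() or "--recursive" in args
        force = "f" in short or "--force" in args
        return "rm -rf" if recursive and force else None
    if name == "dd":  # assumption: only writes (of=...) are destructive
        return "dd" if any(a.startswith("of=") for a in args) else None
    if name == "mkfs" or name.startswith("mkfs."):
        return "mkfs"
    if name == "chmod" and any(re.fullmatch(r"0?777", a) for a in args):
        return "chmod 777"
    return None

def detect(line):
    """Return the sorted rule names a typed or pasted line triggers."""
    hits = {"DROP TABLE"} if SQL_DROP.search(line) else set()
    try:
        commands = split_commands(line)
    except ValueError:  # unbalanced quote: fall back to a naive split
        commands = [line.split()]
    hits.update(rule for rule in map(classify, commands) if rule)
    return sorted(hits)
```

After tokenization a quoted ";" looks the same as the operator, so this splitter errs toward flagging in that case.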
App security
- Hardened Runtime on macOS. Only com.apple.security.cs.allow-jit entitlement (for JavaScriptCore snippets).
- App Sandbox on all platforms.
- Notarized via Xcode Cloud.
- Supply chain: exact version pinning (SPM, Cargo, pnpm). cargo audit + swift package audit + pnpm audit in CI.
- App Attest binds API requests to the signed binary. Bots and tampered apps rejected.
Security disclosure
Report vulnerabilities to security@tapterminal.dev. 90-day disclosure window. No legal action against good-faith researchers. See security.txt.