Security & safety

Built to stop before
it guesses.

Tab closure is destructive enough to deserve a transaction boundary. A saved snapshot and receipt are prerequisites—not cleanup after the fact.

Safety invariants

Rules the model cannot talk its way around.

01

Unknown means keep

Models cannot authorize closure of unknown or risky state. A user must deliberately override the warning for that exact tab.

02

Receipt before close

The lifecycle requires snapshot persistence, analysis completion, and receipt persistence before closure starts.

03

Close exact tab IDs

The reviewed plan names concrete tab IDs. Restore data never grants permission to close a different future tab.

04

Check internal consistency

Separate SHA-256 values are recomputed for the snapshot and receipt payload. They catch corruption or edits whose values were not recomputed; they are not signatures or tamper evidence.

05

Bound the artifact

After strict parsing, portable verification rejects receipts or snapshots above 10 million JavaScript characters or 5,000 tabs; relay schemas apply tighter field limits. This is not a pre-parse byte limit.

06

Redact before remote

When remote analysis is selected, known secret patterns are removed before transmission.

Threat boundary

The browser page is untrusted input.

Titles, URLs, page text, favicons, and model output can be misleading or malicious. They are data, never instructions. Deterministic policy remains outside the model.

  • Strict schemas reject extra model fields and invalid decisions.
  • Unsupported schemes are not eligible for automatic closure.
  • Incognito is unsupported. Pinned, audible, and detected stateful pages are protected by default; merely selected is not a risk.
  • Receipt verification checks schema, references, outcomes, and embedded integrity values for internal consistency.

Restore is recovery, not time travel.

A receipt can reopen URLs in a useful order. It cannot reconstruct every volatile application state. Authentication, forms, carts, live media, scroll positions, POST requests, expired signed URLs, and content changed by a site may be gone.

That limitation is why potentially stateful tabs should remain open. A restore button is not permission to close a risky tab.

Reporting

Security work should be specific and reproducible.

This is a pre-release codebase. Use the contact route for responsible disclosure; include the affected version, browser, minimal reproduction, and impact.

Use the repository’s private vulnerability-reporting route. Configure NEXT_PUBLIC_CONTACT_EMAIL before public deployment.

Receipt first. Close second.

Safety is a product behavior.

Inspect the demo receipt, lifecycle, and limitations before relying on closure.