Each CLI token has fine-grained scopes — session:create, sync:push, config:write, etc. Tokens are stored as SHA-256 hashes on the server; the full token is shown only once at creation and cannot be retrieved again. You control exactly what each token can do.

Your vault password is stored in the OS keychain (macOS Keychain, Linux libsecret, Windows Credential Manager) — not in a plaintext config file. Existing plaintext passwords are automatically migrated to the keychain on first run.

ko auth login opens a secure browser flow — you authenticate on the platform, and the CLI receives a scoped token automatically. No passwords are typed into the terminal. The flow includes CSRF state validation and reCAPTCHA bot protection.

Tokens can be created with expiration dates for time-limited access. Revoke any token instantly from the Settings page or via the API. Every token usage is tracked with lastUsedAt timestamps so you can audit activity.

Code snapshots pushed via ko sync push are encrypted on your machine before upload using AES-256-GCM with a key derived from your vault password (scrypt). The platform stores only ciphertext — it cannot read your code. Only you can decrypt it.

When your vault is unlocked, session messages and pipeline configurations are encrypted with your vault key before storage in the database. When your vault is locked, encrypted data is inaccessible — the server returns a “vault locked” response instead of plaintext.

The CLI's file read/write/edit tools are restricted to your project's working directory. Symlink escapes are detected and blocked. Access to sensitive paths like ~/.ssh, ~/.aws, and ~/.gnupg is denied by a hardcoded denylist.

The CLI detects and blocks compound shell commands (pipes, semicolons, backticks, subshells) in tool calls. Dangerous commands always require explicit user approval. Server-side admin commands use execFile (no shell) with strict input validation.

All 34 Knockout API endpoints are rate-limited with tiered limits — 5/min for auth endpoints, 20/min for resource creation, 30/min for mutations, 60/min for reads. In-memory sliding window per IP prevents brute-force and abuse.

Every mutating API request (POST/PUT/DELETE) from the browser is validated against Origin/Referer headers. CLI requests authenticate via Bearer tokens and bypass CSRF (stateless, no cookies). This prevents cross-site request forgery from malicious websites.

All inputs are validated with strict constraints — field lengths, type checks, enum whitelists, regex patterns, and semver format checks. Hostnames, SSH users, and ports are validated with allowlist patterns. No unbounded inputs reach the database.

HSTS (1 year), X-Frame-Options DENY, strict Content-Security-Policy, X-Content-Type-Options nosniff, and strict Referrer-Policy are enforced on every response via Next.js middleware. Frame-ancestors set to none prevents clickjacking.

CLI self-updates are verified with Ed25519 digital signatures. The signing public key is embedded in the binary at build time. If a downloaded update doesn't match its signature, it is rejected — protecting against MITM attacks and tampered binaries.

Skills installed from the marketplace are verified with Ed25519 signatures. Unsigned global skills are blocked unless explicitly trusted by the user. Project-level skills (in your repo) are loaded without signature requirements since they're under your version control.

The CLI's local Web UI WebSocket server binds to 127.0.0.1 only, validates Origin headers, and requires a one-time cryptographic nonce for connection. Malicious websites and local processes cannot connect without the nonce.

SSE connections use one-time stream tickets (30-second TTL, single-use) instead of embedding API tokens in URLs. This prevents token leakage through server access logs, proxy logs, and browser history.