osaurus

The project demonstrates strong security practices for user data and application integrity. API keys for remote providers are securely stored in the macOS Keychain. The plugin system incorporates explicit permission policies (e.g., 'ask', 'auto', 'deny') for tools, including granular macOS system permissions (Automation, Accessibility, Full Disk Access), giving users control over tool capabilities. All distributed plugins (dylibs) are required to be code-signed with a Developer ID Application certificate. The server runs locally by default and network exposure is a configurable user option. No obvious malicious patterns like obfuscation or direct `eval` usage are found in the core application logic. CI/CD scripts handle sensitive environment variables (e.g., GitHub tokens, Apple certificates) for release processes, which is standard but relies on the security of the CI environment itself.