Security
Security Configuration Guide
Synced from github.com/CoWork-OS/CoWork-OS/docs
This guide covers how to configure security settings in CoWork OS.
Channel Security Modes
Pairing Mode (Recommended)
Pairing mode requires users to enter a code to connect:
- Go to Settings > Channels > [Your Channel]
- Set Security Mode to "Pairing"
- Click Generate Pairing Code
- Share the 6-character code with the user
- User sends the code as a message to pair
Configuration:
Security Mode: Pairing
Pairing Code TTL: 300 seconds (default)
Max Pairing Attempts: 5 (default)
Allowlist Mode
Allowlist mode pre-approves specific users:
- Go to Settings > Channels > [Your Channel]
- Set Security Mode to "Allowlist"
- Add user IDs to the Allowed Users list
Finding User IDs:
- Telegram: Use @userinfobot
- Discord: Enable Developer Mode, right-click user
- Slack: User profile > More > Copy member ID
Open Mode (Use Carefully)
Open mode allows anyone to interact:
- Go to Settings > Channels > [Your Channel]
- Set Security Mode to "Open"
When to use:
- Private channels only you can access
- Testing environments
- Controlled internal deployments
Context Policies
Per-Context Security
Configure different settings for DMs vs groups:
- Go to Settings > Channels > [Your Channel] > Context Policies
- Select the Direct Messages or Group Chats tab
- Configure:
- Security mode per context
- Tool restrictions per context
Recommended Configuration:
| Context | Security Mode | Tool Restrictions |
|---|---|---|
| DMs | Pairing | None |
| Groups | Pairing | Memory tools (clipboard) |
Tool Restrictions
Restrict tool groups per context:
| Tool Group | Description | Default in Groups |
|---|---|---|
| Memory Tools | Clipboard read/write | Denied |
| System Tools | Screenshot, app launch | Allowed |
| Network Tools | Browser, web access | Allowed |
| Destructive Tools | Delete, shell commands | Allowed (with approval) |
Channel Specialization Policy
For shared gateway spaces, channel specialization adds a routing and policy layer on top of context policies:
- Go to Settings > Channels > [Your Channel] > Channel Specialization
- Choose a whole-channel default, a specific chat/group, or a topic/thread ID when the channel supports it
- Select the workspace and agent role for new tasks from that scope
- Add prompt guidance only when it should apply to every new task from that scope
- Apply tool restrictions for broad or semi-trusted groups
- Enable shared context memory only when the participants and workflow are trusted
Specialization tool restrictions merge with context-policy restrictions using deny-first behavior. A channel specialization must not contain provider tokens, bot credentials, or connector secrets.
Workspace Permissions
Basic Permissions
Configure per workspace in Settings > Workspaces. These booleans are coarse capability gates; the permission engine still evaluates explicit rules, guardrails, and mode defaults.
| Permission | Description | Default |
|---|---|---|
| Read | Read files | Yes |
| Write | Create/modify files | Yes |
| Delete | Delete files (usually approval-gated, unless a matching rule allows it) | No |
| Shell | Run shell commands (usually approval-gated, unless a matching rule allows it) | No |
| Network | Allow network-capable tools to run at all. Export-sensitive requests may still prompt, and domain guardrails/rules may still block specific destinations. | Yes |
Allowed Paths
Add paths outside workspace that tools can access:
- Go to Settings > Workspaces > [Your Workspace]
- Click Add Allowed Path
- Enter the path (e.g.,
/Users/me/shared)
Unrestricted Mode
Enable broader file access for development:
- Go to Settings > Workspaces > [Your Workspace]
- Toggle Unrestricted File Access
Warning: Only use in trusted environments.
Permission Rules
For explicit tool, domain, path, command-prefix, and MCP-server rules:
- Open Settings > System & Security
- Set the default permission mode if needed
- Add profile rules for global policy
- Use the workspace-local rule list to review or remove rules for the active workspace
Available rule scopes:
| Scope | What it matches | Typical use |
|---|---|---|
tool | One tool name | Always ask or always allow a specific tool |
domain | A destination hostname, optionally for one tool | Allow web_fetch or http_request only for api.example.com |
path | Absolute path prefix, optionally for one tool | Allow a tool only under a shared folder |
command_prefix | Normalized shell prefix | Auto-approve trusted read/test commands |
mcp_server | One MCP backend | Narrow access to a specific connector/server |
Common mode choices:
default- safe reads auto-run; writes, deletes, shell, data export, and external effects promptdangerous_only- recommended when you want fewer interruptions without fully disabling review; safe reads/edits and conservative read/test shell commands auto-run, while risky or ambiguous actions still promptdont_ask/bypass_permissions- high-autonomy modes for trusted environments only, but export-sensitive actions still require explicit approval
Workspace-local rules are stored in SQLite and mirrored to .cowork/policy/permissions.json.
Removing a workspace rule updates both storage locations when possible.
Export-Sensitive Operations
The permission engine now distinguishes ordinary network reads from outbound data export.
web_fetchis a normal network readhttp_requeststays a normal network read only for simpleGETorHEADrequests with no body and no custom headers- mutating or payload-carrying
http_requestcalls are treated asdata_export analyze_imageandread_pdf_visualare also treated asdata_exportbecause file bytes leave the local machineparse_documentis the local PDF/document text extraction path. Uploaded PDF excerpts and parser output are untrusted document data, but ordinary PDF reading does not leave the local machine unless a later export-capable tool is used.
This means:
- enabling workspace
Networkdoes not automatically suppress approval for these export paths dont_askandbypass_permissionsstill pause ondata_export- the session-level "Approve all" shortcut does not auto-approve export either
Practical examples:
- use a
domainallow rule forhttp_requestif a workspace should talk only toapi.example.com - keep
web_fetchopen to a docs domain while still requiring approval for raw API posts - expect imports, drag-and-drop files, and channel attachments to show up as untrusted sources in later export prompts
Sandbox Configuration
Sandbox Type
Choose your sandbox implementation:
| Type | Platforms | Features |
|---|---|---|
| Auto | All | Best available for platform |
| macOS | macOS only | Native sandbox-exec |
| Docker | All | Container isolation |
| None | All | No isolation (not recommended) |
Docker Configuration
If using Docker sandbox:
Image: node:20-alpine (default)
CPU Limit: 1 core (default)
Memory Limit: 512m (default)
Network Mode: none (default) or bridge
Prerequisites:
- Docker must be installed and running
- User must have permission to create containers
Guardrails
Command Blocking
Built-in blocked patterns:
sudo- Privilege escalationrm -rf /- Destructive deletionscurl | bash- Remote code execution
Add custom blocked patterns:
- Go to Settings > Guardrails
- Add patterns to Custom Blocked Patterns
Trusted Commands
Trusted commands feed the permission engine as compatibility rules:
- Go to Settings > Guardrails
- Enable Auto-approve Trusted Commands
- Default includes: npm/yarn test, git status, ls, etc.
The final decision still comes from the permission engine, so a trusted command can be overridden by an explicit deny rule or a higher-priority hard restriction.
Budget Limits
Set limits per task:
- Max Tokens: Limit API token usage
- Max Cost: Limit spending per task
- Max Iterations: Limit planning loops
Rate Limiting
Rate limits are automatic and not configurable:
| Operation | Limit |
|---|---|
| Expensive (LLM, search) | 10/minute |
| Standard | 60/minute |
| Settings changes | 5/minute |
Audit Logging
All messages and actions are logged automatically:
- Location:
~/Library/Application Support/cowork-os/ - Database:
cowork-os.db - Tables:
audit_log,channel_messages
Verification Checklist
After configuration, verify:
- Pairing mode enabled for external channels
- Context policies configured for groups
- Channel specializations reviewed for shared groups, channels, and threads
- Shared-memory opt-in enabled only for trusted specialized groups
- Workspace permissions appropriate
- Guardrails configured
- Permission rules reviewed
- Sandbox type selected
- Test with a pairing code