CLOSED MESH
Per-process firewall. Sandboxed apps.
Every byte leaving Aether is mediated by the main process. Sandboxed apps have no raw network capability. Egress is logged.
space-os · Security
Open chain. Closed mesh.
Two trust zones, drawn deliberately. The public chain is open to anyone. Your personal mesh — desktop, mobile, inference, paired peers — is closed to outside integrations. The boundary is enforced in the runtime, not just policy.
01 · Boundary
Open chain. Closed mesh.
space-os has two distinct trust zones. The public chain is permissionless — anyone deploys contracts, anyone runs nodes, anyone audits traffic. The personal mesh — your Aether desktop, paired phone, inference calls, Hyperworld surface — is closed. Only your paired devices speak to each other. Only sandboxed apps run inside. The boundary is enforced in the runtime, not just policy.
- Public chain — open, permissionless, auditable
- Personal mesh — paired devices only, no outside integrations
- Apps in the Desktop App come from us; widgets and nodelets come from anyone
- Boundary enforced in the runtime, not just policy
02 · Desktop firewall
Every byte leaving Aether is accounted for.
Aether ships with a per-process network firewall inside the desktop runtime. Every outbound request — from the agent, from a sandboxed app, from a skill — is mediated by the main process. Sandboxed apps have no direct network capability; they call host tools that round-trip through signed-fetch with your keys. Egress is logged; surprising destinations surface in Settings.
- Per-process egress monitoring inside the runtime
- Sandboxed apps have no raw network capability
- All outbound calls go through main → signed-fetch with your keys
- Egress log surfaces unexpected destinations
- Allowlist-by-default; deny-on-anomaly
03 · Rollover timelock
If something looks off, we lock the keys.
A rollover timelock guards anything that touches keys or balances. After an inactivity threshold or on detected anomaly — sudden transaction volume, unusual destinations, unexpected device — signing capability auto-suspends. Re-authentication is required to resume. Policy changes themselves are timelocked: any new rule waits the rollover window before it takes effect, so no single device can silently relax security.
- Inactivity timer auto-suspends signing capability
- Anomaly detector trips on tx volume, destinations, new devices
- Re-auth required to resume — passphrase or hardware key
- Policy changes are themselves timelocked
- Visa Stamps revocable per-app, per-device, instantly
04 · Mesh monitoring
The WireGuard mesh is paired peers, monitored.
Paired devices run a WireGuard mesh. Tunnels come up on demand and register with relays. Peer-RPC calls between devices are allowlisted per-tool — your phone can request a search via your desktop's residential IP only because you granted that capability. We monitor relay traffic for abuse patterns: unusual peer counts, replay attempts, tunnel churn. Outside devices cannot route into the mesh — there is no public ingress.
- WireGuard tunnels with automatic relay registration
- Per-device, per-tool peer-RPC allowlists
- Bandwidth, packet stats, peer health visible in Settings
- Relay traffic monitored for abuse patterns
- No public ingress — outside devices cannot route in
05 · Inference sandbox
Model providers see prompts. They don't see you.
Inference calls — local or routed through SpaceRouter — are isolated from the mesh. Providers receive prompt payloads and return tokens; they cannot call back into the mesh, cannot enumerate paired devices, cannot read memory or wallet state. Provider receipts are signed for billing only. The capability manifest a provider node advertises is the contract — anything outside it is rejected at the relay.
- Provider nodes receive prompts only — no mesh access
- No outbound callbacks from inference into your devices
- Signed billing receipts; nothing else returned
- Capability manifests gate what work a provider can take
- API keys are scoped, rotatable, and revocable from Aether
06 · Apps vs widgets
Apps come from us. Widgets come from anyone.
The Desktop App runs apps from the App Store — first-party only. We publish, we sign, we audit. Widgets and nodelets are the open layer: anyone can author, publish and install one, but they run with sharply reduced capability — no raw fetch, no chain calls, no peer-RPC unless explicitly granted. Per-skill security taints follow data through the runtime; the registry search is remote and inspectable.
- Apps — only published by us, signed and audited
- Widgets & nodelets — open layer, anyone can publish
- Widgets run sandboxed: no raw fetch, no chain, no peer-RPC
- Per-skill security taints follow data through the runtime
- Remote registry search — every widget inspectable before install
07 · Public chain
Permissionless. Auditable. Open spec.
The chain is the opposite of the mesh. Anyone deploys contracts to the embedded EVM. Anyone runs validators, providers or relays under the Open Node Protocol. Anyone audits the explorer. The threat model on-chain is "code is law" — the same as Ethereum. Funds and identity are protected by your keys, held in KIS in a separate trust domain. Compromise of any one network service can't move funds without crossing the trust boundary.
- Permissionless contracts — anyone deploys to the EVM
- Permissionless nodes — Open Node Protocol is the spec
- KIS holds keys in a separate trust domain
- Three-wallet model — connected · proxy · native
- Public block explorer for every transaction
08 · Key custody
Keys live in KIS. Region follows you.
Wallet keys are held in KIS — the Key Issuing Service — a Rust process on a separate trust domain. Keys never appear in the app API, in logs, or in backups outside KIS itself. The four-mode model maps to where the key actually lives: Mode 0 (one central pod), Mode 1 (regional pods in your jurisdiction — EU or US — for MiCA / GDPR data residency), Mode 2 (your Aether desktop, Phase 2), Mode 3 (threshold / MPC, Phase 3). Mode 1 has no cross-region failover by policy — residency takes precedence over availability. When you change jurisdictions, an X25519 + ChaCha20Poly1305 cryptographic ceremony moves the key between regional pods without the relay ever seeing cleartext.
- Four custody modes — central → regional → user-hosted → threshold
- Mode 1 regional pods in EU + US — keys stay in jurisdiction
- Cross-region migration ceremony — encrypted envelope, relay can't decrypt
- Mode 2 user-hosted — Aether desktop sidecar; keys never cross to our servers
- Sovereign-to-sovereign device migration (Phase 2.5) — both endpoints user-controlled
- Counsel-notification audit hook — paper trail for above-threshold custody changes
- No cross-region failover — residency over availability, by design
- Proxy-contract pattern (Safe + AllowanceModule) for delegated signing
Threat model
Two zones. One identity. Your keys, your call.
The chain is public on purpose. Your mesh is closed on purpose. Anything that crosses the line — a sandboxed app asking for the network, an inference provider asking for a callback, a new device asking to join — must clear the boundary first.