Skip to content

Security, Privacy & IPC

Ekrem EDALI edited this page May 20, 2026 · 2 revisions

Because KoBar requires access to your clipboard, screen (for screenshots), and system media, security and privacy are our top priorities. We believe that a desktop utility should empower you without compromising your data.


πŸ”’ Privacy & Local-First Storage

KoBar is a local-first application.

  • No Cloud Syncing: Your notes, clipboard history, to-do lists, and configuration settings are stored entirely on your local machine using electron-store.
  • API Keys: If you use the AI Hub, your API keys (OpenAI, Gemini, Anthropic) are saved securely on your local disk. KoBar never transmits your API keys or chat logs to any server other than the direct provider you are communicating with.
  • Offline Capable: Almost all of KoBar's features (except for the AI Hub and Calendar syncing) work completely offline.

πŸ›‘ Electron Security Architecture

KoBar adheres to the strict security guidelines recommended by the Electron framework.

Strict Context Isolation

The React frontend (Renderer Process) operates in a completely isolated sandbox.

  • nodeIntegration: false
  • contextIsolation: true This means that even if a malicious script were somehow executed in the React frontend, it would have zero access to your file system or operating system.

No @electron/remote

The deprecated and insecure @electron/remote module is strictly forbidden in the KoBar codebase.


πŸŒ‰ The IPC Bridge (ContextBridge)

Because the frontend is isolated, it cannot execute OS-level commands (like reading the clipboard or taking a screenshot) directly. Instead, it must ask the Main Process to do it on its behalf.

This is achieved using a strongly-typed Inter-Process Communication (IPC) bridge:

  1. Preload Script (preload.cts): We use contextBridge.exposeInMainWorld to expose a specific object called window.api to the frontend.
  2. Whitelisted Functions: We do not expose the entire ipcRenderer. Only specific, carefully audited functions are exposed. For example:
    • window.api.getClipboard()
    • window.api.takeScreenshot()
  3. Validation: When the Main Process receives a request via ipcMain.handle, it validates the payload before executing the OS-level command.

By enforcing this strict bridge, KoBar ensures that the frontend can only perform actions that the backend explicitly allows.


Thank you for exploring the KoBar Wiki! If you have any further questions or want to contribute, feel free to open an issue or pull request on our GitHub Repository.

Clone this wiki locally