Skip to content

Computer Use Boundary

This is the security-facing summary of the Computer Use safety stack. For the operational and per-action details, see Computer Use: Safety Boundaries.

The five layers

LayerWhat it does
1. macOS Accessibility permissionWithout it, the daemon cannot act on any app at all.
2. Per-app approval gate (UI)First modifying action on a new app surfaces a modal. Allow Once / Always / Deny.
3. Daemon hard blocklist (CUPolicy)Refuses certain bundles (password managers, sensitive utilities) regardless of UI approval.
4. Action shape constraintsSome actions (Calendar write, drag) require additional explicit parameters.
5. Event delivery modelDefault preserveFocus so the daemon does not steal your real cursor / keyboard.

The layers are intentionally redundant. Any one of them failing (e.g. a UI bug that auto-grants approvals, or an exploit that bypasses the gate) does not by itself result in a click landing on a sensitive app.

What the daemon protects

AssetProtection
Other apps' UIApproval gate, hard blocklist
Your real cursor / keyboardpreserveFocus event delivery
Sensitive system toolsHard blocklist
Calendar / Mail / system data writeAction shape constraints (allow_calendar_write=true, etc.)
Action historyPer-profile encrypted action log

What the daemon does not protect

  • A user-approved Always-allow on a permissive app. That's the user's call.
  • macOS Accessibility bugs.
  • A model that's been social-engineered via untrusted content (a screenshot, a tool result) into asking for an action you wouldn't have approved.

For the last item, the per-app gate is the user's chance to catch surprising actions. The action log gives an after-the-fact view.

The role of the action log

Every gated action — granted or denied — lands in the Computer Use Action Log:

  • Timestamp
  • Action type
  • Target bundle ID
  • Approval state
  • Outcome

The log is local, per-profile, encrypted in the same SQLite database as the rest of your data. It is not synced unless you've opted in to the relevant category.

Use the log to:

  • Spot patterns ("the agent has been clicking around in Mail a lot lately — was that all me?").
  • Audit specific incidents.
  • Export for compliance review.

Bypass surfaces (controlled)

A few mechanisms exist that look like they bypass the gate but are bounded:

MechanismBound
Read-only actions skip the gateThey cannot modify state — only read AX trees and capture screenshots
Already-approved (Always) apps skip the per-action promptLimited to the approved action category
dry_run flag on Calendar / Mail composePerforms validation only; no side effect; still logged
force flag on certain advanced actionsNot exposed in default skills; would require explicit code in a custom skill

Each is a calibrated trade-off between safety and friction. None grants blanket bypass.

What changes when you enable Strict Approval

Settings → Computer Use → Strict Approval changes Allow Always to Allow Once. Every modifying action re-prompts. The blocklist, action shape constraints, and event delivery model are unchanged. The action log records the per-action approvals.

Threat model

  • Approved apps drift over time — you allowed Always last month, but the agent's behaviour has since evolved. The action log lets you re-examine; revoke in Settings if needed.
  • Compromised model asking for action. Mitigated by the per-app gate (you see what's being attempted) and the hard blocklist (you can't approve into a password manager even if you wanted to via the UI).
  • Compromised local desktop process. With both the gate code and the daemon code subverted, this stack does not protect you. That is a much stronger threat than what's covered here.