Security
Security is the foundation of sovereignty. At LucaOS Inc., we treat security not as a feature, but as a core architectural constraint.
1. Reporting Vulnerabilities
If you believe you have found a security vulnerability in Luca OS, please report it to us through our secure disclosure program.
- Email: security@lucaos.space
- PGP Key: Download Public Key (Fingerprint: 8F3A ... 92B1)
We permit security researchers to test Luca OS, provided they act in good faith and avoid causing harm to other users.
2. Encryption Standards
We use modern, authenticated encryption for all sensitive data.
2.1. Data in Transit
All network traffic uses TLS 1.3, whose ephemeral key exchange gives every session forward secrecy. For critical domains we additionally pin certificates: a connection is rejected if the server presents anything other than the pinned certificate, even one issued by a CA the system otherwise trusts, which closes the interception path that a mis-issued or attacker-controlled CA certificate would open.
2.2. Data at Rest
Locally stored vectors and databases are encrypted with XChaCha20-Poly1305, an authenticated cipher whose 192-bit nonce is large enough to be chosen at random for every record without risk of reuse. Keys are derived from your system's hardware root of trust (the Secure Enclave on Apple silicon and T2 Macs, TPM 2.0 on Windows), so a copy of the encrypted files taken off the device cannot be decrypted elsewhere.
3. Secure Enclave Integration
Luca OS integrates with the hardware-backed key stores that modern devices provide.
- Biometric Auth: Touch ID and Windows Hello can be required before Luca OS performs a privileged operation.
- Key Storage: API keys for third-party providers are never stored in plain text. They are wrapped by keys that reside solely in the Secure Enclave (or the TPM on Windows), so only that hardware can unwrap them.
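The following is an added example, not Luca OS code, that shows the two mechanisms described under Data at Rest and Key Storage in working form: an XChaCha20-Poly1305 implementation (RFC 8439 ChaCha20 and Poly1305 plus the HChaCha20 subkey step from draft-irtf-cfrg-xchacha) whose 24-byte nonce can be drawn at random per secret, and a wrapping key that callers can only use through wrap and unwrap, never read. `SimulatedEnclaveKey`, the `provider:openai` label and the sample API key are assumptions standing in for a real Secure Enclave or TPM binding; the cipher itself is the standard construction.

```python
"""Added example: XChaCha20-Poly1305 in pure Python, used to wrap an API key under a
key held by a simulated hardware-resident store. Illustrative code, not Luca OS source."""
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def _twenty_rounds(state):
    """In place: 10 double rounds (a column round followed by a diagonal round)."""
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(state, a, b, c, d)

def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: 64 keystream bytes for (32-byte key, counter, 96-bit nonce)."""
    init = [*SIGMA, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    state = init[:]
    _twenty_rounds(state)
    return struct.pack("<16I", *((s + i) & MASK32 for s, i in zip(state, init)))

def hchacha20(key, nonce16):
    """HChaCha20: 32-byte subkey from key and the first 16 nonce bytes (no final addition)."""
    state = [*SIGMA, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)]
    _twenty_rounds(state)
    return struct.pack("<8I", *(state[:4] + state[12:]))

def _chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305_mac(otk, msg):
    """RFC 8439 section 2.5: one-time 32-byte key (r || s) -> 16-byte tag."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended before use
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b"\x00" * (-len(b) % 16)

def _setup(key, nonce24):
    # XChaCha20: subkey = HChaCha20(key, nonce[:16]); ChaCha20 nonce = 4 zero bytes || nonce[16:]
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    otk = chacha20_block(subkey, 0, nonce12)[:32]  # Poly1305 one-time key from counter 0
    return subkey, nonce12, otk

def _tag(otk, aad, ct):
    return poly1305_mac(otk, aad + _pad16(aad) + ct + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)))

def xchacha20poly1305_encrypt(key, nonce24, plaintext, aad=b""):
    subkey, nonce12, otk = _setup(key, nonce24)
    ct = _chacha20_xor(subkey, 1, nonce12, plaintext)
    return ct + _tag(otk, aad, ct)

def xchacha20poly1305_decrypt(key, nonce24, ct_tag, aad=b""):
    subkey, nonce12, otk = _setup(key, nonce24)
    ct, tag = ct_tag[:-16], ct_tag[-16:]
    if not hmac.compare_digest(_tag(otk, aad, ct), tag):  # verify before releasing plaintext
        raise ValueError("authentication failed")
    return _chacha20_xor(subkey, 1, nonce12, ct)

class SimulatedEnclaveKey:
    """Assumed stand-in for a Secure Enclave / TPM-resident wrapping key (not a real enclave
    API): callers get wrap and unwrap operations but never the key material itself."""
    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, secret, label):
        # 192-bit nonces make a random nonce per secret safe; the label travels as AAD so a
        # blob wrapped for one slot cannot be silently swapped into another.
        nonce = os.urandom(24)
        return nonce + xchacha20poly1305_encrypt(self._kek, nonce, secret, aad=label)

    def unwrap(self, blob, label):
        return xchacha20poly1305_decrypt(self._kek, blob[:24], blob[24:], aad=label)

if __name__ == "__main__":
    enclave = SimulatedEnclaveKey()
    blob = enclave.wrap(b"sk-constructed-sample-key", b"provider:openai")  # constructed sample
    assert enclave.unwrap(blob, b"provider:openai") == b"sk-constructed-sample-key"
    print("wrapped blob:", blob.hex())
```

The stored blob is nonce || ciphertext || tag; only the wrapping key, which in the real design lives in the Secure Enclave or TPM, can turn it back into the API key, and any change to the blob or its label fails the tag check before a single plaintext byte is released.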
4. Supply Chain Security
We verify the integrity of every byte of code we ship.
- Signed Binaries: All Luca OS binaries are code-signed with extended validation certificates.
- Reproducible Builds: We strive for deterministic builds for our core open-source components, allowing the community to verify that the released binary matches the source code.
- SBOM: We publish a Software Bill of Materials (SBOM) with every release to ensure transparency of dependencies.