Security white paper

Sovereign Privacy Architecture

PokoPod is a local-first desktop vault and browser companion for masked identities, agreement capture, and user-controlled data access. This paper summarizes the design posture and the hardening work that matters.

Version 1.0: Public website summary
Build 2.0.4: Current referenced desktop build
2026: Security policy reviewed April 24

Executive summary

Local control before platform convenience.

Most consumer apps centralize identity, behavior, and transaction history in service-owned databases. PokoPod inverts that model. The user maintains a Local Pod on their device, and the application treats the pod as the primary authority for profile data, masked identities, captured agreements, safety summaries, and site-specific rules.

Product scope

Local Vault

Stores profile details, masks, notes, files, site rules, agreement summaries, activity events, and vault state.

Browser Extension

Detects legal links and sign-up or purchase moments, requests masked identities, and sends relevant context to the local bridge.

Local Bridge

Connects the desktop app and extension over the local machine, keeping the Local Pod as the source of truth.

Core security principles

  1. Local-first ownership: the user’s device is the default home for sensitive vault data.
  2. Zero-knowledge intent: PokoPod is designed so Poko Labs cannot browse or read vault contents.
  3. Data minimization: bridge and relay flows should use the least metadata needed to complete the task.
  4. Permissioned access: provider queries should require explicit user authorization.
  5. Readable accountability: alerts, summaries, grades, and receipts should be explainable to non-technical users.
  6. Recoverability without custody: users need recovery workflows, but Poko Labs should not hold a master key.

Current protection model

Vault data: Identity records are stored in a local encrypted SQLite/SQLCipher vault.
Key handling: The SQLCipher key is generated from OS randomness and wrapped with Windows CNG.
Recovery: Recovery material uses Argon2-derived encryption, AES-256-GCM-SIV, salts, nonces, and a Windows Vault Guard wrapping layer.
Bridge: The local relay binds to 127.0.0.1 by default and can require a local auth header for sensitive routes.
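The bridge posture described above (loopback-only binding, a local auth header required on sensitive routes, and the roadmap item of requiring it on every state-changing route) is illustrated below with an added example. It is not PokoPod's own code: the route names, the header name X-Pokopod-Local-Auth, the hex token format and the constructed request samples are assumptions made for this illustration. Only the Python standard library is used.

```python
import hmac
import ipaddress
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed for this example: methods that change vault state, and read routes
# whose contents are sensitive enough to require the local auth header even on GET.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SENSITIVE_ROUTES = {"/masks", "/agreements", "/rules"}
AUTH_HEADER = "X-Pokopod-Local-Auth"  # hypothetical header name


def generate_bridge_token() -> str:
    """Per-session token drawn from OS randomness (secrets uses os.urandom).

    The desktop app hands this to the extension over the local machine; the
    bridge never accepts a route without it when the route is sensitive.
    """
    return secrets.token_hex(32)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; rejects hostnames and non-loopback IPs."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def authorize(method: str, path: str, headers, expected_token: str, peer_host: str):
    """Decide whether a bridge request may proceed.

    Returns (allowed, http_status, reason). Peer must be loopback; every
    state-changing method and every sensitive route must carry the auth header,
    compared in constant time so the token cannot be guessed byte by byte.
    """
    if not is_loopback(peer_host):
        return (False, 403, "non-loopback peer")
    lowered = {k.lower(): v for k, v in headers.items()}
    if method.upper() in STATE_CHANGING_METHODS or path in SENSITIVE_ROUTES:
        presented = lowered.get(AUTH_HEADER.lower(), "")
        if not presented or not hmac.compare_digest(presented, expected_token):
            return (False, 401, "missing or invalid local auth header")
    return (True, 200, "ok")


class BridgeHandler(BaseHTTPRequestHandler):
    """Minimal relay handler that applies authorize() to every request."""
    token = ""  # set by make_bridge_server()

    def _dispatch(self):
        allowed, status, reason = authorize(
            self.command, self.path, self.headers, self.token, self.client_address[0]
        )
        body = reason.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _dispatch


def make_bridge_server(token: str, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Bind the relay; refuse any bind address that is not loopback."""
    if not is_loopback(host):
        raise ValueError(f"bridge must bind to a loopback address, got {host!r}")
    BridgeHandler.token = token
    return HTTPServer((host, port), BridgeHandler)


if __name__ == "__main__":
    session_token = generate_bridge_token()
    server = make_bridge_server(session_token)
    print(f"bridge listening on {server.server_address}; token {session_token[:8]}...")
    server.serve_forever()
```

The point a reviewer should check in a real bridge is the same as in `authorize()`: the decision must run before any route handler touches the vault, the comparison must be constant-time, and binding to 0.0.0.0 must be impossible by construction rather than merely discouraged.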

Threat model themes

PokoPod focuses on reducing exposure from centralized data collection, hidden contractual terms, broad service-provider access, and casual leakage of private identity details. Local malware, compromised device accounts, weak operating-system security, and recovery-material mishandling remain important risks outside any app’s complete control.

Known hardening roadmap

  • Enable a strict Tauri Content Security Policy for release builds.
  • Reduce filesystem allowlists to the smallest required scope.
  • Disable internal admin-auth bypasses before production use.
  • Require stronger local bridge auth for state-changing routes.
  • Narrow extension content-script matches where possible.
  • Add Rust advisory scanning and a release security checklist.
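The first two roadmap items (a strict Tauri Content Security Policy and a minimal filesystem allowlist) are shown below as an added configuration example, not a fragment of PokoPod's own tauri.conf.json. It assumes the Tauri 1.x configuration schema; the bridge port wildcard, the $APPDATA/pokopod path and the enabled fs operations are placeholders chosen for the illustration.

```json
{
  "tauri": {
    "security": {
      "csp": "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self' http://127.0.0.1:*; object-src 'none'; frame-ancestors 'none'"
    },
    "allowlist": {
      "all": false,
      "fs": {
        "all": false,
        "readFile": true,
        "writeFile": true,
        "scope": ["$APPDATA/pokopod/**"]
      }
    }
  }
}
```

A release checklist can verify this mechanically: the csp value must not be null, script-src must not contain 'unsafe-inline' or 'unsafe-eval', connect-src must list only loopback origins, allowlist.all must be false, and every fs scope entry must sit under the app's own data directory rather than a wildcard such as "**".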

Customer guidance

Install PokoPod only from trusted distribution channels, keep Windows, WebView2, browsers, and PokoPod updated, protect access to the local Windows account, and never share recovery phrases, private keys, master passwords, or local pod data.