Security Feature — Safe Mode

While Vercel Got Breached,
YourIQ.AI™ Ran Fine

Because we're offline by design. Safe Mode shows exactly what each agent can do — and refuses "allow all" patterns. Always.

What happened to them

The Vercel / Cloud AI Pattern

One employee. One AI assistant. One "allow all" permission dialog. Cloud AI platforms routinely request blanket file access, blanket network access, and blanket API permissions — all bundled into a single checkbox. The employee clicked it.

"The AI said it needed full access to work properly. So I clicked Allow." — Every breach, every time.
How YourIQ.AI works

Per-Action. Per-Agent. Per-Run.

YourIQ.AI runs offline on your machine. Every agent declares its exact permissions before running. Safe Mode intercepts any request for blanket access and forces a line-by-line review. Network calls are blocked at the OS firewall level. No phone home. No "allow all."

Offline by default. Transparent by design. Audited every run.
Safe Mode: OFF
System running without permission enforcement
Toggle Safe Mode ON above to see the permission interception demo.
   
YourIQ.AI — Safe Mode Permission Intercept
Incoming Agent Request
🤖
FileSync Agent v2.1 BLANKET REQUEST DETECTED
Requesting permissions before execution
🔒
Safe Mode has intercepted this agent.
FileSync Agent requested "access all files" — a blanket permission. Safe Mode blocked it and is showing you the exact permissions it wants. You must approve or deny each one.
Requested Permissions
  • BLOCKED
    Read all files — C:\Users\* (recursive) Blanket request denied. Specify an exact path to request read access.
  • PENDING
    Write to C:\Users\bret\YourIQAI\OUTPUT\sync_report.txt Single file write. Approve or deny below.
  • BLOCKED
    Network — POST to external API (agent.filesync.io) Offline Enforcement active. All outbound network calls blocked in Safe Mode.
  • PENDING
    Database read — ghwerkerhy (SELECT on file_index table) Scoped read. Approve or deny below.
✓  2 scoped permissions granted. Blanket file read and network call remain blocked. FileSync Agent will write sync_report.txt and read the file_index table only. All actions logged to encrypted audit file.
✕  All permissions denied. Agent halted. No files were accessed. No data was written. Denial recorded in audit log.
[2026-04-30 14:22:01] AGENT_START FileSync Agent v2.1
[2026-04-30 14:22:01] PERM_REQUEST read:C:\Users\* (blanket) → AUTO-BLOCKED
[2026-04-30 14:22:01] PERM_REQUEST network:POST agent.filesync.io → AUTO-BLOCKED (Offline Mode)
6 Layers of Protection

What Safe Mode Does

Built into every YourIQ.AI plan. No upsell. No setting to "turn it on." Safe Mode is the default.

01 — Permission Visibility
👁

Every Permission, Before It Runs

Every agent lists its exact permission set before a single line executes: read files, write files, network access, database access. No hidden permissions. No surprises after the fact.

Active by default
02 — Deny "Allow All"
🚫

Blanket Access Refused

If an agent requests blanket access to any resource class — all files, all network, all database tables — Safe Mode automatically blocks the request and shows you exactly what was asked for. No exceptions.

Auto-blocks blanket requests
03 — Per-Action Confirmation
📋

You Approve Destructive Actions

Every destructive action — delete, overwrite, send email, POST to API — surfaces a confirmation card. You see the file path, the action, and the agent name. Approve or deny. No batch "do it all."

Confirm before execution
04 — PII Gate (SPEC_03)
👤

SSNs, Cards, Passwords Flagged

SPEC_03 field-level PII detection scans every output before it leaves the agent. Social Security numbers, credit card numbers, and passwords are flagged and shown to you before being written or sent anywhere.

Review before output
05 — Agent Audit Log
📄

Every Run, Encrypted & Logged

Every agent run writes a tamper-evident, DPAPI-encrypted log entry: timestamp, agent name, files accessed, actions taken, data written. You can review the full audit trail any time — locally, offline.

Local encrypted log
06 — Offline Enforcement
🔌

Firewall-Level Network Block

In Safe Mode, all outbound network calls are blocked at the Windows Firewall rule level — not just in software. An agent cannot phone home, exfiltrate data, or reach an external API. The OS enforces it.

OS-level enforcement

Safe Mode Included in Every Plan

You don't unlock Safe Mode at a higher tier. It runs on every machine, every plan, every day — because security shouldn't be a feature you pay extra for.

$20 / month — All features. All agents. Safe Mode on.
Get Started — $20/month