06 / DEPLOYMENT & SECURITY

Security & Deployment Modes

Configure deployment options for the Omera 3.6 engine. Manage sandboxed file parameters, credential file storage, and network access.


Deployment Modes

Omera operates under three distinct deployment models to fit different enterprise privacy policies and development workflows:

1. Local Mode (Offline-first / BYOK)

  • Description: All code stays local to your environment. Requests are sent directly to the local or cloud AI models you supply keys for, bypassing Omera's backend.
  • Configuration: Add keys inside .omera/ai_providers.yaml. Local models (e.g. Ollama) can run fully offline.

2. BYOK Mode (Bring Your Own Key)

  • Description: Run workloads via Omera's routing engine using your corporate API credentials.
  • Configuration: Third-party model namespaces are redacted and mapped to Omera 3.6 labels in all public outputs and CLI logs.

3. Account Mode (Managed Service)

  • Description: Entitlements, authentication sessions, and quota allowances are completely managed by Omera's cloud infrastructure.
  • Configuration: Requires execution of omera login browser confirmation code loops to write credentials.

Sandbox Safeguards

To protect target files, compile stages, and system parameters, Omera implements strict sandbox constraints:

  • Workspace Encapsulation: AI commands can only read or edit files located inside the active project directory.
  • Symlink Validation: Omera verifies realpaths before opening files. Symbolic links pointing to files outside the workspace are blocked to prevent directory traversal attacks.
  • Tool Execution Restriction: Local CLI subprocesses can only run pre-approved system tools (such as PlatformIO compilation, pyOCD flashers, and Renode simulators).

Credential Storage Security

Local authorization files are protected to prevent token theft:

  • CLI Credentials: Saved in ~/.config/omera/credentials.json. File access permissions are restricted using 0600 flags (Read/Write only for the current owner).
  • Extension Credentials: Handled natively by VS Code's SecretStorage system, storing authorization keys securely inside the OS Keychain or Credential Manager.