# Trust & Security

<h2 align="center"><strong>Do not trust. <code>Verify</code>.</strong></h2>

<p align="center"><a href="https://github.com/Moni-Labs/Moni-Extension" class="button primary" data-icon="github">GitHub</a> <a href="https://deepwiki.com/Moni-Labs/Moni-Extension" class="button primary" data-icon="wikipedia-w">DeepWiki</a></p>

{% hint style="info" %}
**You can feed the GitHub docs to any AI model to verify our security yourself. You can also chat with the codebase on DeepWiki** :blush:
{% endhint %}

### Core Security Principles

{% columns %}
{% column %}
{% hint style="success" icon="unlock-keyhole" %}

#### **Open Source**

The code running in your browser is publicly available. You can review it, audit it, and verify how the extension works.
{% endhint %}

{% hint style="success" icon="chrome" %}

#### **Verified Distribution**

The extension is reviewed and distributed via the Chrome Web Store. Every permission is explicit and transparent.
{% endhint %}

{% endcolumn %}

{% column %}
{% hint style="success" icon="file-check" %}

#### **Self-Custodial**

Your keys remain yours. Private keys never leave your wallet and are never accessible by the extension or our servers.
{% endhint %}

{% hint style="success" icon="key" %}

#### **Zero Key Access**

We do not store private keys, seed phrases, or sensitive credentials. No clipboard access, no hidden data collection.
{% endhint %}

{% endcolumn %}
{% endcolumns %}

{% hint style="success" icon="shapes" %}

#### **Trusted Infrastructure**

All transaction signing is handled through audited providers such as Turnkey. Your keys remain fully under your control.
{% endhint %}

### Browser Permissions

| Permission       | What This Allows                                                     | What This Does Not Allow                                                                            |
| ---------------- | -------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
| `storage`        | Lets the extension read and write to its own isolated storage space. | Does not give access to cookies, localStorage, or storage used by other extensions.                 |
| `sidePanel`      | Allows us to show the side panel UI inside the browser.              | Does not allow reading page content or interacting with other extensions’ panels.                   |
| `identity`       | Lets the extension start OAuth flows when authentication is needed.  | Does not provide access to the user’s Google account data or Google services.                       |
| `webNavigation`  | Lets us listen to navigation events for specific tabs we work with.  | Does not allow reading page content, modifying requests, or tracking full browsing history.         |
| `system.display` | Allows querying display configuration to adjust UI behavior.         | Does not allow screen capture or reading positions of other applications’ windows.                  |
| `tabs`           | Lets the extension check tab state and send messages to a tab.       | Does not grant permission to read page content without host permissions or inject scripts anywhere. |

## Client Architecture

We designed the extension so that almost all logic runs directly on the client side. This keeps data local to the user's browser and minimizes whatever needs to reach our servers. We follow Manifest V3 and rely only on vetted, well-maintained third-party libraries.

For every release, we publish the full build bundle and the exact package that goes to the Chrome Web Store. We also provide clear instructions so anyone can reproduce the build from the source tree and compare the results.

Each tagged release includes a checksum. Auditors can verify that the checksum of the published bundle matches the one listed in the release notes and confirm that the bundle's contents match the source code.
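The audit described above, together with a check of the package's manifest against the Browser Permissions table, as an added example (not code from the Moni repository). It assumes the checksum is SHA-256, that the package is a zip with `manifest.json` at its root, and uses constructed sample archives; `audit`, `entry_digests` and `make_zip` are hypothetical names.

```python
import hashlib
import io
import json
import zipfile

# Permissions listed in the Browser Permissions table on this page.
DOCUMENTED = {"storage", "sidePanel", "identity", "webNavigation", "system.display", "tabs"}

def bundle_digest(data: bytes) -> str:
    """SHA-256 of the whole archive (the hash algorithm is an assumption)."""
    return hashlib.sha256(data).hexdigest()

def entry_digests(data: bytes) -> dict:
    """Hash every file in the archive; zip metadata such as timestamps is ignored."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def audit(published: bytes, rebuilt: bytes, release_checksum: str) -> dict:
    """Compare the published package with the release checksum and a local rebuild."""
    pub, mine = entry_digests(published), entry_digests(rebuilt)
    with zipfile.ZipFile(io.BytesIO(published)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return {
        "checksum_ok": bundle_digest(published) == release_checksum.strip().lower(),
        "differing_files": sorted(n for n in pub.keys() | mine.keys() if pub.get(n) != mine.get(n)),
        "undocumented_permissions": sorted(declared - DOCUMENTED),
    }

def make_zip(files: dict, stamp: tuple) -> bytes:
    """Build a constructed sample archive in memory with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in sorted(files.items()):
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), body)
    return buf.getvalue()

# Constructed sample data, not the real extension's files.
MANIFEST = {"manifest_version": 3, "name": "sample", "version": "0.0.0",
            "permissions": sorted(DOCUMENTED)}
FILES = {"manifest.json": json.dumps(MANIFEST), "background.js": "// sample worker\n"}

if __name__ == "__main__":
    store = make_zip(FILES, (2024, 1, 1, 0, 0, 0))
    local = make_zip(FILES, (2024, 6, 1, 12, 0, 0))   # same files, different build time
    print(audit(store, local, bundle_digest(store)))
    print("archive hashes equal:", bundle_digest(store) == bundle_digest(local))
```

A local rebuild can produce a different archive hash from the published package even when every file is identical, because zip entries carry timestamps; the per-file comparison is what shows whether the contents match.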

## Server-Side Features & Data Handling

On the server side, we keep the architecture simple, strict, and transparent:

* We use role-based access control so only authorized team members can perform staff or admin-level actions.
* We log all privileged operations for full auditability.
* We encrypt all backups and regularly test recovery procedures to ensure reliability.

{% hint style="danger" %}

## What We Never Do

* We never store private keys or seed phrases
* We do not access clipboard data or monitor user input beyond explicit actions
* We do not run background processes such as mining
* We do not collect or transmit full browsing history

{% endhint %}

Only minimal contextual data, such as the current active page, is used when required for specific features.

### Contacts and Feedback

If you have questions, suggestions, or want to report an issue, you can reach out via the Chrome Web Store support channel or directly through the Moni team. [Support & Feedback](/moni/support-and-feedback.md)

