Fit this system to its wearer

Settings

Held in this tab's memory and sent only to api.anthropic.com. It is never stored readable — seal it below to keep it across sessions. Without a key, the manual profile editor and the whole managed-device desk still work — fully offline.

Key at rest — sealed by default

Sarto never writes your key to disk readable. Unsealed, it lives only in this tab's memory and disappears when the tab closes. Sealing stores it as AES-256-GCM ciphertext under a key derived from your passphrase (PBKDF2-SHA-256, 310,000 it. — the same construction that already seals your profile and admin identity here, and Chiave's keyfile); you unlock once per session, and forgetting the passphrase just means re-entering the key. A key saved readable by an earlier Sarto is adopted into memory and removed from disk the moment you seal or edit it.

Billed to your own Anthropic account at your account's rates.

Erase everything

Wipes the API key, settings, the sealed profile, the admin identity, and any installed policy from this browser. There is no server copy to erase.

Privacy — who sees what

Sarto is a static page. There is no Postern server, no account, no telemetry, no analytics. The honest ledger:

Your words → Anthropic (only if you use the configurator agent)

When you describe your profession by voice or text, that text goes from your browser directly to api.anthropic.com under your key — no middleman. Skip the agent and use the switches: then nothing is ever transmitted.

Your voice → your browser's vendor (only while you hold to talk)

Voice input uses the browser's Web Speech API, which in most browsers sends audio to the browser vendor for transcription. Strictly push-to-talk: the mic is on only while you hold the button. Typing is the fully local path.

Your profile — ciphertext in this browser only

Sealed with AES-256-GCM under your passphrase (PBKDF2, 310k it.). localStorage holds only ciphertext + salt. Same shape as the Chiave/vault keyfile.

The managed policy — plaintext on purpose, signed for integrity

The policy is stored readable because the managed person must be able to read it; what protects it is the admin's signature (tamper-evidence), not secrecy. The admin's private key is sealed like the profile.

The managed person's activity → nowhere, ever

Sarto's policy engine collects nothing, logs nothing, transmits nothing. There is no code in this file that records browsing, messages, keystrokes, or app usage — verify it; it is one readable HTML file, and the only network destination anywhere in it is api.anthropic.com.

What we won't claim: if you use the configurator agent, your description of yourself necessarily reaches Anthropic under your own agreement with them. If that description is itself sensitive ("investigating X"), use the manual switches instead — they are equivalent and fully local.

Managed devices — the rules

Device management is legitimate only as transparent policy enforcement on a device the admin legitimately controls. Sarto builds these rules into the mechanism, not the fine print:

An admin of record, cryptographically

Whoever sets limits signs them with a wallet key and is named — label, role (parental / corporate) and key fingerprint — inside the policy itself. Anonymous management does not exist here.

Signed and pinned — tamper-evident both ways

The managed device pins the admin's public key at enrollment and verifies the policy signature on every render. The managed user cannot silently forge or soften the policy; the admin cannot deny having set it.

Transparent, always — no covert mode

A managed device permanently shows who manages it and every active limit, in plain language. There is no hidden state, no stealth install, no "employee monitoring dashboard". Sarto refuses covert capability: a control the subject can't see is surveillance, and surveillance is out of scope by design.

Enforcement, never exfiltration

Controls limit (site categories, app availability, time windows). They do not monitor: no browsing history, no content, no screenshots, no location, no reports to the admin. The policy engine has no transmit path at all.

Honest about its own strength

Client-side controls are advisory — a determined technical user can bypass a browser page. This is the reference for the policy model; real enforcement is Postern OS integration. We say so on the signing screen, in the managed view, and here.

Stand-ins, labeled:

In this demoIn the product
Ed25519 (or ECDSA P-256) via WebCrypto signs the policyHybrid Falcon-1024 ‖ ML-DSA-65 wallet key in the admin's device TEE (Chiave identity)
PBKDF2-SHA-256, 310,000 it. seals profile & admin keyArgon2id (memory-hard) — the postern-core vault KDF
Pinned admin key in localStorageEnrollment record in the OS policy store, attestation-gated (Postern Seal)
Advisory site check on this pageOS network-layer + launcher enforcement; removal without the admin key is factory-reset-visible

Passphrase