Fit this system to its wearer
This device's profile
Describe yourself — voice, text, or neither
Say what you do and Sarto's configurator drafts a profile: "I'm a journalist protecting sources", "a lawyer with privileged files", "just a private person". Nothing applies until you review and confirm below — and the switches themselves work with no key and no network at all.
Review before it applies — every switch is yours
This is the derived profile. Nothing here is active yet: edit anything, then seal & apply. The suggestion engine only ever writes to this panel — it cannot apply settings behind your back.
foreground = pinned first on the launcher · available = installed, findable · hidden = not shown (re-enable any time; hiding is a preference, not a lock)
the profile as JSON (what actually gets sealed)
Applying seals the profile with AES-256-GCM under a key from PBKDF2-SHA-256 (310,000 it.) — the WebCrypto stand-in for the product's Argon2id vault KDF (postern-vault / postern-core). Only ciphertext is stored in this browser; on Postern OS the profile lives in the TEE-wrapped vault.
Profile on this device
1 · Admin of record — your wallet identity
The policy must be signed by whoever answers for it. Your admin identity is a wallet keypair (the Chiave pattern): the managed device pins your public key at enrollment, and every policy must verify against it.
Signing key: Ed25519 (WebCrypto) — a classical stand-in for the wallet's hybrid Falcon-1024 ‖ ML-DSA-65 post-quantum key in the device TEE. Sealed at rest with AES-256-GCM + PBKDF2, exactly like the Chiave wallet keyfile. In the product this is your Postern wallet — no separate admin account exists.
2 · Relationship to this device
3 · Limits — what this policy enforces
Limits only. There is nothing here that watches, logs, or reports — such a control does not exist in Sarto and will not be added.
Wins over a category block — carve-outs for good sites in blocked categories.
Wins over everything, including the allow list.
hidden apps are removed from the launcher by policy · everything else stays available
4 · Sign & install — the tamper-evident step
The policy is canonicalized and signed with your admin key. The managed device verifies it against your pinned enrollment key on every render: any edit by anyone else — including softening it — breaks the signature visibly.
No policy on this device
Nothing is managed here. If a policy were installed, this screen would show it in full — it can never be hidden from you.
What this policy can NOT do
- ●It cannot see your browsing, messages, files, or anything you type. No activity is collected at all.
- ●It cannot report anything to the admin or anyone else. This page's only possible network call is a Claude request you make in the configurator — the policy engine makes none.
- ●It cannot be hidden. If someone claims a device is "managed invisibly" by Postern, that is false — no covert mode exists, by refusal, not by omission.
- ●It cannot be silently changed. The policy is signed by the admin's pinned key; any tampering shows as a big red signature failure on this panel.
Check a site against this policy
See for yourself what would be blocked right now — the same check the enforcement layer runs. It happens entirely on this page; the lookup is not sent anywhere.
Category lookup here uses a small built-in demo list; on Postern OS an on-device category list does this (still no network, still no logging).