Faqpage

Bernato FAQ

Akshay Sarode

If your question isn't here, email hello@bernato.dev or open a discussion on GitHub.

What is Bernato?

A zero-trust process orchestrator. A small Go daemon (bernatod) on each machine you own; one dashboard to spawn, watch, supervise, and kill long-running processes (Claude Code, Codex, training jobs, browser agents) across every box from one screen — including your phone.

How is this different from Claude Code Remote Control?

Remote Control attaches your phone to one Claude Code session at a time, while your terminal stays open. Bernato is multi-machine, multi-process, daemon-supervised, and can sandbox macOS spawns with Seatbelt — works after closing the terminal, works with non-Claude tools, fleet view across every machine. Linux supports opt-in bwrap when available; Windows has limited Job Object containment without filesystem/network isolation. Detailed comparison.

How is the daemon authenticated?

Firebase ID tokens verified offline against Google's JWKS, plus short-lived loopback-only dashboard tokens for tray-opened local pages. Legacy static machine secrets are cleared on load and no longer authenticate.

Does it work behind CGNAT?

Yes. Off-LAN reach is a single outbound wss:// connection from the daemon to the Bernato broker — no inbound ports, no third-party tunnel. Same CGNAT-friendly outbound model as Cloudflare Tunnel, without shipping a tunnel binary.

Does it work offline?

Pairing needs internet (Firebase Auth). After pairing, LAN-only operation works — the dashboard probes loopback first on every call.

Is data ever sent to the cloud?

Agent metadata (machine name, agent ID, command, runtime) is in your Firebase project's Firestore. PTY output is real-time over WebSocket, never persisted on the server side. The 30-day SQLite history is on the daemon's local disk only.

How much does it cost?

Free for 3 paired nodes forever (basic history, basic tunnel). paid checkout is hidden for this launch cycle while billing and support are verified. The daemon binary is and stays free.

What platforms are supported?

macOS is the primary supported daemon target today. Linux and Windows builds are preview/manual; Linux supports opt-in bwrap when available, and Windows has limited Job Object containment. The web dashboard remains the launch path; native mobile store distribution is out of scope.

Is the daemon open source?

Source-available. Bernato currently ships a local daemon activity log; tamper-evident verification is roadmap work.

What does the sandbox protect against?

On macOS, filesystem containment via Seatbelt. By default, an agent can read/write its workspace, use network, and spawn subprocesses. Broader filesystem reads require read:<path> or read_anywhere; app control requires accessibility; TCC-protected files require full_disk_access. Linux supports opt-in bwrap when available; Windows has limited Job Object containment without filesystem/network isolation.

Can it run alongside SSH / tmux / Tailscale?

Yes to all three. Bernato is process supervision, not a network layer or a shell replacement. Many users run all of them.

How do I revoke access?

Tray menu → Revoke all sessions. Calls a Firebase Cloud Function that runs admin.auth().revokeRefreshTokens(uid). Existing ID tokens expire within 1 hour; refresh tokens are immediately invalidated.

What about prompt injection in the agent?

Sandbox is a containment story for filesystem and network — it doesn't stop a prompt-injected agent from making bad commits within its workspace. Pair with the audit log (so you can see what happened) and capability minimization (so the agent has less to work with).