gulaq
Permissions Explained
gulaq requests the minimum permissions needed to save workspaces, capture AI chats, and connect to the local vault. Every permission is explained below.
Effective: June 5, 2026
gulaq is a Manifest V3 Chrome extension. All permissions listed here are taken directly from the extension’s manifest.json. No permission is requested speculatively — each is required for a specific feature described below.
Extension Permissions
| Permission | Why gulaq needs it | What it does NOT allow |
|---|---|---|
| sidePanel | Enables the gulaq user interface to appear as a Chrome side panel — a persistent panel alongside your browser content. This is the primary UI surface for the extension. | Does not grant access to page content, tabs, or any data outside the side panel UI itself. |
| tabs | Needed to read the current URL, title, pinned state, active state, and tab group membership of open browser tabs so that workspaces can be saved and restored. Also used to open restored tabs. | Does not allow access to tab content, cookies, passwords, form data, browsing history beyond currently open tabs, or data from closed tabs. |
| tabGroups | Needed to read and restore Chrome tab groups, including group title, color, and collapse state. Without this permission, saved workspaces would lose tab group information on restore. | Does not grant access to tab content, cookies, or any data inside the grouped tabs. |
| windows | Needed to save and restore browser windows, including window geometry (position, size, maximized state) and to manage which tabs belong to which window when saving multi-window workspaces. | Does not grant access to window content, page data, or any information beyond window-level metadata (size, position, state). |
| storage | Needed to store extension settings, the pending sync queue, user preferences, and a write-through cache of recently saved workspace metadata. Uses chrome.storage.local and chrome.storage.sync. | Data stored here is isolated to the gulaq extension and is not accessible by other extensions or websites. Does not access storage from other extensions or websites. |
| alarms | Used to schedule periodic background tasks such as checking for pending sync operations, retrying failed native messaging connections, or refreshing feature flags. Chrome alarms work even when the side panel is closed. | Does not access any user data. Alarms only trigger internal extension logic, not data uploads. |
| clipboardWrite | Allows gulaq to copy saved workspace URLs, chat exports, or transfer prompts to your clipboard when you click a “Copy” button. This is a user-initiated action only. | Does not read clipboard content. Does not monitor clipboard activity. Clipboard writes only happen when you explicitly click Copy. |
| nativeMessaging | Enables the Chrome extension to communicate with the local gulaq Desktop Vault application over Chrome’s native messaging protocol. This is a local, on-device connection used to save data (workspaces, AI chats) to the local SQLite vault on your SSD. | Native messaging is an on-device connection only — it does not involve any network request or remote server. It cannot access data from websites or other applications on your device beyond what the extension explicitly sends. |
| scripting | Required to programmatically inject or execute scripts on specific pages for advanced workspace operations (e.g. checking tab state or triggering captures in supported contexts). Used in combination with host permissions, it only operates on the explicitly listed AI platform domains. | Cannot be used to inject scripts on arbitrary websites — only operates on pages matching the declared host permissions. Does not read or write to sites outside that list. |
| identity | Enables Google OAuth sign-in via Supabase Auth using Chrome’s identity API. This allows you to sign in to your gulaq account with your Google account. gulaq requests only basic OpenID Connect scopes (email, profile) — not access to Gmail, Drive, Calendar, or any other Google service. | Does not grant access to Gmail, Google Drive, Google Calendar, or any other Google service. Does not access your Google account data beyond name, email, and account ID for sign-in. |
Host Permissions
Host permissions allow gulaq’s content scripts to run on specific websites. gulaq requests host permissions only for the AI platforms it supports and for Supabase (for authentication).
| Host | Purpose | What is accessed |
|---|---|---|
| chatgpt.com/* | ChatGPT conversation capture | Visible DOM content of the conversation (messages, prompts, responses) when capture is triggered by the user. Does not access ChatGPT account data, cookies, or auth tokens. |
| claude.ai/* | Claude conversation capture | Same as above — visible conversation DOM only when capture is triggered. |
| gemini.google.com/* | Google Gemini conversation capture | Same as above. |
| perplexity.ai/* | Perplexity conversation capture | Same as above. |
| copilot.microsoft.com/* | Microsoft Copilot conversation capture | Same as above. |
| kjbwoyawzfnxlxzgvpvm.supabase.co/* | Supabase authentication and cloud metadata | API calls for sign-in, session refresh, account status checks, device registration, feature flags, and privacy-safe analytics. No private vault content is sent to this host. |
Content scripts are scoped to only the six AI platform domains. They run at document_idle and are triggered by user action, not automatically on every page load.
Why Native Messaging?
Chrome extensions have a storage limit of approximately 10 MB in chrome.storage.local. A real-world vault of AI conversations and workspaces quickly exceeds this. Native messaging is the official Chrome API for connecting an extension to a locally installed application so that larger, persistent data can be stored on the user’s SSD via SQLite.
The native messaging connection is strictly local. Data sent via native messaging goes to the gulaq desktop app on your own machine — it does not traverse any network and cannot reach any remote server.
No Broad Host Permissions
gulaq does not request <all_urls> or http://*/* or https://*/*. Host permissions are explicitly scoped to the six AI platforms that gulaq supports plus the Supabase backend domain.
gulaq also does not request the cookies, history, bookmarks, or webRequest permissions. These are not needed and are not included in the manifest.
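The scoping claims above can be checked mechanically against a manifest. The following is an added example, not gulaq's own code: the function names are hypothetical, and the manifest object is constructed from the tables on this page, assuming the https scheme for every listed host.

```javascript
// Added example: checks a Manifest V3 manifest against the scoping claims on this page.
const CATCH_ALL = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const NOT_REQUESTED = ["cookies", "history", "bookmarks", "webRequest"];

// Host part of a match pattern such as "https://claude.ai/*"; null if malformed.
function patternHost(pattern) {
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// Catch-all patterns, bare-wildcard hosts and unparseable patterns all count as broad.
function isBroad(pattern) {
  const host = patternHost(pattern);
  return CATCH_ALL.has(pattern) || host === null || host === "*";
}

// Returns a list of findings; an empty list means the manifest matches the page.
function auditManifest(manifest, allowedHosts) {
  const findings = [];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  for (const p of [...(manifest.host_permissions || []), ...scriptMatches]) {
    if (isBroad(p)) findings.push(`broad or malformed host pattern: ${p}`);
    else if (!allowedHosts.includes(patternHost(p))) findings.push(`host not on documented list: ${p}`);
  }
  for (const perm of manifest.permissions || []) {
    if (NOT_REQUESTED.includes(perm)) findings.push(`permission the page says is not requested: ${perm}`);
  }
  return findings;
}

// CONSTRUCTED manifest built from the tables on this page (https scheme assumed).
const AI_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com", "perplexity.ai", "copilot.microsoft.com"];
const ALLOWED_HOSTS = [...AI_HOSTS, "kjbwoyawzfnxlxzgvpvm.supabase.co"];
const documentedManifest = {
  manifest_version: 3,
  permissions: ["sidePanel", "tabs", "tabGroups", "windows", "storage", "alarms",
    "clipboardWrite", "nativeMessaging", "scripting", "identity"],
  host_permissions: ALLOWED_HOSTS.map((h) => `https://${h}/*`),
  content_scripts: [{ matches: AI_HOSTS.map((h) => `https://${h}/*`), run_at: "document_idle" }],
};

console.log(auditManifest(documentedManifest, ALLOWED_HOSTS));
```

Run against the manifest.json unpacked from an installed copy, a non-empty result means the shipped permissions have drifted from what this page documents.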
Questions About Permissions
Contact: backtothegoldenage@gmail.com
Also see: gulaq Privacy Policy · CWS Disclosures