Security is a complex topic, so I'd be careful with black-and-white statements.
You're right that folders inside ~/Library/Group Containers/ are protected by SIP, but many other locations aren't, notably ~/Library/Containers (the home folder for sandboxed apps) and your actual home folder. Non-sandboxed apps can freely read, copy, or delete files from these locations.
So the point still stands: if you run a sandboxed app and don't grant it excessive permissions, you're mostly safe. If you run a non-sandboxed app, your data is at risk and not just your Bear notes. That same script you posted could be trivially rewritten to grab files from dozens of other apps that don't have SIP protection on their data.
Worth noting too: bearcli doesn't bypass anything macOS provides, it operates within the same permission model every other tool does. The convenience it adds for legitimate use is the same convenience an attacker would get, but an attacker with shell access on your machine already has much bigger data to exploit.
One more thing worth mentioning: if you enable "lock Bear at launch" in the Bear preferences, bearcli is disabled by default, and encrypted notes can't be accessed by it under any circumstances.
This we can definitely consider, we're always open to making things more secure (even if security is always a tradeoff).
@matteo to reconfirm, currently Bear isn't accessible to third-party apps at all - without cli. Even with sudo:

```
ls -la ~/Library/Containers/net.shinyfrog.bear/Data
Operation not permitted
sudo ls -la ~/Library/Containers/net.shinyfrog.bear/Data
Operation not permitted
cat ~/Library/Group\ Containers/9K33E3U3T4.net.shinyfrog.bear/Application\ Data/database.sqlite
Operation not permitted
```
> bearcli doesn't bypass anything macOS provides

As you can see above, there is no way to get database.sqlite. With cli, however, all notes are accessible to any app. Could you clarify how it equates to "doesn't bypass"?

> That same script you posted could be trivially rewritten to grab files from dozens of other apps that don't have SIP protection on their data

I am aware of this. It requires careful planning about which files to place where. It's not a big deal and has been known for years.
As long as AI is not built into Bear itself I really don't care, and nobody else should either. Actually that is the best way: whoever wishes can connect their AI to Bear, and whoever dislikes AI isn't bothered at all. Perfect solution, isn't it?
"After following this space for a while, it seems like the industry has shifted. Early on, the goal was to bake AI directly into applications. Now the smarter approach — and what Bear appears to be doing — is to provide an interface that lets you bring your own AI. You get the flexibility to use whatever model you prefer, and if you'd rather not use AI at all, nothing changes. It's just there when you want it."
```
Error: Error code: 400 - {'error': {'message': "Invalid schema for function 'mcp_bear_edit_note': In context=('properties', 'edits'), array schema missing items.", 'type': 'invalid_request_error', 'param': 'tools[22].parameters', 'code': 'invalid_function_parameters'}}
```

I think that was happening because the edits array parameter was missing its items definition in the JSON schema, which caused OpenAI (gpt-5.5) to reject it. Claude Sonnet, for example, is more tolerant of schema quirks, so edit_note should work fine there. The fix for gpt-5.5 would need to be on the MCP server side (adding "items": {…} to the edits array schema).
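The strict-validator rejection quoted above can be caught before a request is sent. The following is an added example (not code from the post, the Bear project or bearcli): it walks a tool's JSON Schema parameters, reports every `array` without an `items` definition, and repairs a copy of the schema. The `edit_note` parameter schema and the `EXAMPLE_EDIT_ITEM` item schema are constructed for illustration and only mirror the shape named in the error message; they are not Bear's real `mcp_bear_edit_note` definition.

```python
import copy
import json

# Constructed tool parameter schema for illustration: an "edits" array with no
# "items", the shape the 400 error complains about. Not Bear's real definition.
BROKEN_EDIT_NOTE_PARAMS = {
    "type": "object",
    "properties": {
        "id": {"type": "string", "description": "Note identifier"},
        "edits": {"type": "array", "description": "Edits to apply"},
    },
    "required": ["id", "edits"],
}

# Hypothetical item schema used for the repair; the real fields would come
# from the MCP server's own tool definition.
EXAMPLE_EDIT_ITEM = {
    "type": "object",
    "properties": {"find": {"type": "string"}, "replace": {"type": "string"}},
    "required": ["find", "replace"],
}


def arrays_missing_items(schema, path=()):
    """Return pointer-style paths of every array schema that lacks 'items'.

    Walks 'properties', 'items' and the anyOf/oneOf/allOf combinators, which
    covers the nesting normally seen in MCP tool parameter schemas.
    """
    found = []
    if not isinstance(schema, dict):
        return found
    if schema.get("type") == "array" and "items" not in schema:
        found.append("/" + "/".join(path) if path else "/")
    for name, sub in schema.get("properties", {}).items():
        found += arrays_missing_items(sub, path + ("properties", name))
    if isinstance(schema.get("items"), dict):
        found += arrays_missing_items(schema["items"], path + ("items",))
    for comb in ("anyOf", "oneOf", "allOf"):
        for i, sub in enumerate(schema.get(comb, [])):
            found += arrays_missing_items(sub, path + (comb, str(i)))
    return found


def add_missing_items(schema, item_schema):
    """Return a deep copy of schema in which every array lacking 'items'
    receives item_schema; the input is left untouched."""
    fixed = copy.deepcopy(schema)

    def walk(node):
        if not isinstance(node, dict):
            return
        if node.get("type") == "array" and "items" not in node:
            node["items"] = copy.deepcopy(item_schema)
        for sub in node.get("properties", {}).values():
            walk(sub)
        if isinstance(node.get("items"), dict):
            walk(node["items"])
        for comb in ("anyOf", "oneOf", "allOf"):
            for sub in node.get(comb, []):
                walk(sub)

    walk(fixed)
    return fixed


def lint_tool_list(tools):
    """Check a list of {'name', 'parameters'} tool definitions (the shape a
    client sends as tools[i].parameters) and return (index, name, path) for
    each offending array, so a tool can be repaired or dropped client-side."""
    problems = []
    for i, tool in enumerate(tools):
        for path in arrays_missing_items(tool.get("parameters", {})):
            problems.append((i, tool.get("name", "?"), path))
    return problems


if __name__ == "__main__":
    tools = [{"name": "edit_note", "parameters": BROKEN_EDIT_NOTE_PARAMS}]
    print(lint_tool_list(tools))
    print(json.dumps(add_missing_items(BROKEN_EDIT_NOTE_PARAMS, EXAMPLE_EDIT_ITEM), indent=2))
```

Running the linter over the tool list a client is about to send turns the opaque `tools[22].parameters` complaint into a concrete path (`/properties/edits`), and the repair step is only a stopgap: the proper fix is in the MCP server's schema, as the post says.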
An official CLI is a fantastic addition to Bear and entirely in the spirit of simplicity and local-first that makes Bear so useful.
Not having to manually hook into the sqlite db makes things a lot simpler (and safer) going forward!
To the AI skeptics: I hear you 100%, but this changes nothing. The sqlite db was always accessible to any AI you allowed to look at it. If an AI is accessing Bear it's because you gave it permission to do so. Doing it through an official API (like bearcli) just makes it a lot safer.
While the wording here is a bit alarmist, the underlying concern is valid: Shipping `bearcli` as enabled by default removes the protection that Full Disk Access (FDA) normally provides against other processes accessing the Bear database.
A sensible compromise could be to gate `bearcli` behind a toggle in Bear settings and default it to OFF. That would maintain the default safety net that FDA provides, while still allowing the user to enable that setting, accepting the reduced protections it entails.
Also note that only non-sandboxed processes can execute `bearcli`. Sandboxed applications are prevented from executing anything outside their sandbox.
Terminals do not, for obvious reasons, opt in to the `com.apple.security.app-sandbox` entitlement, so the node script you're running is not sandboxed. A sandboxed app would not be able to execute `bearcli` and access your notes that way.
Hi, new Bear user here. I'm a longtime (basic) user of Apple Notes and decided to look for a markdown-friendly solution so I can pair it with some kind of "personal assistant AI" to help me with my knowledge base. I chose Bear over Obsidian because of its superior (& cost-effective) sync within the Apple ecosystem.
I'm also concerned about privacy and security, so I plan to use this with a local LLM which I'm running in Docker so I can choose exactly what it has visibility into on my Mac.
So thank you for this connector capability, and here is how I've got it working on my MacBook. Setup - LLM - Qwen3.6-35B-A3B on my MacBook using oMLX.
Config summary - Run the bearcli mcp-server process in macOS and configure AnythingLLM to access it via a TCP bridge created using the socat command.
Step 1: To allow AnythingLLM to access the running instance of bearcli mcp-server, I'm using these commands to bridge the traffic between the MCP server (Bear app) running in macOS and AnythingLLM in Docker.

```
brew install socat
socat TCP-LISTEN:9090,reuseaddr,fork EXEC:"/Applications/Bear.app/Contents/MacOS/bearcli mcp-server"
```

Step 2: The AnythingLLM MCP config is located at /docker/containers/anythingllm/app/server/storage/plugins/anythingllm_mcp_servers.json, which one can get to by clicking on "Files" in the AnythingLLM container menu (above screenshot).
Add this config to the file and restart the container.

```json
{
  "mcpServers": {
    "bear": {
      "command": "nc",
      "args": ["host.docker.internal", "9090"]
    }
  }
}
```
Step 3: Restart the container and visit the config page at - http://localhost:3001/settings/agents
One can now see the Bear MCP connector in the AnythingLLM config and limit access to functionality as needed.
Success! - Ask the AI to find things in your Bear notes as seen in the screenshot below.
Ultimately my plan is to configure jobs within AnythingLLM so agents can lookup information and update a dashboard of sorts in my Bear notes so that I just have to open the Bear app to get access to info I need for the day rather than visiting multiple websites
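The socat bridge in the setup above is a generic TCP-to-stdio relay, and `TCP-LISTEN:9090` without a `bind=` option accepts connections on every interface, so any machine on the same network could reach the MCP server and, through it, the notes. The following is an added example (not code from the post, Bear, bearcli or AnythingLLM) that shows the same bridge in Python with the listener pinned to 127.0.0.1, emits the equivalent loopback-only `socat` command line and the AnythingLLM JSON entry from the post, and exercises the bridge offline against a small echo process that stands in for `bearcli mcp-server`. It assumes (verify on your own setup) that Docker Desktop for Mac delivers `host.docker.internal` connections to the host's loopback interface, so a loopback-bound listener is still reachable from the container; the bearcli path is the one given in the post.

```python
import asyncio
import sys

BEARCLI = "/Applications/Bear.app/Contents/MacOS/bearcli"  # path from the post


def socat_command(port=9090, bind="127.0.0.1", bearcli=BEARCLI):
    """The socat line from the post with the listener pinned to loopback.

    Assumption: Docker Desktop for Mac hands host.docker.internal traffic to
    the host's loopback interface, so bind=127.0.0.1 still serves the container
    while refusing connections from other hosts on the network.
    """
    return (f"socat TCP-LISTEN:{port},bind={bind},reuseaddr,fork "
            f'EXEC:"{bearcli} mcp-server"')


def anythingllm_mcp_config(port=9090, host="host.docker.internal"):
    """The anythingllm_mcp_servers.json entry from the post, as a dict."""
    return {"mcpServers": {"bear": {"command": "nc", "args": [host, str(port)]}}}


async def handle_client(cmd, reader, writer):
    """One TCP client: spawn a fresh server process and relay bytes both ways,
    which is what socat's fork + EXEC does for each connection."""
    proc = await asyncio.create_subprocess_exec(
        *cmd, stdin=asyncio.subprocess.PIPE, stdout=asyncio.subprocess.PIPE)

    async def client_to_proc():
        try:
            while data := await reader.read(65536):
                proc.stdin.write(data)
                await proc.stdin.drain()
        finally:
            proc.stdin.close()  # EOF on stdin tells the server process to exit

    async def proc_to_client():
        try:
            while data := await proc.stdout.read(65536):
                writer.write(data)
                await writer.drain()
        finally:
            writer.close()

    await asyncio.gather(client_to_proc(), proc_to_client(), return_exceptions=True)
    await proc.wait()


async def serve(cmd, host="127.0.0.1", port=9090):
    """Listen on loopback only; each accepted client gets its own process."""
    return await asyncio.start_server(lambda r, w: handle_client(cmd, r, w), host, port)


def echo_stub_command():
    """Constructed stand-in for `bearcli mcp-server`: a child Python process that
    echoes each newline-delimited message, the framing MCP uses over stdio."""
    return [sys.executable, "-u", "-c",
            "import sys\n"
            "while True:\n"
            "    line = sys.stdin.readline()\n"
            "    if not line:\n"
            "        break\n"
            "    sys.stdout.write(line)\n"
            "    sys.stdout.flush()\n"]


async def _roundtrip(cmd, payload):
    server = await serve(cmd, port=0)  # ephemeral port for the self-test
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(payload)
    await writer.drain()
    reply = await asyncio.wait_for(reader.readline(), timeout=10)
    writer.close()
    await writer.wait_closed()
    server.close()
    try:
        await asyncio.wait_for(server.wait_closed(), timeout=5)
    except asyncio.TimeoutError:
        pass
    return reply


def roundtrip(cmd, payload):
    """Send one JSON-RPC line through the bridge and return the process's reply."""
    return asyncio.run(_roundtrip(cmd, payload))


if __name__ == "__main__":
    print(socat_command())
    print(anythingllm_mcp_config())
    msg = b'{"jsonrpc":"2.0","id":1,"method":"ping"}\n'
    print(roundtrip(echo_stub_command(), msg))
```

To use the real server instead of the stub, run `asyncio.run(serve([BEARCLI, "mcp-server"]))` with `serve_forever()` on the returned server, or simply add `bind=127.0.0.1` to the socat line from Step 1; the container-side `nc host.docker.internal 9090` entry is unchanged either way.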