Security, privacy, and auditability by design
MCP treats local-first execution as a non-negotiable. Approvals, budgets, and audit trails ensure you control every action.
Local-first by default
Models, tools, and data stay on your device unless you explicitly enable cloud connectors.
Approvals required
High-risk writer tools, outbound requests, and resource escalations pause for consent.
Everything is auditable
Every tool call, prompt, and output is logged with timestamps and hashes (signing is on the roadmap).
No exfiltration
Outbound communication is disabled by default. Domain and path allowlists govern all access.
Trust boundaries
- Policy modes (constrained/autonomous)
- Tool risk classes and allowlists
- Autonomy budgets and rate limits
- Sandboxed containers (roadmap)
Auditability
- Episodic memory with immutable logs
- Tool call transcripts and artifacts
- Planned signed evidence exports
- Webhook notifications for approvals
Compliance posture
- Data stays on-device by default
- Pluggable evidence packs for SOC2/ISO
- Container sandboxing milestones
- Role-based access (planned)
Data flow overview
Local storage handles vector memory, knowledge graph, and episodic logs. Outbound requests are disabled until you approve a connector.
Security FAQs
Do you send any data to the cloud by default?
No. llm-local, vector search, and all default tools operate offline. Cloud providers require explicit configuration and API keys.
How do approvals work?
Approvals are enforced by the orchestrator. Plans pause when they hit gated tools until an approver confirms via CLI or GUI.
Can I export audit logs?
Yes. Logs are stored locally and can be exported in JSONL format. Signed exports are in active development.
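As an added illustration (not MCP's own code) of what locally stored, JSONL-exportable audit records with timestamps and hashes can look like, the constructed example below chains each record's hash to the previous record so that verification detects edited or deleted entries; MCP's actual record fields and hash scheme are not described on this page and are assumed here.

```python
import hashlib
import json
import time

# Constructed example, not MCP's own code: an append-only JSONL audit log where
# each record carries a timestamp and a SHA-256 over its own content plus the
# previous record's hash, so edits and deletions are detectable on verification.
GENESIS = "0" * 64


def _record_hash(record: dict) -> str:
    # Hash the record with its own "hash" field excluded; sort_keys fixes key order.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(log: list, kind: str, payload: dict, ts=None) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts if ts is not None else time.time(), "kind": kind,
              "payload": payload, "prev": prev}
    record["hash"] = _record_hash(record)
    log.append(record)
    return record


def to_jsonl(log: list) -> str:
    return "\n".join(json.dumps(r, sort_keys=True) for r in log) + "\n"


def verify_jsonl(text: str):
    """Return (ok, index of first bad record or -1) for a JSONL export."""
    prev = GENESIS
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        r = json.loads(line)
        if r.get("prev") != prev or _record_hash(r) != r.get("hash"):
            return False, i
        prev = r["hash"]
    return True, -1


def demo():
    # Fixed timestamps keep the demo deterministic; kinds/payloads are assumed.
    log = []
    append_record(log, "prompt", {"text": "summarize report.pdf"}, ts=1.0)
    append_record(log, "tool_call", {"tool": "fs.read", "path": "report.pdf"}, ts=2.0)
    append_record(log, "output", {"text": "three bullet summary"}, ts=3.0)
    export = to_jsonl(log)
    lines = export.splitlines()
    del lines[1]  # simulate someone removing the tool-call record from the export
    tampered = "\n".join(lines) + "\n"
    return verify_jsonl(export), verify_jsonl(tampered)
```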
What is your roadmap for sandboxing?
We are adding container sandboxes for tool execution with optional kernel-level policies for high-assurance environments.