Skip to content

Security and privacy

Jarvis is local-first, but it still coordinates LLM providers, runtime CLIs, logs, and optional remote access channels. Treat docs, issues, and screenshots as public artifacts unless you know otherwise.

  • SQLite application data by default
  • local logs under data/logs/
  • runtime CLI configuration owned by Claude Code, Codex, or OpenCode
  • optional model pool metadata and local provider settings
  • chat prompts and responses sent to the configured model provider
  • coding-agent prompts sent through the selected runtime CLI
  • remote-control messages when a remote channel is enabled
  • diagnostics that a user chooses to paste into a public issue

Do not paste these into public issues or docs:

  • API keys, provider tokens, cookies, or session credentials
  • private prompts, transcripts, or terminal output containing proprietary code
  • real filesystem paths that identify a user or private workspace
  • database files or raw logs
  • security vulnerabilities with exploitable detail

For public feedback, include:

  • product version
  • platform and install channel
  • redacted error message
  • shortest reproduction steps
  • screenshots with private content removed

Use the public feedback repository only for non-sensitive issues. If a report contains credentials, private logs, remote access details, or vulnerability details, do not post it publicly. Use the project’s responsible disclosure path or contact channel instead.