Security and privacy
Jarvis is local-first, but it still coordinates LLM providers, runtime CLIs, logs, and optional remote access channels. Treat docs, issues, and screenshots as public artifacts unless you know otherwise.
What stays local
Section titled “What stays local”- SQLite application data by default
- local logs under
data/logs/ - runtime CLI configuration owned by Claude Code, Codex, or OpenCode
- optional model pool metadata and local provider settings
What may leave the machine
Section titled “What may leave the machine”- chat prompts and responses sent to the configured model provider
- coding-agent prompts sent through the selected runtime CLI
- remote-control messages when a remote channel is enabled
- diagnostics that a user chooses to paste into a public issue
Public reporting rules
Section titled “Public reporting rules”Do not paste these into public issues or docs:
- API keys, provider tokens, cookies, or session credentials
- private prompts, transcripts, or terminal output containing proprietary code
- real filesystem paths that identify a user or private workspace
- database files or raw logs
- security vulnerabilities with exploitable detail
For public feedback, include:
- product version
- platform and install channel
- redacted error message
- shortest reproduction steps
- screenshots with private content removed
Security reporting
Section titled “Security reporting”Use the public feedback repository only for non-sensitive issues. If a report contains credentials, private logs, remote access details, or vulnerability details, do not post it publicly. Use the project’s responsible disclosure path or contact channel instead.