Architecture
- The editor runs on your machine. Code lives on your disk.
- When you chat, the prompt + relevant context is sent to our proxy over TLS, then forwarded to the upstream model provider.
- We do NOT store prompts, completions, or any code content on our servers.
- Tokens (API keys, JWTs) are stored in VS Code SecretStorage — encrypted via the OS keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux).
Transport
- TLS 1.3 only. HSTS preload submitted.
- Certificates rotated automatically (Let’s Encrypt + ACME).
- Public Key Pinning is opt-in via self-host config.
Auth
- Phone OTP login. Codes expire in 5 minutes; max 5 attempts then locked out.
- JWTs are signed HS256, 30-day expiry, scoped to a single device.
- Editor SSO uses a one-shot ticket exchange — the JWT never appears in a URL.
Data isolation
- Each user's API keys are SHA-256 hashed at rest. Plaintext is shown exactly once at creation.
- Per-user usage logs are scoped by JWT — no shared cursors or batch queries.
Vulnerability disclosure
Email [email protected]. PGP key on request. We respond within 48 hours and credit reporters in our changelog (opt-in).
Compliance
- SOC 2 Type II — in progress (Q3 2026).
- GDPR — DPA available on request for paid plans.
- HIPAA — not certified. Self-host if you need this.