We don't hand-write the encryption claims below. They're generated straight from the real system that runs them, and re-checked every time we ship. If the words and the code ever disagree, the build fails and this page can't go out. So don't just trust it — read it, and check it yourself.
AGPL is the license that keeps network software honest: if anyone — including us — serves you this software over a network, you're entitled to the source that's running. For a tool that watches your spend and relays your screen between your devices, source access isn't a nicety. It's the audit mechanism.
The license is a feature
Run it, read it, fork it. And because it's AGPL, anyone serving you this software over a network owes you the source — including us.
Historical MIT snapshots stay MIT — the relicense changes the future, not the past.
We claim: The product is AGPL-3.0-only at HEAD. Run it, read it, fork it — and if you serve it over a network, your users get the source too.
We don't claim: We don't relicense the past. Every shipped MIT snapshot stays MIT.
We claim: The official Signal library is pinned and wired in for device-to-device lanes and at-rest sealing.
We don't claim: We don't claim it's live. It is wired in but off by default — per-domain flag, staged rollout, instant revert — behind a fail-closed readiness gate.
We claim: Phone ⇄ gateway traffic rides a hardened encrypted gateway: keys pinned to your devices, safety-code pairing, forward secrecy, downgrade attempts refused.
We don't claim: We don't say “the assistant can't read your messages.” The gateway decrypts to run the model — that is what running a model means.
We claim: These claims are wired to the crypto registry: the encryption claim lines are generated, and the build goes red the moment they drift from it.
We don't claim: We don't claim an external audit. The gates are ours; an independent audit will be linked here when it happens.
AGPL-3.0-only at HEAD Historical MIT snapshots stay MIT — the relicense changes the future, not the past. Terms
We pinned Signal's official open-source library — the exact code, not a reimplementation — for device-to-device lanes and at-rest sealing. Today it is wired in, not activated in production: a per-domain flag, default off, staged rollout, instant revert.
The iPhone and iPad app is libsignal-free by design. It reads the same sealed envelopes through Apple's CryptoKit — and that interop isn't a design promise: it's locked by committed cross-implementation test vectors that run in CI, sealed by each library and opened by the other. No Signal code ships in the App Store binary.
WHAT WE CLAIM
WHAT WE DON'T
Generated from the crypto registry · pinned at v0.94.4 · drift fails the build
Parts of our assistant stack live in open upstreams that must stay MIT-clean — code we share back to communities that license their work permissively. Signal's library is AGPL; pulling it into those lanes would close doors we want open. So every phone-to-gateway lane runs Horcrux, our own sealed-envelope layer — a hardened, forward-secret encrypted gateway.
A CI job stands at that boundary: every contribution headed upstream is scanned so the MIT lane stays MIT. Not an honor system — a gate.
The seal protects the path: your phone to our gateway, past every relay in between. At the gateway it is opened to run the model — we don't say “the assistant can't read your messages,” because that would be false.
Horcrux: “Honestly, Our Relay Can't Read User eXchanges.” We checked — it's even true.
Anyone can write a privacy page. Ours is compiled. The tier of every domain below is generated from the registry our apps run on. Every claim line above is keyed to a model in the crypto registry, its platform list comes straight from the policy matrix, and a fail-closed gate rejects the copy the moment the registry — or the rollout state — stops backing it. The wording is human; the facts behind it are machine-checked, and drift turns the build red.
// CI-gated · registry drift gate · build-verified
Assistant chats, CLI agent transcripts, mobile mission prompts/results, saved text snippets, rollback scope/diagnostics, approval rules, agent personas, subscription graph edges, and conversation recall metadata are sealed on-device before Firestore receives them.
Full conversation bodies + the encrypted search index + project memory. Sealed on-device; the server holds only ciphertext, aggregate cockpit facets, and opaque search/integrity hashes.
NOTE The keyword search index is deterministic — repeated and co-occurring search terms produce stable keyed digests, so the server can learn which terms recur and appear together across your logs (the search structure), and the integrity hashes can confirm a guessed body or chunk; every title, snippet, body, and path stays sealed and unreadable.
Your private semantic memory: repo docs, notes, and chat-derived memories your agents recall. Text is sealed on-device; hosted ANN recall is an explicit opt-in over cloaked vectors and opaque keyed hashes. Those structures still reveal structural signals such as vector geometry, recurrence/co-occurrence patterns, counts, and access timing. Use local-only recall for sensitive memories when available.
NOTE A connected repo stores only an opaque keyed match token plus a sealed repo name — the cleartext repo name is observed transiently server-side only to route an inbound GitHub push webhook, never stored.
Which devices are trusted to decrypt your data, and the wrapped vault keys that make end-to-end encryption possible. The crux of the whole E2EE model.
Computer-use (Agent Control) sessions and their tamper-evident escrow audit trail.
Files, screen, and video relayed between your Mac and phones (Floo media).
NOTE An attachment manifest records only an opaque content hash, mime type, byte size, an opaque per-peer device-id hash, direction, and timestamps — the human-readable file name is sealed on-device (sealedFilename) and never readable by the server.
Per-session token counts, cost estimates, and provider/model/device telemetry. Project names and budget labels are sealed on-device; the server groups spend only by opaque per-project hashes.
Connected AI provider accounts. Labels + status only — the actual credentials live in Google Cloud Secret Manager, never in your data tree.
Your paired Macs, phones, and relays and which can talk to your account.
NOTE Paired relay and hosted-gateway frame contents are only claimed as sealed after paired E2EE is enabled and the runtime-readiness gate is complete; relay routing metadata, public keys, coarse tool labels, thread ids, attachment ids, and delivery state remain visible. The per-agent subscription graph is cloaked behind opaque keyed doc ids.
Coding agents you've granted hosted-MCP access to, the scopes they hold, and their access audit trail.
Your subscription entitlements (Cloud Pro, Ultra) and their change history.
A unified, tamper-evident log of who/what accessed your data, when — across every device, agent, and grant.
