LeanCTX is designed with security as a first-class concern. Everything runs locally by default, there is zero telemetry, and the entire codebase is open source and auditable.
Data Privacy
- Local-first: All processing happens on your machine. No data leaves your network unless you explicitly configure a Team Server.
- Zero telemetry: LeanCTX does not collect, send, or store any usage data, analytics, or crash reports.
- No cloud dependency: The binary runs entirely offline. Cloud sync is opt-in and self-hosted.
- Open source: MIT + Apache-2.0 dual license. Full source code available for audit at any time.
PathJail Sandbox
Every file operation is sandboxed by PathJail, which prevents AI agents from accessing files outside the project directory:
// PathJail enforces these rules:
✓ src/lib/auth.ts → inside project root
✓ ../shared-lib/utils.ts → resolved, still in workspace
✗ /etc/passwd → BLOCKED: outside project root
✗ ../../secrets/.env → BLOCKED: path traversal
✗ ~/.ssh/id_rsa → BLOCKED: outside project rootPathJail is always active and cannot be disabled. It resolves symlinks before checking, preventing bypass via symbolic links.
Token Scopes & ACL
When using the Team Server, every API token has explicit scopes that limit what it can do:
| Scope | Permissions | Use Case |
|---|---|---|
read | Read sessions, knowledge, events | Read-only agents, monitoring |
write | Mutate sessions, store knowledge, execute tools | Active development agents |
admin | Manage tokens, workspaces, server config | Team leads, CI/CD |
events | Subscribe to SSE event stream | Dashboards, automation |
Create scoped tokens with the CLI:
$ lean-ctx team token create --scope read --name "dashboard"
$ lean-ctx team token create --scope read,write --name "developer"
$ lean-ctx team token create --scope admin --name "ops"Audit Trail
The Team Server logs every tool execution, session mutation, and knowledge operation with full attribution:
[2025-01-15 14:32:01] agent=cursor token=alice tool=ctx_read path=src/auth.ts tokens=180
[2025-01-15 14:32:05] agent=claude token=bob tool=ctx_knowledge action=remember fact="JWT RS256"
[2025-01-15 14:32:12] agent=cursor token=alice tool=ctx_session action=mutate channel=feat/auth rev=15Audit logs include: timestamp, agent identity, token name, tool called, arguments (redacted), result status, and token cost.
Redaction Policies
LeanCTX automatically redacts sensitive patterns from tool outputs before they reach the AI agent:
- Environment variables:
$SECRET_KEY,$API_TOKEN, etc. - Connection strings: Database URLs, Redis URLs with credentials
- Private keys: SSH keys, PEM certificates, JWT secrets
- Custom patterns: Define your own regex patterns in
.lean-ctx/config.toml
[redaction]
enabled = true
level = "standard" # "off", "standard", "strict"
[[redaction.patterns]]
name = "internal-api-keys"
regex = "sk_live_[a-zA-Z0-9]{24,}"
replacement = "[REDACTED_API_KEY]"Secret Leak Prevention
The verification pipeline scans all tool outputs for potential secret leaks before delivering them to the AI agent:
- AWS access keys and secret keys
- GitHub/GitLab personal access tokens
- Stripe, Twilio, SendGrid API keys
- Generic high-entropy strings matching key patterns
- Private keys (RSA, ECDSA, Ed25519)
When a secret is detected, the verification step replaces it with [REDACTED] and logs a warning in the audit trail. This protection is enabled by default and works with all integration modes (CLI, Hybrid, MCP).
Open Source Audit
LeanCTX is fully open source. You can audit the security implementation yourself: