Contextpipe Security Model
Pre-launch · Founder-authored
Contextpipe is a macOS menu bar daemon that auto-feeds IDE / terminal / browser context to AI coding tools (Cursor, Claude Code, Codex CLI, Windsurf, Zed) via the Model Context Protocol (MCP). This document is the single public source of truth for our security and privacy model.
If anything here turns out to be inaccurate, please email security@contextpipe.dev (the public issue tracker opens with the GitHub repo at launch). We’ll fix the doc within 48 hours and credit you in the changelog.
TL;DR
| Concern | Answer |
|---|---|
| Do you screen-record me? | No. We don’t request the Screen Recording permission. No ScreenCaptureKit, no orange dot, no OCR. |
| Do you upload my context to your servers? | In Free mode: no. We literally don’t have a server to receive context. In Pro with sync enabled (opt-in, default off): yes, but only as end-to-end encrypted blobs we cannot decrypt. |
| Where do my BYOK LLM calls go? | Directly from your IDE to your chosen provider (OpenAI / Anthropic / Ollama / Mistral / etc.). We never see your prompts or responses. |
| Can a website on my LAN talk to your local server? | No. The HTTP MCP server (port 4848) is off by default, bound to 127.0.0.1 only, requires per-client tokens, and has a strict Origin allowlist. See §3. |
| What if I uninstall? | One-click ldc nuke clears local data. If Pro sync was on, your cloud E2EE blobs are deleted within 24 hours. |
1. Three data-egress paths (the only three)
There are three and only three ways Contextpipe can send data off your Mac. v1.3 SSOT locks this. Anything outside these three paths is a bug — please report it.
Path 1 · BYOK LLM calls (your IDE → your LLM provider)
When you ask Cursor or Claude Code a question, Cursor/Claude makes the API call to OpenAI / Anthropic / Ollama / etc., using your API key, from your machine. Contextpipe never proxies, intercepts, or logs these calls. We don’t have your API key — it lives in your macOS Keychain and only Cursor/Claude reads it.
What we provide: the context (Git diff, terminal scrollback, browser URL) that Cursor/Claude then includes in its own prompt to its own provider.
Path 2 · Free mode: daemon never uploads context
In Free mode (and in Pro mode with sync turned off), the Contextpipe daemon does not have an outbound connection to any Contextpipe-controlled server for context data. We don’t have a server to receive context. The only outbound traffic planned from the daemon process is:
- Sparkle auto-update check — Coming Soon (signed HTTPS to updates.contextpipe.dev, payload = current version string only)
- Anonymous opt-in crash reports via Sentry — Coming Soon (default: off; opt-in)
Neither of these will carry any context, file paths, terminal output, or browser URLs. Current pre-launch builds have zero outbound network calls from the daemon.
Path 3 · Pro E2EE sync (opt-in, default off, end-to-end encrypted)
Pro and Lifetime users can enable encrypted cross-device sync to share context history between their Macs (e.g., work laptop + home iMac).
Note on Lifetime sync boundary: Lifetime ($99) users get encrypted sync included for the first 12 months from activation. After 12 months, sync is optional at $3/month (E2EE unchanged, rate locked for the lifetime of your license) — or you can turn sync off and keep local Pro features working forever, free. Subscription ($9/mo) users get sync for as long as their Pilot subscription is active.
When you turn sync on:
- Onboarding generates a 256-bit master key on your device.
- The master key is stored in your macOS Keychain and never leaves your devices.
- Each context event is encrypted client-side with ChaCha20-Poly1305 (libsodium) using a per-event key derived from the master key.
- The encrypted blob is uploaded to our sync server (Cloudflare R2 + Workers).
- On your other Mac, the daemon downloads the blob and decrypts it locally using the same master key (also synced via the Apple Keychain iCloud feature, end-to-end encrypted by Apple, not by us).
Our sync server cannot decrypt your context — we only see opaque blobs and metadata (timestamp, blob size, device ID). We could be subpoenaed and forced to hand over blobs, but they would be useless without your Keychain key, which we don’t have.
Sync is always opt-in, default off. Onboarding shows a clear choice between Enable encrypted sync and Keep everything local. We never enable sync silently.
2. macOS permissions we request (and don’t request)
| Permission | Status | Why |
|---|---|---|
| Accessibility (AX) | ✅ Required | Read active window text from IDE / terminal / browser. We don’t read passwords or banking apps (per-app blocklist) |
| Apple Events Automation (Safari / Chrome) | 🟡 Optional | Read active browser tab URL. You can skip; we’ll just not read browser context |
| Screen Recording | ❌ Never requested | We don’t use ScreenCaptureKit or OCR. The orange dot will not appear |
| Full Disk Access | ❌ Never requested | We only watch your active Git workspace via FSEvents, scoped to one directory |
| Microphone | ❌ Never requested | We’re not a voice tool |
| Camera | ❌ Never requested | Same |
| Input Monitoring | ❌ Never requested | We don’t log keystrokes |
If you see Contextpipe asking for any permission not in the ✅/🟡 rows above, that is a bug. Please report it.
3. HTTP MCP server security (8-point spec)
For users running 5+ IDE sessions simultaneously, Contextpipe offers an opt-in HTTP MCP server (ldc mcp --http). This is a local network surface, so we lock it down with 8 hard constraints enforced in code:
| # | Constraint | Implementation |
|---|---|---|
| 1 | Bind to 127.0.0.1 only | Hummingbird Application(configuration: .init(address: .hostname("127.0.0.1", port: 4848))). Hardcoded — no CLI flag exposes a way to change the bind address |
| 2 | Default off | ldc mcp --http must be explicitly opted into. Config file ~/Library/Application Support/LDC/config.toml defaults to [mcp.http] enabled = false |
| 3 | Per-client tokens | Enabling HTTP auto-generates a 256-bit token per MCP client; tokens stored in ~/Library/Application Support/LDC/http-tokens.json with 0600 perms; clients send Authorization: Bearer <token>. Tokens revocable per client |
| 4 | Origin allowlist | Only vscode-webview://, null, http://127.0.0.1 are allowed Origins. Others return 403 |
| 5 | Strict CORS | Preflight OPTIONS returns Access-Control-Allow-Origin only for allowlist Origins; never * |
| 6 | Rate limits | 100 req / sec / token, burst 500. Prevents abuse by other apps on the same machine |
| 7 | Audit log | Every request logged to ~/Library/Application Support/LDC/audit.log: timestamp, redacted token prefix, tool name, response size. PII never written. Tail with ldc audit tail -f |
| 8 | Double-confirm to disable | The menu bar prefs UI requires two clicks (Disable HTTP + confirm modal) to turn off HTTP and revoke all tokens. Prevents accidental misconfiguration |
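An added sketch of how constraints 3 to 6 compose into one request gate (illustrative Python, not Contextpipe's Swift code). The `Gate` class, its method names, the check order, acceptance of any port on `http://127.0.0.1`, and the handling of a missing Origin header are assumptions; the Origin is parsed and compared by component so that a lookalike host such as `http://127.0.0.1.evil.example` does not pass a prefix match.

```python
import hmac
import secrets
from urllib.parse import urlsplit

RATE, BURST = 100.0, 500.0  # constraint 6: 100 req/s per token, burst 500

def origin_allowed(origin):
    """Constraint 4: compare parsed components, never a string prefix."""
    if origin is None or origin == "null":
        # Assumption: no Origin header means a non-browser MCP client. "null" is
        # sent by opaque origins, so neither case is trusted without a token.
        return True
    try:
        u = urlsplit(origin)
        host = u.hostname
    except ValueError:
        return False
    if u.scheme == "vscode-webview":
        return True
    return u.scheme == "http" and host == "127.0.0.1"  # any port (assumption)

def cors_headers(origin):
    """Constraint 5: echo an allowlisted Origin back; never send '*'."""
    if origin is not None and origin_allowed(origin):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

class Gate:
    def __init__(self):
        self.clients = {}  # token -> client name (constraint 3)
        self.buckets = {}  # token -> (requests left, time of last request)

    def issue(self, client):
        token = secrets.token_hex(32)  # 256 bits of randomness per client
        self.clients[token] = client
        return token

    def check(self, origin, authorization, now):
        """Return the HTTP status this request would receive."""
        if not origin_allowed(origin):
            return 403
        scheme, _, sent = (authorization or "").partition(" ")
        match = [t for t in self.clients
                 if hmac.compare_digest(t.encode(), sent.encode())]
        if scheme != "Bearer" or not match:
            return 401
        left, last = self.buckets.get(match[0], (BURST, now))
        left = min(BURST, left + (now - last) * RATE)  # refill since last call
        allowed = left >= 1
        self.buckets[match[0]] = (left - 1 if allowed else left, now)
        return 200 if allowed else 429
```

Because `null` and header-less requests pass the Origin step, the bearer token is the control that actually authenticates a caller; the allowlist only narrows which browser contexts can attempt a request.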
If you find a way around any of these constraints, please report it as a security issue — we’ll fix it within 48 hours and credit you (and pay a $500 bounty out of pocket until we have a formal bug bounty program at $5K MRR).
4. AGPL vs proprietary boundaries
The Contextpipe daemon source code is licensed under AGPL-3.0. The hosted Pro sync server is a separate proprietary service speaking the public, MIT-licensed protocol.
Explicit position on AGPL §13 (network-server source-disclosure):
AGPL §13 requires that anyone who runs a modified version of the daemon as a network service must offer the modified source. The hosted Pro sync server is not a modified daemon — it is a separate proprietary service that:
- Does not reuse, embed, or link AGPL daemon code.
- Speaks only the public sync protocol / schema, which will be published under MIT at schema/sync-protocol.md (repo coming soon).
- Receives only end-to-end encrypted blobs it cannot decrypt.
Therefore AGPL §13 does not require us to open-source the sync server.
If you disagree with this reading, please email legal@contextpipe.dev. We’re not lawyers; this is a pre-launch best-effort interpretation. The launch version will reflect counsel review.
5. Apple AX API platform risk + 3 fallback paths
Contextpipe’s primary path is Accessibility (AX) API. Microsoft’s Recall trust collapse and Apple’s track record (Microphone, Screen Recording) suggest Apple may tighten AX permissions in macOS 27/28 (12–18 month window).
We’ve designed 3 fallback paths so that even if AX is restricted, core dev-context capability survives at ≥70% coverage:
| Path | Coverage | Implementation status |
|---|---|---|
| A · Native IDE extensions (Cursor / VS Code / Zed / JetBrains) | Active editor / file / cursor / git workspace / selection / diagnostics | Coming Soon (in dogfooding) |
| B · Terminal shell integration (zsh / bash hooks) | Last command / exit code / working dir / recent output | Coming Soon |
| C · Browser extension + MCP bridge (Chrome / Safari / Arc / Firefox) | Active tab URL / title / selection / page metadata | Coming Soon |
This is a real engineering plan, not a marketing claim — the VS Code extension is currently in dogfooding ahead of launch.
6. What we’d do if we got a subpoena
We get asked: “What if a government / employer / attacker compels you to hand over my data?”
Free mode + BYOK: We have nothing to give. We don’t have your context, your prompts, your responses, or your API keys.
Pro mode with sync: We can be compelled to hand over:
- The encrypted blobs (useless without your Keychain key, which we don’t have)
- Metadata: account email, payment info, timestamps, blob sizes, device IDs
- IP logs (Cloudflare standard 30-day retention; we don’t add to that)
What we can’t be compelled to backdoor: The daemon is AGPL — any “secret” code addition would be detectable on the next release because the public source must match the shipping binary (reproducible build instructions coming soon).
7. Pre-launch external security review
Before launch, we’re seeking 1–2 independent security reviewers to publicly review this document and the daemon code. Goal: not to get a “Security Reviewed by ✅” badge for marketing — that would be Cargo Cult — but to lower the HN first-day trust cost by having external eyes confirm the claims here.
If you’re a macOS security researcher / dev tool security reviewer and willing to spend 4–8 hours on this for credit + a Lifetime founding seat ($59 founding tier — includes private Discord access, monthly 1-hour founder office hour, and name in the about page; limited to the first 100 founding members, available for 7 days after launch only): security@contextpipe.dev.
8. Reporting security issues
- Non-critical issues: email hi@contextpipe.dev (public GitHub issue tracker opens with the repo · coming soon)
- Critical / exploitable: security@contextpipe.dev (PGP key coming soon)
- Bounty: $500 out-of-pocket per confirmed issue until we have a formal program.
This document is the public source of truth for Contextpipe’s security and privacy model.