Security and privacy

What we capture, where it goes, and how to verify both.

PromptConduit records events from your AI coding assistant into a local file before anything else happens. Sending data anywhere requires an API key you create on purpose, and local_only mode disables sending permanently. This page describes the mechanism precisely, because "trust us" is not a security posture.

The event file is the contract

Every hook event becomes one JSON line in ~/.promptconduit/events.jsonl. That file is the complete record of what PromptConduit knows — there is no second, hidden stream. Open it. Grep it. Diff it before and after a session. The same bytes written there are the only bytes that can ever be uploaded.

Two kinds of data in every event

Enrichments are computed locally at capture time and are names and numbers only: branch and repo names, commit hashes, token counts, dollar costs, cache-hit rates, tool call names and durations, interrupt counts, permission decisions. Enrichments never contain your prompt text, tool inputs, or code. (One deliberate exception: the name of an invoked SKILL.md file.)

The raw event is the native payload your assistant hands to its hook system, kept intact so capture is lossless. Depending on the hook, it can include prompt text and tool inputs. It stays on your machine unless you configure sending, and team analytics are built from enrichments, not raw payloads.

Secrets are scrubbed at capture

Before an event is written to disk, well-known credential patterns are masked: Bearer tokens, OpenAI-style sk- keys, PromptConduit keys, AWS access key IDs, GitHub tokens, and any JSON field whose name looks like api_key, secret, token, or password. The scrub happens locally, before the file write, so the redacted form is the only form that ever exists on disk and therefore the only form that can sync. Pattern matching is bounded by the patterns it knows: a credential in an unfamiliar format passes through untouched, which is one more reason to read the file yourself.
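The two checks above ("open it, grep it" and "scrubbed before the write") can be exercised together. The following is an added illustration written for this page, not PromptConduit's code: a scrub-before-write routine for the credential families listed, followed by an independent audit that re-reads the written lines and reports anything that slipped through. The regexes, the [REDACTED] mask, the field names and the sample event are all assumptions constructed for the example; the real token formats and the real scrubber may differ.

```python
"""Added illustration: scrub-before-write, then audit the JSONL that was written.
Not PromptConduit's code; patterns, mask string and sample event are assumptions."""
import json
import re

MASK = "[REDACTED]"

# Approximations of the credential families the page names. Real token formats
# vary, so a production scrubber would carry a broader, tested pattern set.
SECRET_PATTERNS = [
    ("bearer", re.compile(r"(?<=Bearer )[A-Za-z0-9._~+/=-]{8,}")),
    ("openai", re.compile(r"\bsk-[A-Za-z0-9_-]{16,}")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("github", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}")),
]
# Field names whose string values are masked regardless of what they contain.
SENSITIVE_FIELD = re.compile(r"api[_-]?key|secret|token|password", re.IGNORECASE)

# Constructed sample event, shaped only loosely like a hook payload.
SAMPLE_EVENT = {
    "hook": "PreToolUse",
    "enrichment": {"repo": "acme/api", "branch": "main", "input_tokens": 812, "cost_usd": 0.0041},
    "raw": {
        "tool_input": {
            "command": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def' https://example.invalid",
            "env": {"OPENAI_API_KEY": "sk-" + "a" * 40, "AWS_ACCESS_KEY_ID": "AKIA" + "B" * 16},
        },
        "password": "hunter2",
        "github_token": "ghp_" + "c" * 36,
    },
}


def scrub_text(s):
    """Mask every credential pattern occurring inside a free-text string."""
    for _, pat in SECRET_PATTERNS:
        s = pat.sub(MASK, s)
    return s


def scrub(obj):
    """Recursively scrub a JSON-like value without mutating the input.
    Only *string* values under a sensitive field name are masked wholesale:
    numeric fields such as input_tokens are enrichments and must survive even
    though 'tokens' matches the name rule."""
    if isinstance(obj, dict):
        return {
            k: MASK if isinstance(v, str) and SENSITIVE_FIELD.search(k) else scrub(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


def to_jsonl_line(event):
    """Scrub first, then serialize: the redacted form is the only form that reaches disk."""
    return json.dumps(scrub(event), separators=(",", ":"))


def append_event(event, path):
    """Append one scrubbed event to a JSONL file (stand-in for ~/.promptconduit/events.jsonl)."""
    line = to_jsonl_line(event)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def _unmasked_fields(obj, path=""):
    """Paths of sensitive-named string fields whose value is not the mask."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if isinstance(v, str) and SENSITIVE_FIELD.search(k) and v != MASK:
                hits.append(p)
            else:
                hits.extend(_unmasked_fields(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(_unmasked_fields(v, f"{path}[{i}]"))
    return hits


def audit_jsonl(lines):
    """Independent check of what was actually written: re-run the pattern set over
    each raw line, then walk the parsed JSON for unmasked sensitive fields.
    Returns (line_no, finding) pairs; an empty list means nothing leaked."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((n, name))
        try:
            for p in _unmasked_fields(json.loads(line)):
                findings.append((n, "field:" + p))
        except json.JSONDecodeError:
            findings.append((n, "malformed-json"))
    return findings


def demo():
    """Audit the constructed sample before and after scrubbing."""
    before = [f for _, f in audit_jsonl([json.dumps(SAMPLE_EVENT)])]
    after = [f for _, f in audit_jsonl([to_jsonl_line(SAMPLE_EVENT)])]
    return {"before": before, "after": after}
```

Running audit_jsonl over the lines of a real events.jsonl is the grep from the previous section made precise: every finding names a line and either a credential family or the JSON path of an unmasked sensitive field. The one design decision worth copying is in scrub: masking by field name is applied only to string values, because token counts are legitimate numeric enrichments whose names collide with the rule.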

Nothing sends by default

When a team syncs

Connecting a team account uploads envelopes to api.promptconduit.dev over TLS, authenticated by your key. Event metadata lands in a queryable database; full payloads are stored in object storage, scoped to your account. Team dashboards (skills, patterns, costs, coaching trends) are computed from enrichment metadata. Deletion is supported through the app and the API. The CLI is open source, so the client half of every claim on this page, including what is scrubbed and what is uploaded, is inspectable; the server half is not, and rests on the account scoping and deletion controls described here.

Reporting

Found something? Email hello@promptconduit.dev and we'll respond quickly. Please don't file public issues for security reports.