Skip to content
Security & privacy
Tier-1 local-first security

Your Claude conversations never leave your computer.

No cloud. No telemetry. No account. Recall runs entirely on your laptop. Even we cannot see your sessions.

  • 100% on-device
    Nothing uploads, ever
  • Zero telemetry
    No analytics or tracking
  • Auto-redact secrets
    Keys scrubbed at ingest and paste
  • Three-layer defense
    Host, Origin, CSP enforced

How we block every known attack path

Three independent gates. Any one failure returns 403. No request reaches your sessions otherwise.

MaliciouswebsiteHostallowlistOrigincheckCSP+ sanitizeYoursessionsEvery request must pass all three layers. Any failure = instant 403.
  • 0
    Servers we run
  • 0
    Outbound calls
  • 127.0.0.1
    Only reachable from
  • Layered rebinding defense

Security & privacy

Hero above covers trust posture, four-layer rebinding defense, and the zero-network stats. Detail:

#Verifying it yourself

bash
lsof -iTCP -sTCP:LISTEN -P | grep recall                       # 127.0.0.1 only
sudo tcpdump -i any -n "host not 127.0.0.1 and not 0.0.0.0"    # zero outbound during use
curl -H "Host: attacker.com" 127.0.0.1:<port>/api/health       # 403 (rebinding blocked)
curl -H "Origin: https://evil.com" 127.0.0.1:<port>/api/stats  # 403 (cross-origin blocked)
ls -la ~/.recall/daemon.token                                  # mode 0600

#Auto-redaction at ingest

If you paste an API key into Claude Code mid-conversation, it lands in the JSONL at ~/.claude/projects/. Recall scrubs it at index time before SQLite or the search index see it.

Patterns scrubbed: Anthropic / OpenAI / AWS / GitHub / Stripe / Slack / Google keys, JWTs, SSH/RSA private keys, URLs with embedded passwords, assignment-style token= / api_key= secrets.

The original JSONL stays untouched; only the derived store is scrubbed. Retroactively scrub older sessions: recall index --force.

#Bug Patterns launcher (token-spend defense)

Four gates before a browser request can spend a token:

  1. Origin / Sec-Fetch-Site: rejects non-loopback origins
  2. Custom X-Recall-Launcher: 1 header: defeats simple-form-POST CSRF
  3. One-shot 60-second preflight token bound to the exact (project, model, limit, force) tuple
  4. Server ceilings: 500-session max per request, 1M tokens / 24h rolling, per-project lock

Audit log at ~/.recall/launcher-audit.log. Same combined budget covers extract-outputs and bug-pattern synthesis.

#What we deliberately don't build

  • No VS Code clipboard extension (compromised marketplace = global keylogger vector)
  • No global clipboard daemon (privilege-escalation magnet)
  • No telemetry, ever (we don't have the data because we don't ship the code)
  • No cloud sync by default (v0.8+ team-sharing will be opt-in, e2e encrypted)

#Pro license

Machine-bound (SHA-256 fingerprint of hostname/user/OS/arch). Three-device limit per key. Activation is one HTTPS call to clauderecall.com; signed JWT (ES256) works offline forever. No periodic phone-home, no heartbeat.

#XSS hardening

Every markdown render goes through DOMPurify with a strict allowlist. href and src forbidden. javascript: and data: URIs impossible by construction. Only class and title survive.

Last updated