Security and privacy
What we capture, where it goes, and how to verify both.
PromptConduit records events from your AI coding assistant into a local
file before anything else happens. Sending data anywhere requires an API
key you create on purpose, and local_only mode disables
sending permanently. This page describes the mechanism precisely, because
"trust us" is not a security posture.
The event file is the contract
Every hook event becomes one JSON line in
~/.promptconduit/events.jsonl. That file is the complete
record of what PromptConduit knows — there is no second, hidden stream.
Open it. Grep it. Diff it before and after a session. The same bytes
written there are the only bytes that can ever be uploaded.
Two kinds of data in every event
Enrichments are computed locally at capture time and are names and numbers only: branch and repo names, commit hashes, token counts, dollar costs, cache-hit rates, tool call names and durations, interrupt counts, permission decisions. Enrichments never contain your prompt text, tool inputs, or code. (One deliberate exception: the name of an invoked SKILL.md file.)
The raw event is the native payload your assistant hands to its hook system, kept intact so nothing is lossy. Depending on the hook, it can include prompt text and tool inputs. It stays on your machine unless you configure sending — and team analytics are built from enrichments, not raw payloads.
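One way to check the split described above against the file on disk, written as an added example (not PromptConduit's own code): the event layout with an "enrichment" object beside a "raw" object is an assumption, as are the field names, and the sample events are constructed. The audit flags any enrichment value that is not a name or number, or that contains text lifted from the raw prompt or tool input, with the documented SKILL.md-name exception allowed.

```python
import json

# Constructed sample event in an assumed two-part layout; the real on-disk
# field names are not documented on this page.
SAMPLE_EVENT = {
    "hook": "PreToolUse",
    "enrichment": {
        "repo": "acme/widgets",
        "branch": "feature/login",
        "commit": "0123456789abcdef0123456789abcdef01234567",
        "tool": "Bash",
        "duration_ms": 412,
        "input_tokens": 1830,
        "output_tokens": 96,
        "cost_usd": 0.0114,
        "cache_hit_rate": 0.62,
        "permission": "allow",
        "skill": "SKILL.md",
    },
    "raw": {
        "prompt": "Refactor the login handler and add rate limiting",
        "tool_input": {"command": "grep -rn 'def login' src/"},
    },
}

# Constructed counter-example: an enrichment that copies the prompt text.
LEAKY_EVENT = json.loads(json.dumps(SAMPLE_EVENT))
LEAKY_EVENT["enrichment"]["last_prompt"] = SAMPLE_EVENT["raw"]["prompt"]

# Two JSONL lines, as they would appear in ~/.promptconduit/events.jsonl.
SAMPLE_LINES = [json.dumps(SAMPLE_EVENT), json.dumps(LEAKY_EVENT)]


def _strings(node):
    """Yield every string nested anywhere in a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)


def enrichment_violations(event, allowed_text_keys=("skill",)):
    """Return enrichment keys that break the 'names and numbers only' rule.

    A value is flagged when it is a nested structure, looks like free text,
    or contains a non-trivial string taken from the raw payload. Keys in
    allowed_text_keys are exempt ('skill' covers the SKILL.md exception).
    """
    raw_text = [s for s in _strings(event.get("raw", {})) if len(s) >= 8]
    bad = []
    for key, value in event.get("enrichment", {}).items():
        if isinstance(value, (int, float, bool)):
            continue                      # token counts, costs, durations, rates
        if not isinstance(value, str):
            bad.append(key)               # nested data is neither a name nor a number
            continue
        if key in allowed_text_keys:
            continue
        if len(value) > 120 or "\n" in value:
            bad.append(key)               # too long or multi-line to be a name
            continue
        if any(s in value for s in raw_text):
            bad.append(key)               # raw prompt/tool text leaked into an enrichment
    return bad


def audit_event_log(lines):
    """Parse JSONL lines and return {line_number: [offending keys]} for leaking events."""
    findings = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        bad = enrichment_violations(json.loads(line))
        if bad:
            findings[n] = bad
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LINES with open("~/.promptconduit/events.jsonl") to audit a real log.
    print(audit_event_log(SAMPLE_LINES))
```

Run it over the real file by passing the file object in place of SAMPLE_LINES; an empty result means every enrichment on disk stayed within names and numbers.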
Secrets are scrubbed at capture
Before an event is written to disk, well-known credential patterns are
masked: Bearer tokens, OpenAI-style sk- keys,
PromptConduit keys, AWS access key IDs, GitHub tokens, and any
JSON field whose name looks like api_key,
secret, token, or password. The
scrub happens locally, before the file write — so the redacted form is
also the only form that can sync.
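An added example of the capture-time scrub described above, not the project's own implementation: it masks the listed pattern families and any field whose name looks like api_key, secret, token or password, then shows that the redacted line is what would reach disk. The OpenAI, AWS and GitHub shapes are their publicly known formats; the PromptConduit key format is not given on this page, so a pc_ prefix is assumed as a placeholder, and the sample event is constructed.

```python
import json
import re

# Pattern families this page says are masked before the file write.
# The "pc_" shape is an assumed placeholder for PromptConduit keys.
SECRET_PATTERNS = [
    re.compile(r"(?<=Bearer\s)[A-Za-z0-9._~+/=-]+"),   # HTTP bearer tokens (keeps the "Bearer " prefix)
    re.compile(r"sk-[A-Za-z0-9_-]{20,}"),              # OpenAI-style secret keys
    re.compile(r"pc_[A-Za-z0-9]{16,}"),                # assumed PromptConduit key shape
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # AWS access key IDs
    re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),          # GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
]
# Field names that trigger masking of the whole value. Anchored on _ / - so
# that "access_token" matches but a count such as "input_tokens" does not.
SENSITIVE_KEY = re.compile(r"(^|_|-)(api[_-]?key|secret|token|password)($|_|-)", re.IGNORECASE)
MASK = "[REDACTED]"


def scrub_string(s):
    """Mask every credential-shaped substring in one string value."""
    for pat in SECRET_PATTERNS:
        s = pat.sub(MASK, s)
    return s


def scrub(node):
    """Recursively mask secrets in a hook payload; numbers and bools pass through."""
    if isinstance(node, str):
        return scrub_string(node)
    if isinstance(node, list):
        return [scrub(v) for v in node]
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            if SENSITIVE_KEY.search(k) and isinstance(v, str):
                out[k] = MASK                 # masked by field name, whatever the value looks like
            else:
                out[k] = scrub(v)
        return out
    return node


def to_line(event):
    """Serialise an event as one JSONL line."""
    return json.dumps(event, separators=(",", ":"))


def write_event_line(event, fh):
    """Scrub first, then append: the redacted form is the only form on disk."""
    line = to_line(scrub(event))
    fh.write(line + "\n")
    return line


def find_unmasked_secrets(line):
    """Audit helper for events.jsonl: return credential-shaped hits still present in a line."""
    return [m.group(0) for pat in SECRET_PATTERNS for m in pat.finditer(line)]


# Constructed sample payload, not a real capture. Values are deliberately fake.
SAMPLE_RAW_EVENT = {
    "hook": "PreToolUse",
    "tool_input": {
        "command": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig' https://api.example.test",
        "env": {"OPENAI_API_KEY": "sk-" + "a" * 40, "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE00"},
    },
    "password": "hunter2",
    "input_tokens": 1830,
}


if __name__ == "__main__":
    import sys
    line = write_event_line(SAMPLE_RAW_EVENT, sys.stdout)
    print("unmasked hits after scrub:", find_unmasked_secrets(line))
```

Pointing find_unmasked_secrets at each line of the real events.jsonl is the check this page invites: a non-empty result is a pattern the scrub missed, and a scrubbed line is byte-for-byte the only thing that could ever be uploaded.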
Nothing sends by default
- No API key → no network. A missing key is the normal free state, not an error. Capture works fully offline.
- local_only: true (or PROMPTCONDUIT_LOCAL_ONLY=1) forces local mode even if a key is present.
- PROMPTCONDUIT_EVENT_LOG=0 turns off the local log itself.
- promptconduit uninstall removes the hooks entirely.
When a team syncs
Connecting a team account uploads envelopes to
api.promptconduit.dev over TLS, authenticated by your key.
Event metadata lands in a queryable database; full payloads are stored in
object storage, scoped to your account. Team dashboards — skills,
patterns, costs, coaching trends — are computed from enrichment metadata.
Deletion is supported through the app and the API, and the CLI is open
source, so the client half of every claim on this page is
inspectable.
Reporting
Found something? Email [email protected] and we'll respond quickly. Please don't file public issues for security reports.