-
Notifications
You must be signed in to change notification settings - Fork 1
Security Model
slipstream runs entirely on your machine. There is no account, no telemetry, no remote service. This page is honest about what that means and what it does not.
- The helper and the MCP server are local Node processes Claude Code spawns. They read your project and write under
.claude/slipstream/. They make no network calls. - The dashboard server binds
127.0.0.1on a free port (src/dashboard/server.ts). It is reachable only from your machine. There is no0.0.0.0bind and no auth, because the threat model is a local-only loopback service, not an exposed one. If you forward the port or run in a shared environment, that assumption changes; do not.
The dashboard activity stream can carry tool inputs, and a tool input can contain a token or a connection string. Even though the stream is local, you might screen-share the dashboard, so slipstream redacts before an event ever reaches disk (redactSecrets in src/dashboard/events.ts). The patterns it masks:
- Bearer tokens and authorization headers.
- Common provider key prefixes:
sk_,pk_,rk_,ghp_,github_pat_,xoxb, and others. - AWS access key ids (
AKIA...). -
KEY=,TOKEN=,SECRET=,PASSWORD=style assignments. - Connection strings with inline credentials (
scheme://user:pass@host).
%%{init: {'theme':'base','themeVariables':{'primaryColor':'#0d1117','primaryTextColor':'#f5f7fa','primaryBorderColor':'#38bdf8','lineColor':'#22d3ee','fontFamily':'monospace'}}}%%
flowchart LR
Hook[hook reads tool input] --> Make[makeEvent]
Make --> Redact[redactSecrets + redactData]
Redact --> Disk[(append-only log)]
Disk --> UI[dashboard]
makeEvent is the only way to construct an event, and it always redacts, so a caller cannot accidentally skip it. This is blunt by design. It masks things that are not secrets before it lets a real one through, which is the safe direction. Do not treat it as a vault; it is a screen-share guard.
- It never sends your code, prompts or memories anywhere. If it phoned home it would not be slipstream.
- It never executes a skill's verification command for you; the agent runs gates, and you see them.
- Everything is written under your project only, all under
.claude/slipstream/: thePreCompactdigest and the memory store, the auto-captured observations, the budget.json control and the savings.json optimization tally. Add.claude/slipstream/to.gitignoreto keep them off the remote (slipstream's own.gitignorealready does, anywhere in the tree), or commitmemory/deliberately if you want to share durable facts with your team. - Observations are derived from the dashboard event log, which is already redacted, so the same masking covers the observation memory — a secret never reaches an observation either. The optimization tally records only byte counts, never content.
The sp-reviewer subagent (Subagents) greps the diff for the same leak shapes before a push and fails the review if it finds one committed to the tree. That is a pre-push guardrail, not a substitute for a real secret scanner in CI.
The sp-schema subagent and the supabase-rls skill default to deny: a table with RLS enabled and no policy denies all access. That is the safe starting point slipstream encourages for any table holding user data.
- Live agent dashboard for the local-only server.
- Data formats for the redacted event shape.
- Subagents for sp-reviewer's scan.
SarmaLinux . sarmalinux.com . Repository
Start here
Install paths
v0.6.0 features
- Map watcher
- Token forecast
- Replay export
- Configurable redaction
- Drift detection
- Per-skill opt %
- CI mode
- Lessons
Headline features
- MCP tools
- Observation memory & search
- Cross-IDE support
- Lossless compaction
- Memory recall
- Live agent dashboard
- Statusline
- Output style
- Subagents
Token efficiency
Skills
Internals
- Architecture
- Memory system
- Hooks
- Mind map and status
- Configuration and tuning
- Data formats
- Performance and benchmarks
- Design decisions
- Security model
- Testing strategy
Reference
SarmaLinux . sarmalinux.com