- No phone-home logic exists anywhere in this repository.
- Decisions are deterministic and auditable from policy plus event logs.
- Content inspection is opt-in and bounded by host integration choices.
- Run the local dashboard on a Unix socket or named pipe when possible.
- If exposing localhost WebSocket control, bind only to loopback and require an unguessable session token.
- Use allowlist or strict mode for high-risk workloads.
- Treat system-hook integrations as privileged code paths requiring independent review.
The Rust core chains each event digest to the previous event’s digest. Exported JSONL records include the chain value so users can verify tampering.