Local-first source boundary
Local compiler, validator, proof, and stdio MCP workflows run on the user's machine. Hosted source handling is disclosed at the point where a user chooses a hosted workflow.
public trust center
Security claims should be inspectable. This page maps the public controls, automated gates, privacy boundaries, and disclosure paths that protect the open-source and hosted product.
Local compiler, validator, proof, and stdio MCP workflows run on the user's machine. Hosted source handling is disclosed at the point where a user chooses a hosted workflow.
Portable receipts and product-learning events are designed around diagnostic codes, outcomes, evidence classes, coarse environment data, and hashes rather than project source, prompts, file paths, or credentials.
JavaScript, Python, and Worker dependencies are audited in CI. Publishable npm, wheel, and source-distribution artifacts are validated before release.
Production protocol checks verify the public MCP endpoint, tool and prompt inventory, supported protocol versions, and release identity after deployment.
Cloud account, usage, billing, and session responses use private no-store caching. Session tokens stay in HttpOnly cookies and state-changing requests require CSRF validation.
Security reports go to security@axint.ai instead of public issues. The project publishes supported release lines and a dependency exception policy.