public trust center

The controls behind the proof.

Security claims should be inspectable. This page maps the public controls, automated gates, privacy boundaries, and disclosure paths that protect the open-source and hosted product.

Local-first source boundary

Local compiler, validator, proof, and stdio MCP workflows run on the user's machine. Hosted source handling is disclosed at the point where a user chooses a hosted workflow.

Source-free receipts and learning

Portable receipts and product-learning events are designed around diagnostic codes, outcomes, evidence classes, coarse environment data, and hashes rather than project source, prompts, file paths, or credentials.

Dependency and artifact gates

JavaScript, Python, and Worker dependencies are audited in CI. Publishable npm, wheel, and source-distribution artifacts are validated before release.

Hosted runtime parity

Production protocol checks verify the public MCP endpoint, tool and prompt inventory, supported protocol versions, and release identity after deployment.

Private account responses

Cloud account, usage, billing, and session responses use private no-store caching. Session tokens stay in HttpOnly cookies and state-changing requests require CSRF validation.

Coordinated disclosure

Security reports go to security@axint.ai instead of public issues. The project publishes supported release lines and a dependency exception policy.