Security and Data Boundaries
Understand what stays local, what is shared, and how to operate safely.
Boundary model
Local artifacts
.amem, .avis, and .acb artifacts are generated and managed in your local/runtime environment unless you explicitly export or sync.
Client configs
MCP config files live in local desktop/runtime config paths and should be treated as operational credentials.
Operational logs
Health ledgers and runtime diagnostics can expose workflow metadata; protect and rotate as needed.
Controlled sharing
Share only required artifacts and scrub sensitive context before publishing traces or benchmarks.
Minimum hardening checklist
- store backup directories on encrypted storage
- protect config files with least-privilege permissions
- rotate tokens or credentials referenced by MCP surfaces
- separate personal and production artifacts
- avoid posting raw logs publicly without review
Recommended operating practice
Permission hardening
Example baseline for private backup directories and config files.
chmod 700 "$HOME/.agentra-backups"
chmod 700 "$HOME/.claude"
chmod 600 "$HOME/.claude/mcp.json" 2>/dev/null || true
Public sharing caution
Screenshots and copied CLI logs can leak paths, hostnames, and operational context. Review before posting in issues or social channels.
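Verifying the permission baseline above (an added example, not part of the original page or the project's own tooling): a POSIX shell audit that flags any of the three paths whose mode grants bits beyond 700 or 600. The function names `mode_of`, `check_path` and `audit_baseline` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the chmod baseline from "Permission hardening".

# Print the octal mode of a path, following symlinks as chmod does
# (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# check_path PATH MAX_MODE
# Returns 0 if PATH is absent or grants nothing beyond MAX_MODE, 1 otherwise.
check_path() {
    if [ ! -e "$1" ]; then
        echo "SKIP  $1 (not present)"
        return 0
    fi
    cp_mode=$(mode_of "$1") || { echo "FAIL  $1 (cannot stat)"; return 1; }
    # Any bit set in the actual mode but not in the baseline is excess access.
    if [ $(( 0$cp_mode & ~0$2 & 07777 )) -ne 0 ]; then
        echo "FAIL  $1 mode $cp_mode exceeds $2"
        return 1
    fi
    echo "OK    $1 mode $cp_mode"
}

# audit_baseline [HOME_DIR]
# Checks the three paths the baseline covers; returns 1 on any drift.
audit_baseline() {
    ab_home=${1:-$HOME}
    ab_rc=0
    check_path "$ab_home/.agentra-backups" 700 || ab_rc=1
    check_path "$ab_home/.claude" 700 || ab_rc=1
    check_path "$ab_home/.claude/mcp.json" 600 || ab_rc=1
    return $ab_rc
}

audit_baseline "$@" || echo "Baseline drift found; re-apply the chmod commands."
```

A mode stricter than the baseline (for example 400 on `mcp.json`) passes, since only excess bits are reported.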