Security — local-first, you in control

Agentry is local-first by construction. Your memory and run state are plain local files and a local database; the Workbench is localhost-only. Nothing leaves the machine without an action you can see and stop. It's MIT and pre-1.0 — we'd rather under-claim.

Local-first by construction

The parts of Agentry that hold your data run on your machine. There is no Agentry service to sign in to and no backend that sees your work:

  • Memory is a local stdio MCP backed by node:sqlite — a file on disk. There is no network service and no external database; the memory server talks to Claude Code over stdio, not over a socket.
  • The Workbench is localhost-only, bound to 127.0.0.1:4317. It isn't exposed to your network; it's a local view of local files.
  • Flow run state is plain local files under .agentry/work/. The files are the source of truth — there's no remote of record.
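One way to check the loopback-only bind on a Linux host, as an added example that is not part of Agentry. The function name check_loopback_only and the sample listener tables are constructed for illustration, and the parser assumes the column layout printed by iproute2's ss -ltn.

```shell
#!/bin/sh
# Added example, not Agentry code. Reads `ss -ltn`-style lines on stdin and
# checks every TCP listener on the given port.
# Exit status: 0 = loopback only, 1 = reachable off-host, 2 = no listener.
check_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # e.g. 127.0.0.1:4317 or [::1]:4317
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # other ports are out of scope
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) next
            print "exposed: " addr             # wildcard or routable bind
            bad = 1
        }
        END { if (bad) exit 1; if (!seen) exit 2; exit 0 }
    '
}

# Constructed sample: the Workbench port bound to loopback, as documented.
sample_loopback() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     127.0.0.1:4317      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

# Constructed sample: the same port on a wildcard bind, which should be flagged.
sample_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:4317        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
EOF
}

sample_loopback | check_loopback_only 4317 && echo "sample 1: loopback only"
sample_exposed  | check_loopback_only 4317 || echo "sample 2: reachable off-host"
# Live check on a Linux host: ss -ltn | check_loopback_only 4317
```

A status of 2 means nothing is listening on the port, which is the expected result when the Workbench is not running.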

You stay in control of what leaves the machine

Agentry runs inside Claude Code, so outward and irreversible actions — running a command, writing a file, opening a PR — go through Claude Code's permission prompts. The agent proposes; you approve. Nothing irreversible happens silently on your behalf.

See Permissions for how approvals work, including relaying an approval from the Workbench.

Channels are a flagged research preview

The live Channels layer is gated behind a deliberate consent flag — it does not load unless you launch with it:

--dangerously-load-development-channels plugin:agentry@agentry-dev

The dangerously- prefix is intentional. The flag is a consent gate: live push between a human and the agent is opt-in, and without the flag everything falls back to the async file-watch loop.

No telemetry, no analytics backend

This documentation site is static — there's no analytics or telemetry backend behind it collecting what you read or do. The embedded self-eval dashboard is a static, pre-rendered view of a run that already happened; it doesn't phone home.

Maturity — say it plainly

Agentry is MIT-licensed and pre-1.0. The posture above describes how it's built today, not a security guarantee or a certification. Treat the agent like any tool with access to your machine: review what it proposes, and keep the irreversible actions behind a prompt you read.