Kairi is architected with a strict Local-First, Privacy-First Guarantee:
- Zero Cloud Data Telemetry: Your conversation histories, code files, memories (
kv_store.json), and API keys stay 100% on your local disk. - Bring Your Own Key (BYOK): Kairi communicates exclusively and directly with official model providers (Anthropic, OpenAI, Google Gemini, DeepSeek, local Ollama) using your own API keys. No third-party proxy servers collect your credentials.
- Supply-Chain & Shell Execution Shield: Package installation operations enforce
--ignore-scriptsto neutralize malicious pre/post-install hooks. Sensitive shell commands require Human-In-The-Loop (HITL) approval. - Atomic Configuration Storage: All critical configuration writes utilize atomic file replacement (
tempfile.mkstemp+os.replace) to prevent file corruption during sudden system shutdowns.
If you discover a security vulnerability within Kairi, please do not disclose it publicly on public issue trackers. Instead:
- Open a Private Security Advisory on our GitHub repository under the Security tab, or
- Contact our maintainers directly.
We treat security disclosures with the highest priority and aim to acknowledge reports within 48 hours.