
Privacy guarantees

Local mode is designed so you can audit it. This page lists exactly what the gateway does and does not send over the network.

What leaves your machine

When local mode is running, the only outbound network traffic the gateway initiates is:

  1. The LLM API call. To the provider you configured (Anthropic, OpenAI, etc.). Over HTTPS.
  2. Optional embedding API calls. Only if you set VOYAGE_API_KEY or OPENAI_API_KEY AND have mcp-optimizer or semantic-cache in your pipeline. Disable by leaving these env vars unset — the gateway falls back to an offline stub embedder.

That’s it.

What does not leave your machine

What’s stored on disk

~/.prxy/
├── state.db         ← Local database file (encrypted-at-rest module planned)
├── blob/            ← Compressed conversation archives
└── config.yaml      ← Optional pipeline config

Delete this directory and all state is gone — patterns, caches, archives, everything.

Audit checklist

You can verify the privacy claims yourself:

# 1. Run the container
docker run -d --name prxy-audit -p 127.0.0.1:3099:3099 \
  -v /tmp/prxy-audit:/data \
  -e ANTHROPIC_API_KEY=fake-key-for-audit \
  prxymonster/local:latest
 
# 2. Capture container's outbound traffic
docker exec prxy-audit sh -c 'apk add --no-cache tcpdump 2>/dev/null || true'
# (Or use the host's tcpdump on the docker bridge interface)
 
# 3. Make a request — the only outbound packet should be to api.anthropic.com
curl -X POST http://127.0.0.1:3099/v1/messages \
  -H 'Authorization: Bearer x' \
  -H 'Content-Type: application/json' \
  -d '{"model":"claude-sonnet-4-6","max_tokens":50,"messages":[{"role":"user","content":"hi"}]}'
 
# 4. Confirm: no other outbound destinations

You’ll see one HTTPS connection to api.anthropic.com:443. No other traffic.
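An added example (not prxy.monster's own tooling) for step 4: it reads the text output of `tcpdump -nn` captured on a single interface and prints every destination the container contacted that is not on your allowlist. The capture lines, the container address 172.17.0.2 and the peer addresses are constructed, and the function name `unexpected_egress` is hypothetical. The resolver is part of the allowlist because the DNS lookup for the provider hostname is itself outbound traffic.

```shell
#!/bin/sh
# Added example, not prxy.monster code. Input: `tcpdump -nn` text lines (IPv4,
# single interface). All addresses below are constructed sample values.
SAMPLE_CAPTURE='12:00:01.100000 IP 172.17.0.2.53321 > 192.0.2.53.53: 4242+ A? api.anthropic.com. (34)
12:00:01.120000 IP 192.0.2.53.53 > 172.17.0.2.53321: 4242 1/0/0 A 198.51.100.10 (50)
12:00:01.130000 IP 172.17.0.2.41234 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.150000 IP 198.51.100.10.443 > 172.17.0.2.41234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000000 IP 172.17.0.2.41300 > 203.0.113.77.443: Flags [S], seq 5, win 64240, length 0
12:00:02.500000 IP 172.17.0.2.41234 > 198.51.100.10.443: Flags [P.], seq 2:519, ack 10, win 502, length 517'

# unexpected_egress SRC_IP ALLOWED_IP:PORT...
# Prints each distinct ip:port that SRC_IP opened a TCP connection to, or sent
# any non-TCP datagram to, and that is not in the allowlist.
unexpected_egress() {
    src=$1; shift
    awk -v src="$src" -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "IP" && $4 == ">" {
        # Addresses look like a.b.c.d.port; the last dot separates the port.
        s = $3; sub(/\.[0-9]+$/, "", s)
        if (s != src) next                      # only traffic sent by the container
        d = $5; sub(/:$/, "", d)
        port = d; sub(/^.*\./, "", port)
        ip = d; sub(/\.[0-9]+$/, "", ip)
        # For TCP, count only the initial SYN so each connection is seen once.
        if ($6 == "Flags" && $7 != "[S],") next
        dest = ip ":" port
        if (!(dest in ok) && !(dest in seen)) { seen[dest] = 1; print dest }
    }'
}

# Allow the provider endpoint and the resolver; prints 203.0.113.77:443
printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_egress 172.17.0.2 198.51.100.10:443 192.0.2.53:53
```

An empty result means every connection in the capture went to an allowlisted destination. Resolve the provider hostname at capture time to build the allowlist, since its addresses can change between runs.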

Embeddings and the offline stub

mcp-optimizer and semantic-cache need to embed text. Two paths:

With provider keys (highest quality, network call):

-e VOYAGE_API_KEY=pa-xxx
# OR
-e OPENAI_API_KEY=sk-xxx

Without keys (fully offline, lower quality):

For privacy-critical workloads, the trade-off is usually worth it.

Encrypted at rest (planned)

The planned local-encrypt module will encrypt the local database with a user-supplied passphrase. Today the local data volume is plaintext on disk; if you need encryption now, use full-disk encryption (FileVault, LUKS, BitLocker).

Network egress hardening

For the truly paranoid, run the container in a network namespace that only allows traffic to your chosen provider:

# (Linux) Create a netns and restrict egress to api.anthropic.com only
# This is your firewall's job — the gateway respects whatever rules you set.

When the planned airgap module ships, you’ll be able to enforce the same restriction at the gateway layer (rejecting outbound calls to anything other than the configured provider).

No third party — including us — can decrypt your data, recover your patterns, or see your prompts in local mode. The trust model is exactly the same as running any other open-source binary.
