Your code and data stay on your machine.

KB Labs is on-prem first, open source end-to-end, and never sends data without your explicit consent. Verify everything yourself in the source.

On-prem by default

KB Labs runs entirely on your infrastructure. No cloud dependency, no data leaving your network. You control where your code, workflow state, and logs are stored.

Consent-first data sharing

Nothing is sent externally without explicit user consent. The CLI installer asks before every network call. Demo mode offers three choices: gateway proxy, local only, or bring your own API key.

Open source & auditable

The entire platform is open source. Every line of code is auditable. No black boxes, no hidden telemetry, no trust-us-it's-safe. Verify yourself.

What we do today

How we protect your data and infrastructure right now.

Plugin sandboxing

Plugins declare capabilities upfront in their manifest. The runtime enforces boundaries — a plugin cannot access resources outside its declared scope. Execution modes include in-process and subprocess isolation.

Gateway authentication

The Gateway uses JWT-based authentication with device-scoped tokens. Credentials are generated per device, stored locally (file permissions 0600), and never shared across users.

No telemetry without opt-in

CLI telemetry is disabled by default. When enabled, we collect only anonymous usage statistics (OS, version, install duration). No source code, file names, or credentials are ever collected.

Dependency management

Every dependency is pinned and checked on every build across the entire monorepo: import analysis, export analysis, duplicate detection — all automated through DevKit tooling we use ourselves.

Config file security

Platform configuration files containing credentials are written with restricted permissions (0600). API keys and secrets are never logged or included in telemetry events.

Demo mode transparency

In demo mode, only git diffs are sent for AI review — never full source code. The Gateway is a pass-through proxy: no content is stored or logged. Only token counts are tracked for rate limiting.

Compliance roadmap

Open SourceAvailable

MIT-licensed. Full source code available on GitHub for audit and contribution.

DPAAvailable

Data processing agreement available on request for organizations that require it.

RBAC & SSOIn progress

Role-based access control and SSO (SAML/OIDC) planned for Enterprise tier.

SOC 2 Type IIIn progress

Planned as the platform matures. We are aligning controls and documenting processes now.

Questions about security?

We believe in transparency. Ask us anything — no NDA required for honest answers.