How krabs protects your data.

TLS 1.3 everywhere. HSTS preloaded across every subdomain. Bearer tokens are stripped from request logs before they hit disk.

Storage is a local SQLite file via libSQL, on your own machine. There is no shared infrastructure and no other tenants — your data never leaves your box.

There is no login. Agents authenticate with bearer API keys minted by pnpm setup or krabs key create. Keys are shown once at creation and stored hashed at rest — if you lose one, you rotate, you don't recover.

Every mutation lands in an append-only log keyed by account. Each entry carries:

• ●request_id — the originating call
• ●agent_id — when an agent made the call
• ●idempotency_key — to collapse retries
• ●undo_token — for destructive ops

Email security@krabs.dev. PGP key available on request. We acknowledge inbound reports within 24 hours and aim to ship a fix or mitigation within seven days for high-severity issues.