Security Architecture

How KWJ handles credentials, tool isolation, and your data.

MCP Isolation

Each tool runs as a separate process. The MCP bridge (custom-mcp) enforces strict tool boundaries. No tool can access another tool's data or credentials.

Tool calls are routed deterministically — each MCP verb maps to exactly one binary with its own process space. There is no shared memory or shared credential context between tools.
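As an added illustration (not KWJ's custom-mcp code), the sketch below shows the two properties the paragraph describes: a verb resolves to exactly one argv prefix and nothing else, and the child process receives a freshly built environment rather than inheriting the dispatcher's. The routing table, the allow-listed variable names and the argv shape are assumptions; the page does not document the tools' command-line syntax.

```python
"""Deterministic verb-to-binary routing with a scrubbed environment.
Added example, not KWJ's custom-mcp code; ROUTES and ALLOWED_ENV are assumptions."""
import os
import subprocess
import sys
from typing import Dict, List, Mapping, Optional, Sequence

# One verb -> exactly one argv prefix. Binary names are the page's tool names;
# their CLI syntax is not documented here, so the argv shape is an assumption.
ROUTES: Dict[str, List[str]] = {
    "bash": ["custom-bash"],
    "browser": ["custom-browser"],
    "context": ["custom-context"],
    "digest": ["custom-digest"],
}

# Only these parent variables reach a tool process; anything else (API keys,
# vault passphrases, other tools' settings) is dropped rather than inherited.
ALLOWED_ENV = ("PATH", "HOME", "LANG", "TMPDIR")


def scrubbed_env(parent: Mapping[str, str]) -> Dict[str, str]:
    """Return a fresh environment containing only allow-listed variables."""
    return {k: v for k, v in parent.items() if k in ALLOWED_ENV}


def route(verb: str, routes: Mapping[str, Sequence[str]] = ROUTES) -> List[str]:
    """Resolve a verb to its single argv prefix; unknown verbs are rejected."""
    if verb not in routes:
        raise KeyError(f"unknown MCP verb {verb!r}: refusing to route")
    return list(routes[verb])


def dispatch(
    verb: str,
    args: Sequence[str],
    routes: Mapping[str, Sequence[str]] = ROUTES,
    parent_env: Optional[Mapping[str, str]] = None,
    timeout: float = 30,
) -> subprocess.CompletedProcess:
    """Run the tool for `verb` as a separate process with a scrubbed environment."""
    argv = route(verb, routes) + list(args)
    env = scrubbed_env(os.environ if parent_env is None else parent_env)
    # A separate process: no shared memory with the dispatcher or other tools.
    return subprocess.run(argv, env=env, capture_output=True, text=True,
                          check=False, timeout=timeout)


def probe_routes() -> Dict[str, List[str]]:
    """Constructed stand-in route for local testing: a Python one-liner that
    reports whether a secret variable leaked into the child environment."""
    return {"probe": [sys.executable, "-c",
                      "import os; print(os.environ.get('VAULT_PASSPHRASE', 'absent'))"]}


if __name__ == "__main__":
    result = dispatch("probe", [], routes=probe_routes(),
                      parent_env={"PATH": "/usr/bin", "VAULT_PASSPHRASE": "hunter2"})
    print("child saw VAULT_PASSPHRASE:", result.stdout.strip())  # "absent"
```

The allow-list is deliberately short; the safer default when extending it is to pass tool-specific settings as explicit arguments or files rather than widening what every child inherits.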

Credential Storage

Credentials are encrypted with AES-256-GCM using keys derived via Argon2id (memory-hard, side-channel resistant). Every credential read is logged to an append-only audit trail stored locally on your machine.

Credentials are never logged or transmitted in plaintext. The encryption key is derived from a passphrase you control and is never sent to KWJ servers.
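To make the three mechanisms named above concrete (a passphrase-derived key, AES-256-GCM encryption, and an append-only audit trail of credential reads), here is an added example that is not KWJ's code. It keeps the vault in memory and uses the `cryptography` package for AES-GCM; Argon2id comes from `argon2-cffi` when that package is present, and the code falls back to scrypt, plainly labelled as a stand-in, when it is not. The Argon2 parameters, the audit entry fields and the hash-chaining scheme are my assumptions, not a description of KWJ's format.

```python
"""Passphrase-derived key, AES-256-GCM, and a hash-chained append-only audit
trail for credential reads. Added example, not KWJ's implementation."""
import hashlib
import json
import os
import time
from typing import Dict, List, Optional, Tuple

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    # Preferred path: real Argon2id via argon2-cffi.
    from argon2.low_level import Type, hash_secret_raw

    def derive_key(passphrase: bytes, salt: bytes) -> bytes:
        # Cost parameters are illustrative assumptions; tune for the target machine.
        return hash_secret_raw(passphrase, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=4, hash_len=32, type=Type.ID)
except ImportError:
    # Stand-in when argon2-cffi is absent: scrypt is memory-hard too, but it is
    # NOT Argon2id. Install argon2-cffi to match the primitive named on the page.
    def derive_key(passphrase: bytes, salt: bytes) -> bytes:
        return hashlib.scrypt(passphrase, salt=salt, n=2 ** 15, r=8, p=1, dklen=32)


def _entry_hash(entry: dict) -> str:
    """Canonical SHA-256 over an audit entry (sorted keys for determinism)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class Vault:
    """In-memory credential store: each secret is AES-256-GCM encrypted under a
    key derived from the user's passphrase; every read is appended to a
    hash-chained log so deletions or edits of earlier entries are detectable."""

    def __init__(self, passphrase: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)      # random per vault, stored next to the data
        self._aead = AESGCM(derive_key(passphrase.encode(), self.salt))
        self._entries: Dict[str, Tuple[bytes, bytes]] = {}
        self.audit: List[dict] = []              # append-only: never edited in place

    def store(self, name: str, secret: bytes) -> None:
        nonce = os.urandom(12)                   # fresh 96-bit nonce for every encryption
        # The credential name is bound as associated data, so a ciphertext copied
        # under a different name fails authentication instead of decrypting.
        self._entries[name] = (nonce, self._aead.encrypt(nonce, secret, name.encode()))

    def read(self, name: str, caller: str) -> bytes:
        self._log("read", name, caller)          # logged before decrypt: failed attempts count too
        nonce, ciphertext = self._entries[name]
        return self._aead.decrypt(nonce, ciphertext, name.encode())

    def _log(self, action: str, name: str, caller: str) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "ts": time.time(), "action": action,
                 "name": name, "caller": caller, "prev": prev}
        entry["hash"] = _entry_hash(entry)       # hash covers the previous hash -> a chain
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")          # constructed passphrase
    vault.store("github_token", b"ghp_constructed_example_value")
    vault.read("github_token", caller="custom-bash")
    print("audit chain intact:", vault.verify_audit())      # True
```

Two details worth keeping when adapting this: the salt and the audit log must be persisted with the same durability as the ciphertexts (a lost salt makes the vault unrecoverable), and the chain only detects tampering by someone without write access to the log's head; pairing the latest hash with an external timestamp or a second copy closes that gap.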

What we DO execute

KWJ tools that execute code or shell commands on your machine:

Executes locally

  • custom-bash — runs cached shell commands with your session permissions
  • custom-browser — drives a real Chromium instance via CDP on your machine
  • custom-context — reads files from your local filesystem (outline + slice only)
  • custom-digest — pipes command output through a local summarizer

These run with the same OS permissions as your Claude Code session. KWJ does not escalate privileges.

What we DON'T do

Never

  • No inbound connections — KWJ tools do not open ports or accept connections
  • No background data collection — tools run only when invoked
  • No telemetry without consent — usage is logged locally for your own review
  • No credential exfiltration — vault keys never leave your machine

Compliance

GDPR-compliant data handling. All data is stored on your machine or your chosen backends — KWJ holds no user data on its servers beyond your API key and anonymous usage counts.

You can request deletion of your account and API key at any time by emailing security@kwj.ai.

Contact

Found a security issue? Email security@kwj.ai. We respond within 24 hours and follow responsible disclosure.