Security Policy
Last updated: May 22, 2026
ClaurixTerm handles SSH credentials and AI API keys — material an attacker would love to have. This page explains what we do to keep them on your machine, and how to tell us if you find a hole.
1. Defaults that protect you
- Local-first. No accounts, no central database. The app cannot leak credentials it never receives.
- Encrypted at rest. SSH passwords, private keys, AI API keys and command history are stored encrypted in the OS keychain (Windows Credential Manager / macOS Keychain / libsecret on Linux) or, where unavailable, in an encrypted blob in the app-data directory.
- No telemetry. The app does not phone home with usage data, error reports or identifiers. The only outbound request to our infrastructure is the periodic update-manifest fetch from claurix.com/latest.json (just a JSON file, no payload).
- Host fingerprint pinning. First-connect SSH host keys are pinned locally; mismatches block the connection and require explicit confirmation (same model as OpenSSH's known_hosts).
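As an added illustration, not ClaurixTerm's own code (which this page does not show), the following Python models the trust-on-first-use pinning the bullet above describes: the first key seen for a host and port is recorded, later connections compare the SHA256 fingerprint against the pin, and a mismatch is reported to the caller so the connection can be blocked until the user explicitly confirms the new key. The host names and key bytes are constructed sample values, and the store is in-memory rather than the OS keychain.

```python
import base64
import hashlib
from typing import Dict, List

# Constructed sample "public keys" (not any real server's key material) so the
# example runs offline; in practice this would be the raw key bytes from the
# SSH key-exchange.
SAMPLE_KEYS = {
    "example-host-a": b"ssh-ed25519 constructed-key-A",
    "example-host-b": b"ssh-ed25519 constructed-key-B",
}


def fingerprint(public_key: bytes) -> str:
    """SHA256 fingerprint in the 'SHA256:<unpadded base64>' form OpenSSH prints."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Minimal trust-on-first-use pin store keyed by 'host:port'."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, port: int, presented_key: bytes) -> str:
        """Classify a presented host key against the local pin.

        Returns:
          'pinned'   - no pin existed; the fingerprint is recorded (first connect)
          'match'    - presented key equals the stored pin
          'MISMATCH' - presented key differs; the caller must block the connection
                       and require explicit user confirmation before proceeding.
        A mismatch never overwrites the stored pin on its own.
        """
        key_id = f"{host}:{port}"
        fp = fingerprint(presented_key)
        stored = self._pins.get(key_id)
        if stored is None:
            self._pins[key_id] = fp
            return "pinned"
        if stored == fp:
            return "match"
        return "MISMATCH"

    def accept_new_key(self, host: str, port: int, presented_key: bytes) -> None:
        """Explicit-confirmation path: replace the pin only after the user has
        verified the new fingerprint out of band (e.g. with the server admin)."""
        self._pins[f"{host}:{port}"] = fingerprint(presented_key)


def demo() -> List[str]:
    """Walk through first connect, a repeat connect, and a changed host key."""
    store = HostKeyStore()
    results = []
    results.append(store.check("example-host-a", 22, SAMPLE_KEYS["example-host-a"]))
    results.append(store.check("example-host-a", 22, SAMPLE_KEYS["example-host-a"]))
    # Same host, different key: this is what a MITM or a re-provisioned server
    # looks like to the client, and it must not be silently accepted.
    results.append(store.check("example-host-a", 22, SAMPLE_KEYS["example-host-b"]))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The design point worth noting is that `check` records a pin only when none exists and never replaces one on a mismatch; changing the pin goes through a separate, deliberate call, which is the "explicit confirmation" step the policy describes.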
2. How AI API keys are handled
- Keys are entered once under Settings → AI Agents and stored using the platform secret store.
- Each AI request is sent directly from your device to the provider's API (api.anthropic.com, api.openai.com, generativelanguage.googleapis.com) over TLS. SRG DOOEL is not in the request path.
- If a key ever needs rotation, generate a new one in the provider console, revoke the old one, and paste the replacement into ClaurixTerm. There's nothing on our end to update.
3. Responsible disclosure
If you think you've found a security issue in ClaurixTerm or claurix.com, please tell us first — we'll work with you on a fix and credit you in the release notes.
How to report
- Email: [email protected]
- GitHub: Open a private security advisory
Include: a description, affected version, reproduction steps, and the impact you observed. Proof-of-concept code is welcome but please don't include real credentials or data from third parties.
What we commit to
- Acknowledge your report within 72 hours.
- Triage and respond with a plan within 7 days.
- Coordinate a disclosure timeline with you; default is 90 days from acknowledgement.
- Credit you in the fix release (or stay anonymous if you prefer).
In scope
Out of scope
Issues in Anthropic, OpenAI or Google APIs belong with those vendors. Issues in the open-source dependencies of ClaurixTerm should typically be reported upstream first; let us know if a Claurix-specific exposure exists.
4. Hardening tips for your install
- Prefer SSH key auth over passwords; use ed25519 keys with a passphrase.
- Use a separate API key per machine — easier to revoke if a laptop is lost.
- Enable full-disk encryption (BitLocker / FileVault / LUKS) so the app-data directory is protected even if the device is stolen.
5. Contact
Security disclosure: [email protected]
Private advisory: GitHub Security Advisories
Everything else: claurix.com/contact