Security
Keyoku is local-first by design: no cloud, no telemetry, no account. The security model has one trust boundary — your approval — and an audit trail around everything else.
Local-first state
All state lives in ~/.keyoku (override with KEYOKU_HOME). The directory is created with mode 0700 and files with mode 0600 — readable only by your user.
| File | Contents |
|---|---|
~/.keyoku/activity.jsonl | The activity trace — one event per tool call, size-capped ~10k events |
~/.keyoku/executions.json | Step-by-step workflow execution state |
Secrets are redacted at record time
Credential-shaped assignments (TOKEN=, api_key:, password:) and Bearer tokens are replaced with «redacted» before an event is ever written to the trace. Because redaction happens at record time, secrets can never reach workflow drafts, baked skills, or a connected engine. And when you need to go fully off the record, keyoku pause silences recording and all context injection until keyoku resume.
What leaves your machine
There is no telemetry. By default, nothing leaves the machine. Two opt-in configurations create network calls: SLM refinement — if you configure GEMINI_API_KEY, ANTHROPIC_API_KEY, or an OpenAI-compatible endpoint via KEYOKU_SLM_BASE_URL (point it at local Ollama and even that stays on-box) — and the engine mirror: with KEYOKU_ENGINE_URL set, knowledge entries are mirrored to your keyoku-engine instance and knowledge_query searches go through it, wherever you host it. (Connectors you register obviously talk to whatever you point them at.)
The trust boundary: approval
Approval is the trust boundary. An approved template executes shell commands with your user privileges — there is no sandbox between an approved bash step and your system. Review templates the way you review shell scripts before approving them, especially templates refined by a model or drafted by an agent.
Guardrails
| Guardrail | Detail |
|---|---|
| Approval gate | Nothing executes until you approve a template. Connector calls at the approve level queue for explicit sign-off. |
| Autonomy levels | Per-connector: observe (calls refused), suggest, approve (queued), autonomous (direct). You choose how much rope each connector gets. |
| Read-only OpenAPI by default | Connectors synthesized from an OpenAPI spec are read-only unless you explicitly pass allowMutating. |
| Bash step limits | 30-second timeout, SIGTERM then SIGKILL, output captured and truncated to 2000 characters. |
| In-order execution | execution_complete enforces in-order step completion — no skipping past a human_review. |
| Append-only audit trail | Every action is recorded. Inspect it with audit_list or keyoku audit. |
| Secret redaction at record time | Credential-shaped values (TOKEN=, api_key:, password:, Bearer tokens) become «redacted» before an event is written — they can never reach drafts, baked skills, or the engine. |
| Privacy switch | keyoku pause stops all recording and all context injection until keyoku resume. |
Open source
Keyoku is MIT-licensed — audit the code yourself at github.com/Keyoku-ai/keyoku.
Related
- Connectors — autonomy levels and the approval queue
- Workflows — step types and what they may do