Privacy Is Not a Feature — It Is Architecture
Most developer tools include a privacy policy that says "we take your privacy seriously." Vibgrate takes a different approach: the architecture prevents data collection, so trust is not required.
The Vibgrate CLI is built around hard guarantees about what data is never accessed, never read, and never transmitted. These are not policy decisions that could change in a future update — they are structural constraints in how the tool operates.
What Vibgrate Never Does
| Category | Hard Guarantee |
|---|---|
| Source code | Never read beyond config/manifest files. Vibgrate reads `package.json`, `tsconfig.json`, `.csproj`, lockfiles, and similar structured manifests. It never opens `.ts`, `.js`, `.cs`, `.py`, or `.java` source files to read their contents. |
| Secrets | Never scanned for, never extracted. No regular expressions for API keys. No credential detection. |
| Environment values | Never read. Only `.env` file existence is flagged (as a security posture indicator) — the file is never opened. |
| Git identity data | Never accessed. `git log` is never invoked. Your commit history, author names, and email addresses are not scanned. |
| File contents | Only structured config fields are extracted. For example, `strict: true` from `tsconfig.json` — not the content of your TypeScript files. |
| Network endpoints | Never parsed from config files. URLs, connection strings, and API endpoints in your configuration are not read. |
What Vibgrate Does Collect
To calculate drift scores and run extended scanners, Vibgrate reads:
- Package names and version numbers from `package.json`, `.csproj`, lockfiles, and similar manifests.
- Config structure flags (e.g., `strict: true`, `module: "esnext"`) from `tsconfig.json` and similar configuration files.
- File names and sizes — paths and filesystem metadata for the File Hotspots scanner. Never file contents.
- Public registry metadata — latest versions, deprecation flags, and EOL dates from npm, NuGet, PyPI, and Maven registries.
- CI/Docker/IaC file presence — whether files like `.github/workflows`, `Dockerfile`, `terraform/` exist. Not their contents beyond structural counts.
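The collection rules above amount to a simple pattern: open only an allowlist of structured manifests, take filesystem metadata for everything else, and flag sensitive files by presence alone. The following is an added illustration of that pattern, not Vibgrate's own code; the file allowlist, the sample project it builds in a temporary directory, and the placeholder values inside it are all constructed for the example. The report's `opened` list is the part a practitioner would want: it records every file whose contents were read, so the "never opens source or `.env`" claim can be checked rather than trusted.

```python
# Added example, not Vibgrate's own code: a minimal manifest-only scanner that
# shows the data-minimisation pattern described above. The allowlist, the
# sample project and every value in it are constructed for illustration.
import json
import tempfile
from pathlib import Path

MANIFESTS = {"package.json", "tsconfig.json"}  # the only files ever opened
PRESENCE_ONLY = {".env"}                        # existence is flagged, never read
CONFIG_FLAGS = ("strict", "module")             # structured fields worth extracting


def build_sample_project() -> Path:
    """Create a constructed throwaway project on disk (all values are placeholders)."""
    root = Path(tempfile.mkdtemp(prefix="manifest-scan-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app",
        "dependencies": {"express": "^4.17.1", "lodash": "4.17.20"},
        "devDependencies": {"typescript": "~5.3.0"},
    }))
    (root / "tsconfig.json").write_text(json.dumps({
        "compilerOptions": {"strict": True, "module": "esnext", "outDir": "dist"},
    }))
    # Placeholder secret: the scanner must report that this file exists and nothing else.
    (root / ".env").write_text("DATABASE_URL=postgres://user:PLACEHOLDER@db.example/app\n")
    (root / "src").mkdir()
    (root / "src" / "index.ts").write_text("export const token = 'PLACEHOLDER';\n")
    return root


def scan(root: Path) -> dict:
    """Walk the tree, collecting only metadata and structured manifest fields.

    The "opened" list is the audit trail: every file whose contents were read
    is recorded there, so a caller can verify the guarantee instead of trusting it.
    """
    report = {
        "packages": {},        # name -> version spec, taken from manifests only
        "config_flags": {},    # e.g. {"strict": True, "module": "esnext"}
        "env_file_present": False,
        "files": [],           # path and size only (File Hotspots style metadata)
        "opened": [],          # audit: files whose contents were actually read
    }

    def read_manifest(path: Path) -> dict:
        # Single chokepoint for content reads; anything not in MANIFESTS is refused.
        if path.name not in MANIFESTS:
            raise PermissionError(f"refusing to read non-manifest file: {path.name}")
        report["opened"].append(path.name)
        return json.loads(path.read_text())

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        report["files"].append({
            "path": path.relative_to(root).as_posix(),
            "bytes": path.stat().st_size,   # filesystem metadata, no open()
        })
        if path.name in PRESENCE_ONLY:
            report["env_file_present"] = True   # posture signal only
        elif path.name == "package.json":
            data = read_manifest(path)
            for section in ("dependencies", "devDependencies"):
                report["packages"].update(data.get(section, {}))
        elif path.name == "tsconfig.json":
            opts = read_manifest(path).get("compilerOptions", {})
            report["config_flags"] = {k: opts[k] for k in CONFIG_FLAGS if k in opts}
        # Every other file (.ts, .js, .cs, .py, .java, ...) falls through unopened.
    return report


if __name__ == "__main__":
    print(json.dumps(scan(build_sample_project()), indent=2))
```

Running the block prints the report for the constructed project: two manifests in `opened`, `src/index.ts` and `.env` present in `files` with their sizes but absent from `opened`, and `env_file_present` set. Routing every content read through one function that checks the allowlist is what turns "we never read source files" from a policy into something the code structurally cannot do by accident.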
No Data Leaves Your Machine Unless You Ask
This is the most important guarantee: no data is transmitted anywhere unless you explicitly run `--push` or `vibgrate push`.
- By default, scans are entirely local.
- The JSON artifact is written to `.vibgrate/` on your local filesystem.
- Registry queries go to the public npm/NuGet/PyPI/Maven APIs and contain only package names (information that is already public).
- The dashboard upload is opt-in, authenticated by a DSN you control, and can be routed to a specific data residency region (US or EU).
The .vibgrate/ Directory
Vibgrate writes scan artifacts to `.vibgrate/` inside your project directory. These files:
- Are regenerated on every scan
- Should be added to `.gitignore`
- Should not be copied between environments
- Can be suppressed entirely with `--no-local-artifacts`

```
# .gitignore
.vibgrate/
```
Why This Matters
Developer tools increasingly ask for broad access: repository tokens, cloud credentials, source code uploads. Every access point is a trust surface.
Vibgrate minimises that surface by design. The drift score is calculated from manifests and public registry data — nothing more. You do not need to grant Vibgrate access to your repository, your CI secrets, or your cloud accounts. You do not even need to create an account to use the CLI.
The Vibgrate Drift Intelligence Engine proves that powerful analysis does not require invasive access. A manifest and a registry query are enough to tell you how far behind you are and what to upgrade first.
Try it risk-free. Sign up at dash.vibgrate.com to scan your repos with a privacy-first tool that never reads your source code, secrets, or git history.
