Assistance that stays on your network.
AI help for the terminal and vault that defaults to a self-hosted model on your own LAN. Terminal output and secrets never leave your network unless you allow it, and only behind a redaction gate.
the problem
AI in the terminal is genuinely useful — and a genuine data-exfiltration risk. Most tools quietly ship your command output and secrets to a cloud model.
What it does
- Local by default
- Assistance runs against a self-hosted model on your own network, so prompts and output don't leave the LAN by default.
- Redaction-gated cloud
- If you opt into a cloud model, output passes through a redaction gate first — secrets are stripped before anything is sent.
- Exposure detection
- VaultTerm scans brokered command output for leaked credentials and flags exposure, so a careless paste doesn't go unnoticed.
- You hold the switch
- Whether the cloud is allowed at all is an org-level policy you control — not a default someone has to discover and turn off.
- Self-hosted Ollama by default
- Cloud LLM only as a redaction-gated fallback
- Credential-exposure detection on command output
- No terminal output leaves the LAN for enterprise
how we back it up
No hand-waving on security
faq --list
Privacy-first AI — questions
Will my terminal output be sent to a third-party AI?
Not by default. The default is a self-hosted model on your own network. A cloud model is opt-in per organisation and, when enabled, output is redacted before it leaves the LAN.
What is the redaction gate?
Before any output can reach a cloud model, it passes a gate that strips secrets and a guard that checks for prompt-injection — so enabling cloud assist doesn't mean handing over raw secrets.
Can the AI catch leaked credentials?
Yes. It scans brokered command output for credential exposure and flags it in the audit trail.