Skip to content

Security & privacy

How Pipemason handles your code, data, and credentials. The short version: your source code never leaves your machine.

Your code stays local

Pipemason runs as a hybrid, local-runner-first product. The runner is a compiled CLI that executes on your own machine, in your own working directory. It reads and writes files in your repository, spawns the agents that do the work, and runs your test, lint, and build commands locally.

Tip

Your source code never leaves your machine. The cloud control plane never receives the contents of your files.

Only three categories of data are streamed to the cloud, and only so you can watch a run live and replay it later:

  • Run metadata — the run id, branch name, current phase, status, and token/cost estimates.
  • Logs — the structured iteration events the runner appends to .pipeline/iterations.log.
  • Chosen artifacts — screenshots and diff images, when you opt in (for example on web or mobile runs).

This local-execution model is the answer to the most common objection that enterprise and regulated teams raise about cloud-based AI development tools: there is no cloud copy of your code to leak, subpoena, or train on.

Log scrubbing

The logs and metadata that do stream to the cloud pass through a scrubber before they are persisted. It redacts common secret patterns — API keys, JSON Web Tokens, and email addresses — so that an accidental secret in a log line is not stored verbatim.

Runner credentials

When you pair a machine with pipemason login, the runner stores its token locally:

~/.pipemason/credentials.json

That file is yours and stays on your machine. The cloud never stores the token itself — it keeps only a sha256(token) hash, which is enough to recognize a paired runner but cannot be reversed back into a usable credential.

Note

Treat ~/.pipemason/credentials.json like an SSH key. If a machine is lost or decommissioned, revoke its runner token from your account settings.

GitHub access

GitHub access is connected once, through OAuth, at pipemason.com/settings. You authorize the Pipemason OAuth app for the repo + read:user scopes. The cloud control plane stores an encrypted access token and uses it to:

  • list your accessible repositories during onboarding, and
  • mint a fresh, short-lived token to the runner before each git operation — so pushes and PR creation work against private repos without you managing tokens by hand.

You can revoke access at any time, either from pipemason.com/settings or directly from your GitHub Authorized OAuth Apps.

Tip

GitHub is optional. If you push over SSH and do not want Pipemason creating PRs for you, skip the connect step — the runner falls back to your existing local git auth.

Encryption and tenant isolation

Connected tokens and keys are encrypted at rest in the control plane. Every cloud request is scoped to your organization: a runner token can only stream events for runs that belong to its own org, and there are no implicit cross-org reads.

Reporting a security issue

Found something that looks like a vulnerability? Email support@pipemason.com with the details and we will follow up.