Security model

context-mode draws a clear line between two outcomes: a redirect, which sends a call down a safer path, and a block, which denies it with a reason. Network flooding is a redirect — the work still happens, just without dumping raw bytes into context. A policy violation is a block — the call does not run. The wording tells you which one you hit.

Local-first and private

• 100% local. context-mode runs 100% locally with zero telemetry. Code execution, indexing, fetching, and storage all happen on your machine — nothing is sent to a remote server.
• Zero telemetry. No usage data and no payloads leave the device.
• Elastic License 2.0. context-mode is source-available under the Elastic License 2.0. You can read the source and run it freely; see the license for the full terms.

Network: redirect, not restriction

Calls that pull pages into context are intercepted and redirected. When the agent reaches for curl, wget, or inline HTTP, the request is routed to ctx_fetch_and_index instead. The page is fetched, converted, and indexed, so the raw HTML never floods context — you search the result rather than read the whole page.

ctx_fetch_and_index({
  url: "https://example.com/api/reference",
  source: "api-reference",
})

Permissions: deny and allow rules

The deny and allow rules from your host settings file are enforced everywhere, including inside ctx_execute, ctx_execute_file, and ctx_batch_execute. The sandbox is not an escape hatch around your policy — the same rules apply to code run there.

{
  "permissions": {
    "deny": ["Bash(rm -rf *)", "Bash(curl *)"],
    "allow": ["Bash(git *)", "Bash(npm *)"]
  }
}

• Deny always wins over allow. If a rule denies a command, an allow rule cannot re-enable it.
• More specific project rules override global ones, so a project can tighten — or intentionally loosen — what the global policy permits.

How commands are checked

A true block is denied with a reason, and several checks feed that decision.

Related