Mstro

Security & Trust

Your code stays yours.

Mstro is built around one principle: code, files, and conversations live on your machines. The Mstro platform is a thin WebSocket relay that connects your browser to the open-source CLI running on your hardware. It never stores or executes your code.

Where your code lives

  • On your machines. The mstro-app CLI runs locally on every computer you connect: your laptop, a cloud VM, a Raspberry Pi. Claude Code executes there, edits files there, runs tests there.
  • Never on Mstro infrastructure. The platform server in our cloud is a real-time WebSocket relay. Messages pass through; nothing is logged or persisted.
  • Conversation history is local. Saved in .mstro/ on your machine. We do not have access.

Data flow

Browser  ──►  Platform Relay  ──►  mstro CLI  ──►  Claude Code
(mstro.app)   (WebSocket relay)    (your machine)    (your machine)
              ┌────────────┐
              │ NO STORAGE │
              │ NO LOGGING │
              └────────────┘

The relay routes WebSocket frames between the browser and the CLI. It authenticates the user (via Clerk JWT) and the device (via SHA-256 hashed token), then forwards traffic. It does not parse, persist, or train on payloads.

The Security Bouncer

Every Anthropic-ecosystem coding tool (Cursor, Cline, Aider, Devin, Codex, Windsurf, Replit Agent, Lovable, Bolt, v0, JetBrains Junie) wraps the Anthropic SDK and inherits its permission model. That gives you two options: prompt on every tool call (Allow 40+ times a day) or flip on yolo mode and disable safety. Neither runs unattended for hours.

Mstro is not an SDK wrapper. The Security Bouncer is a patented two-layer tool-approval substrate (US Provisional 64/034,753, filed April 10, 2026) that classifies each tool call, auto-approves the safe ~95%, and routes the rest (including the risky ~5%) to a Claude Haiku adjudicator that decides in milliseconds. The human is never in the hot path. Validated against 400+ red-team tests covering 22 MITRE ATT&CK techniques. If Claude Code is the rocket, this is the spaceship built around it.

  • Layer 1, pattern matching. A configurable allow/deny list runs first. Common safe operations (read files, git status, run lint, run tests) auto-approve instantly, no model call required. Destructive operations (rm, git push --force) are blocked by default and require an explicit allow. This layer alone covers the bulk of the ~95% auto-approve rate.
  • Layer 2, Haiku adjudication. Tool calls that don’t match a pattern are classified by Claude Haiku in milliseconds. Haiku is the security boundary; it allows, denies, or warns, without breaking your flow with a prompt. Audited against 400+ red-team tests covering 22 MITRE ATT&CK techniques so novel attack patterns don’t slip through.
  • Auditable and patented. Every Bouncer decision is logged locally so you can review what each agent was allowed to do. The two-layer architecture is covered by US Provisional 64/034,753. Long enough to finish the job. Specific enough to trust.
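
The two-layer flow described above, as an added example (not Mstro's code): the rule lists, the `bounce` function and the `adjudicate` callback standing in for the model call are all assumptions. It goes one step beyond the text by sending any command that contains shell metacharacters to Layer 2, because a rule such as `git status` says nothing about what follows a `&&`, and by failing closed when the adjudicator errors.

```python
import shlex

# Constructed rule lists for illustration; not Mstro's shipped policy.
SAFE = [("cat",), ("git", "status"), ("npm", "run", "lint"), ("npm", "test")]
DESTRUCTIVE = [("rm",), ("git", "push", "--force")]
SHELL_META = set(";|&`$<>\n")  # chaining, substitution, redirection
VERDICTS = ("allow", "deny", "warn")


def matches(argv, rules):
    """A rule matches when argv[0] is its program and every other rule
    token appears somewhere among the remaining arguments."""
    return any(argv[0] == r[0] and all(t in argv[1:] for t in r[1:])
               for r in rules)


def bounce(command, adjudicate, explicit_allow=(), audit=None):
    """Decide one shell tool call; append the decision to the local audit list."""
    audit = [] if audit is None else audit

    def done(decision, layer):
        audit.append({"command": command, "decision": decision, "layer": layer})
        return decision

    # Layer 1: pattern matching, only for simple single-command lines.
    if not SHELL_META & set(command):
        try:
            argv = shlex.split(command)
        except ValueError:  # unbalanced quotes: let Layer 2 decide
            argv = []
        if argv and matches(argv, DESTRUCTIVE):
            # Blocked by default; only an explicit allow rule lifts the block.
            return done("allow" if matches(argv, explicit_allow) else "deny", 1)
        if argv and matches(argv, SAFE):
            return done("allow", 1)

    # Layer 2: no pattern matched, so ask the adjudicator (hypothetical callback
    # standing in for the model call). Errors and unknown answers fail closed.
    try:
        verdict = adjudicate(command)
    except Exception:
        verdict = "deny"
    return done(verdict if verdict in VERDICTS else "deny", 2)
```
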

What we store on the server

  • Account information. Email, hashed password (via Clerk), optional display name.
  • Session tokens. Used to keep you signed in. Expire after 7 days.
  • Device registrations. Device name, hostname, OS, CPU architecture. Device tokens are stored as one-way SHA-256 hashes.
  • Connection metadata. Which orchestras (project + machine pairs) are connected and when they last pinged.
  • Usage metrics. Token counts for billing.

We do not store: source code, file contents, terminal output, AI prompts, AI responses, or any other workspace content.

Third-party services we use

Provider      | Purpose                                 | What they see
Clerk         | User authentication                     | Email, name, OAuth identities
Anthropic     | Claude Code language model              | Your prompts, your code (via your API key)
Vercel        | Marketing site + SPA hosting            | Standard request logs (IPs scrubbed)
Fly.io        | Platform server hosting                 | Standard request logs
Neon Postgres | Account & orchestra metadata            | Encrypted at rest
Sentry        | Error reporting (optional)              | Stack traces; IPs stripped
PostHog       | Anonymous product analytics (optional)  | Aggregate usage events; no code content

Anthropic processes your prompts via your own API key. See Anthropic’s Privacy Policy for how they handle data.

Encryption & transport

  • HTTPS-only across mstro.app and app.mstro.app (HSTS preload).
  • WebSocket connections to the relay use WSS.
  • Passwords managed by Clerk (bcrypt + their own controls).
  • Device tokens are SHA-256 hashed before storage.
  • Database (Postgres) and ephemeral state (Redis) encrypted at rest.
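
How a relay can authenticate a device while storing only a SHA-256 digest of its token, as stated here and in the data-flow section; this is an added example, not Mstro's code. The `DeviceRegistry` class, the 32-byte token length and the device names are assumptions; a fast unsalted hash is reasonable only because the token is long and random, unlike a password.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Server-side store that keeps only SHA-256 digests of device tokens."""

    def __init__(self):
        self._digests = {}  # device_id -> hex digest; the raw token is never kept

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, device_id):
        # 32 bytes from the OS CSPRNG (assumed length). Returned once to the
        # device; only the digest is written to storage.
        token = secrets.token_urlsafe(32)
        self._digests[device_id] = self._digest(token)
        return token

    def stored_value(self, device_id):
        """What a database dump would expose for this device."""
        return self._digests[device_id]

    def verify(self, device_id, presented):
        stored = self._digests.get(device_id)
        if stored is None:
            return False
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(stored, self._digest(presented))

    def revoke(self, device_id):
        self._digests.pop(device_id, None)
```
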

AI training

Mstro does not train any model on your code, prompts, or responses. Anthropic’s API terms control what they may do with API requests routed through your own key. By default, API content is not used to train Anthropic models. Verify this in your Anthropic console settings.

GDPR & data deletion

You can delete your account at any time from your settings. Deletion removes account data, sessions, device registrations, and connection metadata from our servers. Local data on your machines is unaffected.

For a data export or formal access request under GDPR / CCPA, email bravo@mstro.app and we’ll respond within 30 days.

Security headers

Both mstro.app and app.mstro.app ship with:

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Referrer-Policy: strict-origin-when-cross-origin
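
A check for the header set listed above, as an added example (not Mstro's tooling): it parses a raw response-header block and reports deviations, including the HSTS preload-list minimums (max-age of at least one year, includeSubDomains, preload). The two sample responses are constructed.

```python
# Expected values are the ones this page lists.
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "referrer-policy": "strict-origin-when-cross-origin",
}
PRELOAD_MIN_AGE = 31536000  # one year: minimum accepted for the HSTS preload list

# Constructed sample responses, not captured traffic.
GOOD = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
permissions-policy: camera=(), microphone=(), geolocation=()
referrer-policy: strict-origin-when-cross-origin
"""
WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
Permissions-Policy: camera=(), microphone=(), geolocation=()
Referrer-Policy: strict-origin-when-cross-origin
"""


def parse_headers(raw):
    """Header names are case-insensitive, so index them lower-cased."""
    pairs = (line.split(":", 1) for line in raw.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def norm(value):
    return value.replace(" ", "").lower()


def audit(raw):
    headers, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif norm(got) != norm(want):
            findings.append(f"{name}: expected {want}, got {got}")
    # HSTS: split "k=v; flag; flag" into directives, names lower-cased.
    hsts = dict(norm(p).partition("=")[::2]
                for p in headers.get("strict-transport-security", "").split(";"))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < PRELOAD_MIN_AGE:
        findings.append("hsts: max-age below preload minimum")
    findings += [f"hsts: missing {d}" for d in ("includesubdomains", "preload")
                 if d not in hsts]
    return findings
```

Passing the output of `curl -sI` for a host you operate to `audit` compares a live deployment with the list.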

Reporting a vulnerability

Email bravo@mstro.app with details. We will acknowledge within 48 hours. We don’t yet run a paid bug-bounty, but every valid report gets credited (with permission) in the changelog.

See /.well-known/security.txt for machine-readable contact info.

Questions?

Read the Privacy Policy and Terms of Service, or email bravo@mstro.app.
