Last updated: May 25, 2026
CodeGrid is built so there is very little to secure: it is local-first, collects nothing, and is fully open source. Below is exactly how the current build handles your code, credentials, and updates — all verifiable in the source.
CodeGrid runs entirely on your machine. Your terminals, code, prompts, and project files never pass through ZipLyne servers — there are none. The desktop app ships with no telemetry, no analytics, and no crash reporting, and it requires no account, sign-up, or license key.
The complete source code is published on GitHub under the MIT license. Anything we claim on this page can be verified by reading the code. There is no closed-source server component to trust.
Release builds are signed with an Apple Developer ID certificate issued to ZipLyne LLC (Team ID DHGG5BA7J7), built with the macOS hardened runtime, and notarized by Apple. Auto-updates are delivered as signed artifacts and verified with a minisign public key before they are applied, so an update cannot be tampered with in transit.
File and Git operations performed by the app are validated in the Rust backend: every path is canonicalized and constrained to your home directory or /tmp, path-traversal (..) and symlink escapes are rejected, and file-scoped Git commands run with literal pathspecs so a maliciously named file cannot widen an operation. Precious config files (e.g. .claude.json) are written atomically to avoid corruption.
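The checks described above, written out as a self-contained Rust example. This is an added illustration, not CodeGrid's own backend code: the allowed roots are passed in explicitly instead of being fixed to the home directory and /tmp, the `Sandbox`, `write_atomic` and `git_file_argv` names are assumed, and the temp-file naming is a simplification.

```rust
// Added example (not CodeGrid's code): path confinement, symlink/traversal rejection,
// atomic config writes, and literal-pathspec git argv, as described on the security page.
use std::fs;
use std::io::{self, Write};
use std::path::{Component, Path, PathBuf};

/// Directories a request may touch. CodeGrid's rule is "home directory or /tmp";
/// here the roots are supplied by the caller so the check can be exercised anywhere.
pub struct Sandbox {
    roots: Vec<PathBuf>,
}

impl Sandbox {
    pub fn new(roots: &[&Path]) -> io::Result<Self> {
        let mut canon = Vec::new();
        for r in roots {
            canon.push(fs::canonicalize(r)?); // roots themselves are resolved once, up front
        }
        Ok(Sandbox { roots: canon })
    }

    /// Resolve `requested` (absolute, or relative to `cwd`) and confirm that the real
    /// on-disk location stays inside one of the roots.
    /// - any `..` component is rejected lexically, before touching the filesystem;
    /// - canonicalize() follows symlinks, so a link pointing outside a root fails the
    ///   prefix check even though the link's own path looks harmless.
    pub fn resolve(&self, cwd: &Path, requested: &Path) -> io::Result<PathBuf> {
        if requested.components().any(|c| matches!(c, Component::ParentDir)) {
            return Err(io::Error::new(io::ErrorKind::PermissionDenied, "path traversal (..) rejected"));
        }
        let joined = if requested.is_absolute() { requested.to_path_buf() } else { cwd.join(requested) };
        let real = canonicalize_lenient(&joined)?;
        if self.roots.iter().any(|root| real.starts_with(root)) {
            Ok(real)
        } else {
            Err(io::Error::new(io::ErrorKind::PermissionDenied, "path escapes allowed roots"))
        }
    }
}

/// Like fs::canonicalize, but also accepts a file that does not exist yet (a config
/// about to be created) by canonicalizing its parent directory and re-attaching the name.
fn canonicalize_lenient(p: &Path) -> io::Result<PathBuf> {
    match fs::canonicalize(p) {
        Ok(real) => Ok(real),
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            // A dangling symlink also reports NotFound; creating through it would write
            // wherever the link points, so it is rejected rather than resolved leniently.
            if fs::symlink_metadata(p).map(|m| m.file_type().is_symlink()).unwrap_or(false) {
                return Err(io::Error::new(io::ErrorKind::PermissionDenied, "dangling symlink rejected"));
            }
            let parent = p.parent().ok_or(e)?;
            let name = p
                .file_name()
                .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
            Ok(fs::canonicalize(parent)?.join(name))
        }
        Err(e) => Err(e),
    }
}

/// Atomic write: stage the bytes in a temp file in the same directory, fsync it, then
/// rename over the target. A crash mid-write leaves the previous file untouched, and
/// readers never observe a half-written config.
pub fn write_atomic(target: &Path, contents: &[u8]) -> io::Result<()> {
    let dir = target
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "target has no parent directory"))?;
    let stem = target.file_name().and_then(|n| n.to_str()).unwrap_or("config");
    let tmp = dir.join(format!(".{}.tmp-{}", stem, std::process::id()));
    {
        let mut f = fs::File::create(&tmp)?;
        f.write_all(contents)?;
        f.sync_all()?; // data must be durable before the rename makes it visible
    }
    fs::rename(&tmp, target)
}

/// argv for a file-scoped git command. `--literal-pathspecs` (a global git option) turns
/// off glob and `:(magic)` interpretation, and `--` ends option parsing, so a file named
/// `*`, `:/` or `-rf` is treated as exactly one file name and cannot widen the operation.
pub fn git_file_argv(subcommand: &str, file: &Path) -> Vec<String> {
    vec![
        "--literal-pathspecs".to_string(),
        subcommand.to_string(),
        "--".to_string(),
        file.to_string_lossy().into_owned(),
    ]
}
```

The lexical `..` check runs first because canonicalize() would happily resolve `../outside` to a valid path; the prefix check would still catch the escape, but rejecting traversal up front gives a clearer error and never consults the filesystem for it.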
CodeGrid stores no API keys or model credentials. The AI agents you run (Claude Code, Codex, Gemini, Cursor) authenticate with their own existing logins. GitHub authentication is handled through the GitHub CLI and your operating system keychain; CodeGrid refuses to write tokens to disk in plaintext (it rejects the insecure credential.helper=store mode).
CodeGrid is an orchestration layer. When an agent makes a request, the data flows directly from that agent's CLI to its provider (Anthropic, OpenAI, Google, Cursor) under that provider's terms — CodeGrid does not proxy, log, or store it. See Responsible AI for details.
We welcome coordinated disclosure. Email admin@codegrid.dev with details and reproduction steps, or open a private advisory on the GitHub repository. Please give us a reasonable window to investigate and ship a fix before public disclosure. We aim to acknowledge reports within 3 business days.
CodeGrid is an independent, open-source desktop tool, not a SaaS platform — we hold no third-party compliance certifications (such as SOC 2), because we operate no servers and store none of your data. Our security model is transparency and minimalism: the less we collect, the less there is to protect. This page describes the current build and will be kept in step with the code.