PostIdea PostIdea
Security

Security at PostIdea

Every claim on this page is specific enough to be checked. The last section lists what we deliberately don't claim yet.

Last updated: July 11, 2026

1. The VS Code extension: your source code never leaves your machine

The PostIdea extension detects drift from your locked architecture decisions as you write code. All of that detection runs locally, inside your editor. The extension's only network traffic is fetching your locked decisions from PostIdea and, if you choose, locking or unlocking a decision. It never transmits your source code, file contents, or diffs — there is no code path in the extension that does.1, 2

1. The extension's server address is configurable. If you point it at a server you don't control, your sign-in credentials and decision reads go there — the code-stays-local property still holds, but verify your configuration.

2. This claim is about the extension. The web verification pipeline (below) is different: there, you explicitly upload a diff and file listing for analysis.

2. Web verification: we don't store your code

When you submit code for verification on the web, we do not store your source code. Verification runs entirely in memory: your file listing, file contents, and diff are analyzed, a report is produced, and the code is discarded. What we keep is the report — verdicts, coverage scores, and SHA-256 fingerprints of the inputs and outputs — never the code itself.

The optional AI audit (off by default) sends your code diff — never full file contents — to our AI provider for one-time advisory review. The prompt is not stored; only its fingerprint is. Our AI provider is contractually prohibited from training on it (details in the Privacy Policy). The short-lived retry cache holds a copy of the report with all AI-generated advisory text stripped out, so no text derived from your code sits in any cache — deterministic verdicts, scores, and hashes only, for at most one hour.

3. Platform security

4. What we don't claim yet

Security pages tend to be written by marketing. This one is written by the person who wrote the code, so here is the honest list of things we are not done with. When an item ships, it moves up into section 3 — not before.

5. Reporting a vulnerability

Report security issues to security@postidea.app. We respond within 72 hours. We will not pursue legal action against good-faith security research that respects user data and gives us reasonable time to fix issues before disclosure. Machine-readable details: /.well-known/security.txt.