Appearance
Architecture
Most AI products ask for trust. Sabha OS is designed so you don't have to.
This page lists exactly what data stays on your machine, exactly what touches the network, and exactly why. The structure is the trust answer — not the marketing prose, not the privacy policy, not a SOC 2 certificate. Read this page and you should be able to verify the claims independently.
The data plane is 100% local
Everything that holds your information lives on your machine:
| Data | Where it lives | Why |
|---|---|---|
| Your memory (Sakthi Graph palace) | ~/sakthi/ on disk — ChromaDB-backed | Verbatim storage. Never paraphrased. Never uploaded. |
| Decision ledger | ~/sakthi/ledger.sqlite — Ed25519-signed, append-only | Tamper-evident locally. You hold the keys. |
| Ledger signing key | macOS Keychain / Windows Credential Manager — OS-level secret storage | OS-managed; we never see it; we cannot retrieve it for you if you lose it. |
| Role profile cards + KG triples | Inside the Sakthi palace | Built by the first-run wizard. Yours. |
| LLM API key (BYOK — Anthropic, OpenAI, your own endpoint) | OS Keychain | You bring the key. We never see it. We never proxy traffic. |
| Conversations with the council | Streamed directly from your machine to your LLM provider | Sabha OS never sees a conversation. |
If your machine is on an airgapped network with one outbound rule (your LLM provider's API), Sabha OS works.
The network surface is two endpoints, both you can audit
Two — and only two — outbound network calls originate from Sabha OS itself:
1. License check (install + occasional re-validation)
- What it sends: your license key (a UUID), the product version.
- What it receives: a signed JSON response indicating valid / expired / revoked.
- Frequency: once at install, then every 30 days if you're online. Offline-validating — if you're disconnected, the cached license stays valid for 30 days from the last successful check.
- Where it goes: a Stripe webhook handler that validates the license key against the Sabha OS billing system.
- What we log: license key, IP address, timestamp. That's it. No telemetry, no usage events, no content, no errors.
2. Auto-updater manifest check
- What it sends: your current Sabha OS version.
- What it receives: a signed JSON manifest pointing at the latest version's signed binary.
- Frequency: once per launch, only if the manifest URL is reachable.
- Where it goes: a JSON file on Cloudflare R2 (static asset hosting, no compute).
- What we log: nothing. R2 access logs are not enabled.
You can disable the auto-updater check in settings. You cannot disable the license check, but you can air-gap your machine and continue using Sabha OS until your 30-day cached license expires.
What we deliberately don't do
| The usual SaaS thing | Why Sabha OS doesn't do it |
|---|---|
| Telemetry / analytics events | We don't know how often you use the CFO role. We can't optimize against patterns we can't see. We trade that for not being a surveillance vector. |
| Centralized account / login | No accounts. The license is bound to a machine, not a person. No password reset because there's no password. |
| Cloud sync between devices | Multi-device sync is user-owned in v1.5 — you point Sabha at an S3 / R2 / Dropbox folder you control, encrypted with a key only you hold. We never see the bytes. |
| Hosted control plane | Deferred to v2.0 Enterprise, gated behind a separate SKU for IT-managed deployments that demand SCIM + central audit-log export. Personal and Pro tiers will never have a hosted control plane. |
| Customer-data residency in our cloud | We don't have a cloud that holds customer data. There's no residency question to answer. |
How you verify the claims independently
- Run Sabha OS behind Little Snitch / Lulu / your firewall of choice. Allow the license-check host and the updater-manifest host. Deny everything else. Sabha OS will continue working. If you observe traffic anywhere else, file an issue.
- Open the source. The OSS protocol layer is MIT — every routing decision, role charter, and skill is readable on GitHub. The desktop wrapper is closed-source for the v1.0 commercial release, but the ledger format is documented and the verifier CLI is MIT.
- Export your ledger.
sabha ledger export > ledger.jsonl. Pipe it into the MIT verifier CLI and reproduce the signature chain. Compare the verifier output to your own audit narrative. If the math holds, the trust holds.
The architecture trust model in one sentence
Sabha OS doesn't need to be trustworthy because its network surface doesn't carry your data. The trust is in the structure, not the promise.
That sentence is the entire pitch. The rest of this site is the explanation.
Related
- Pricing — what's in each tier
- Protocol — the free OSS layer, installable today
- Sakthi Graph — the local memory substrate Sabha OS embeds