Privacy & Security
Atlas is local-first by design. All data stays on your machine. There is no cloud, no account, no network access.
What Atlas Stores
Atlas stores metadata only:
- BLAKE3 hashes of file contents (not the contents themselves)
- File paths and filenames (current and historical)
- Timestamps of when changes were recorded
- Fork relationships between files
- Structural references between files (edges discovered by extractors)
- File traits (file type, size, line count)
What Atlas Never Stores
- File contents or bytes (only the hash)
- Creative data (audio waveforms, image pixels, document text)
- Preset values, automation data, or configuration values
- Anything that could reconstruct the original file
The BLAKE3 hash is a one-way function — you cannot recover file contents from a hash.
No Network Access
Atlas makes zero network requests. It doesn’t phone home, check for updates, sync to a cloud, or communicate with any external service. The binary has no networking code.
Consent
Atlas requires explicit consent before tracking anything. The first time you run atlas watch, it explains what data will be collected and asks you to confirm. No data is stored until you accept.
If you use --json mode without prior consent, Atlas exits with an error rather than prompting — consent must be given interactively.
Sensitive File Protection
Atlas ships with 31 default ignore patterns that prevent tracking of sensitive files:
- SSH keys and configuration (.ssh/*, *id_rsa*, *id_ed25519*)
- Environment files (*.env, .env.*)
- Cryptographic material (*.key, *.pem, *.p12, *.pfx)
- Credential stores (*credentials*, *password*, *.token)
- Platform-specific secrets (.aws/*, .gnupg/*, .docker/config.json, .npmrc, .pypirc, .netrc)
These defaults cannot be removed. They can be temporarily disabled, but disabling a sensitive pattern requires explicit --confirm and displays a safety warning. See Ignore Patterns for the full list and how to add your own.
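The following is an added illustration, not Atlas's own code: it checks constructed file paths against the default sensitive patterns listed above and reports which pattern would keep each path from being tracked. The matching semantics (each pattern tested against the full relative path and every trailing sub-path, via fnmatch) are an assumption, since the docs do not specify how Atlas evaluates its globs.

```python
import fnmatch
from pathlib import PurePosixPath

# Default sensitive-file ignore patterns as listed in the Atlas docs
# (a subset of the 31 shipped defaults), in the order shown there.
SENSITIVE_PATTERNS = [
    ".ssh/*", "*id_rsa*", "*id_ed25519*",
    "*.env", ".env.*",
    "*.key", "*.pem", "*.p12", "*.pfx",
    "*credentials*", "*password*", "*.token",
    ".aws/*", ".gnupg/*", ".docker/config.json", ".npmrc", ".pypirc", ".netrc",
]


def matching_pattern(path, patterns=SENSITIVE_PATTERNS):
    """Return the first pattern that matches `path`, or None if it is trackable.

    Assumed semantics (not from the docs): a pattern is tested against the
    whole relative path and against every trailing sub-path, so `.ssh/*`
    also matches `home/me/.ssh/id_rsa`. fnmatch's `*` spans `/`.
    """
    parts = PurePosixPath(path).parts
    candidates = ["/".join(parts[i:]) for i in range(len(parts))]
    for pattern in patterns:
        if any(fnmatch.fnmatchcase(c, pattern) for c in candidates):
            return pattern
    return None


def partition(paths, patterns=SENSITIVE_PATTERNS):
    """Split paths into (tracked, ignored), where ignored maps path -> pattern."""
    tracked, ignored = [], {}
    for p in paths:
        hit = matching_pattern(p, patterns)
        if hit is None:
            tracked.append(p)
        else:
            ignored[p] = hit
    return tracked, ignored


# Constructed sample paths for illustration only.
SAMPLE_PATHS = [
    "project/src/main.py",
    "project/.env.local",
    "home/me/.ssh/id_ed25519",
    "home/me/.aws/credentials",
    "project/assets/track01.wav",
    "project/certs/server.pem",
]

if __name__ == "__main__":
    tracked, ignored = partition(SAMPLE_PATHS)
    print("tracked:", tracked)
    for path, pattern in ignored.items():
        print(f"ignored: {path}  (matched {pattern})")
```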
Read-Only Relationship with Watched Directories
Atlas never creates, modifies, or deletes files in your watched directories. All Atlas data — including ignore configuration and scoped patterns — is stored in ~/.atlas/. Your project directories remain untouched.
Connect Scope
When AI agents query Atlas through Connect, you can control what they see independently of what Atlas watches. Connect Scope provides allow/deny lists that filter agent-visible data at the query boundary — agents receive no indication that additional data exists beyond their scope.
Default deny entries for credential directories (~/.ssh, ~/.gnupg, ~/.aws, etc.) are seeded on first run. See the Connect overview for details and CLI commands.
Database Security
- The SQLite database is created with 0600 permissions (owner read/write only)
- Database location: ~/.atlas/atlas.db
- WAL mode is used for safe concurrent access
True Deletion
The atlas forget command permanently erases all records for an entity:
- All hash, path, and name history
- All edge references
- All file traits
Pattern-based forget (atlas forget --pattern "*.log") extends this to mass deletion of all entities matching a glob. Each deleted entity is individually logged.
A minimal audit entry (entity ID and timestamp only) is kept in the forget_log — no content or metadata is retained.
See Managing Data for details.
Extractor Safety
Atlas’s extractors only look for structural references — file paths, import statements, plugin identifiers. They never extract:
- Creative content
- User-authored text
- Audio or image data
- Script source code
The test for what an extractor may capture: “Would this appear in a dependency manifest?” If not, it’s out of scope.