RTRGRD — Security & Privacy

home Privacy-First Architecture

RTRGRD is built for network engineers who work with sensitive infrastructure. Your configs, credentials, and RAG databases stay on your machine. AI requests use Google Vertex AI by default with automatic credential sanitization — or enable Privacy Mode for fully offline operation.

What	Where It Lives
Your device configs	Your machine only
RAG database	Local AppData folder
Embeddings	Processed locally (Nomic)
Credentials	OS-encrypted storage

Nothing is uploaded unless you explicitly use AI features—and even then, we scrub it first.

cleaning_services The Sanitization Layer

Before any data reaches cloud AI, our Sanitization Service automatically redacts sensitive patterns.

30+ Credential Patterns Blocked

Category	Examples
Passwords	`enable secret`, `username ... password`
Keys	`crypto key`, `pre-shared-key`, `private-key`
SNMP	`snmp-server community`, `snmp community`
Infrastructure	TACACS/RADIUS keys, AAA secrets, WPA passphrases
Certificates	`BEGIN CERTIFICATE`, `BEGIN RSA PRIVATE KEY`

How It Works

Terminal Output → Sanitization Layer → [REDACTED] → Cloud AI Guardian Orb shows "X secrets protected" per request

You see real data. The AI sees [REDACTED]. The Guardian Orb indicator shows exactly how many secrets were protected per request.

LAYG Protection

The Learn-As-You-Go system is also protected. Commands like enable password or snmp-server community are blocked from being learned—so sensitive patterns never enter autocomplete.

cloud_done Google Vertex AI — No Training on Your Data

We use Google Cloud AI (Vertex AI) for cloud intelligence — the API with contractual data-processing terms, not consumer-facing APIs.

Why This Matters

Consumer API	Vertex AI (What We Use)
May use data for training	No training on customer data
API key in client	Service account auth
Less control	Enterprise data controls

                "Customer data submitted to Vertex AI APIs is not used to train Google models."
                — Google Cloud Data Processing Terms
            

key Bring Your Own Key (BYOK) NEW

Apex subscribers can plug in their own provider API keys. AI requests are sent directly to the provider you chose — bypassing RTRGRD's Firebase backend entirely. You pay the provider, not us, and you keep full control of usage logs, retention policies, and data-processing agreements negotiated under your account.

bolt Google Gemini

smart_toy OpenAI

psychology Anthropic Claude

flash_on xAI Grok

speed Groq

Sanitization still applies. The same 30+ credential patterns are stripped before any request leaves your machine, whether it's headed to Vertex AI or your own provider account. Keys are stored in userData/byok-keys.json protected by Electron safeStorage (OS-level encryption).

wifi_off 100% Offline Mode

Don't want any cloud AI? Enable Privacy Mode:

memory Google Gemma 4 (E2B / E4B / 26B MoE), local

cloud_off Zero network calls

smart_toy Full Copilot & Ghost Text

security Air-gapped compatible

lock Credential Storage

SSH and enable passwords are stored using Electron safeStorage:

Platform	Encryption
Windows	DPAPI (tied to user account)
macOS	Keychain
Linux	libsecret

Credentials are never stored in plain text, config files, or localStorage.

block What We Don't Do

✕ Store your configs on our servers
✕ Train AI on your data
✕ Log your terminal sessions
✕ Access your credentials
✕ Phone home without your action

verified_user Security Summary

Layer	Protection
Transport	HTTPS + SSH encryption
Storage	OS-encrypted credential vault
AI Requests	30+ pattern sanitization
Learning	Sensitive commands blocked
Cloud Provider	Vertex AI (no training)
Offline Option	Full local LLM mode

Questions?

Use the Bug Reporter (bottom-right) to submit security questions or report vulnerabilities.