RTRGRD — Security & Privacy

home Local-First Architecture

RTRGRD is built for network engineers who work with sensitive infrastructure. We know your configs contain passwords, SNMP strings, and keys that should never leave your control.

What	Where It Lives
Your device configs	Your machine only
RAG database	Local AppData folder
Embeddings	Processed locally (Nomic)
Credentials	OS-encrypted storage

Nothing is uploaded unless you explicitly use AI features—and even then, we scrub it first.

cleaning_services The Sanitization Layer

Before any data reaches cloud AI, our Sanitization Service automatically redacts sensitive patterns.

30+ Credential Patterns Blocked

Category	Examples
Passwords	`enable secret`, `username ... password`
Keys	`crypto key`, `pre-shared-key`, `private-key`
SNMP	`snmp-server community`, `snmp community`
Infrastructure	TACACS/RADIUS keys, AAA secrets, WPA passphrases
Certificates	`BEGIN CERTIFICATE`, `BEGIN RSA PRIVATE KEY`

How It Works

Terminal Output → Sanitization Layer → [REDACTED] → Cloud AI Guardian Orb shows "X secrets protected" per request

You see real data. The AI sees [REDACTED]. The Guardian Orb indicator shows exactly how many secrets were protected per request.

LAYG Protection

The Learn-As-You-Go system is also protected. Commands like enable password or snmp-server community are blocked from being learned—so sensitive patterns never enter autocomplete.

cloud_done Google Vertex AI — No Training on Your Data

We use Google Cloud AI (Vertex AI) for cloud intelligence — the enterprise-grade API with strict data processing guarantees, not consumer-facing APIs.

Why This Matters

Consumer API	Vertex AI (What We Use)
May use data for training	No training on customer data
API key in client	Service account auth
Less control	Enterprise data controls

                "Customer data submitted to Vertex AI APIs is not used to train Google models."
                — Google Cloud Data Processing Terms
            

wifi_off 100% Offline Mode

Don't want any cloud AI? Enable Privacy Mode:

memory IBM Granite 3.3 8B local

cloud_off Zero network calls

smart_toy Full Copilot & Ghost Text

security Air-gapped compatible

lock Credential Storage

SSH and enable passwords are stored using Electron safeStorage:

Platform	Encryption
Windows	DPAPI (tied to user account)
macOS	Keychain
Linux	libsecret

Credentials are never stored in plain text, config files, or localStorage.

block What We Don't Do

✕ Store your configs on our servers
✕ Train AI on your data
✕ Log your terminal sessions
✕ Access your credentials
✕ Phone home without your action

verified_user Security Summary

Layer	Protection
Transport	HTTPS + SSH encryption
Storage	OS-encrypted credential vault
AI Requests	30+ pattern sanitization
Learning	Sensitive commands blocked
Cloud Provider	Vertex AI (no training)
Offline Option	Full local LLM mode

Questions?

Use the Bug Reporter (bottom-right) to submit security questions or report vulnerabilities.