Docs/Security & Changelog

Privacy & Security

Assrt is designed so that sensitive data never leaves systems you control. This page summarizes how the CLI and Cloud handle secrets, traces, and third-party calls.

Secrets

  • Values in secret.* are masked in logs, traces, and reports.
  • Cloud secrets are encrypted at rest with a per-workspace key.
  • CLI secrets come from the process environment, never committed to the repo.

Traces and screenshots

  • Screenshots can be redacted with redact selectors in config.
  • Network request bodies are stripped of masked values before being written to disk.
  • Trace retention is configurable per project.

Data boundaries

  • The CLI sends nothing to Assrt servers unless you run with --cloud.
  • Model calls for AI steps use the provider configured in assrt.config.yaml; bring-your-own-key keeps traffic under your account.
  • Cloud runs happen on isolated, per-workspace browser sandboxes.