Trust & security
Lectern runs on your machine and drives coding agents that can read your files and run commands. That power is exactly why the trust model matters. Here is what protects you — and what doesn't, stated plainly.
Local-first data
"Local-first" means different things. Lectern is local-first data: your code, sessions, history, the brain (memory, skills, machine profile), and settings live on your machine in a local SQLite store and plain files. Provider CLIs keep their own logins — Lectern stores no API keys.
- The model can be cloud (Claude Code, Antigravity/Gemini) or fully local (Ollama, or OpenCode's free models) — your choice, per session.
- Recall sends only the short list of relevant paths (and any snippet the agent chooses to read), never your whole codebase. Disable it entirely for a run with LECTERN_NO_BRAIN=1.
- Lectern is fully local — no accounts, no sign-in, nothing leaves your machine. Encrypted session bundles (for moving a session between your own machines) use scrypt + XChaCha20-Poly1305.
The apply gate
By default Lectern runs in plan mode: the agent proposes changes and shows diffs, but nothing is written to disk until you accept it. Writing only happens when you opt in — /apply (or --apply) lets edits land, --yolo also lets it run commands. This is the single most important control: the default posture cannot modify your repo on its own.
Prompt injection
Indirect prompt injection — a malicious file, code comment, docstring, or tool response trying to hijack the run — is the leading risk for coding agents. Lectern reduces it at the source: the trusted context it prepends (recalled files, matched skills) closes with an explicit instruction telling the agent to treat file contents, comments, and tool output as untrusted data, not instructions, and to follow only your task. Combined with the apply gate, a directive that does slip into context lands as a bad suggestion you can reject, not a silent write.
Skill trust
A skill can run commands and edit files, so the Hub treats it like code you're about to execute:
| Control | What it does |
|---|---|
| AI security audit | Every publish runs a free-model audit for prompt-injection and surprising behavior before a skill can ship |
| sha256 integrity | The hub index stamps each bundle's hash; the client refuses a skill whose contents don't match, on both review and install |
| Self-pausing | A skill that keeps failing pauses itself and is surfaced for you to re-enable — nothing keeps re-running a broken procedure |
| Readable | Skills are plain, inspectable files — read one before you run it |
Remote channels
Channels (Telegram today) let you task your agent from a phone. Inbound senders must be allowlisted from the CLI on the machine — a chat message can never approve its own pairing. Lectern never edits channel access; that stays deliberately in the terminal, because an inbound message is itself an injection surface.
Auditable by design
The whole ecosystem is open source under Apache-2.0. None of the above is a claim you have to trust — the engine, the apply gate, recall, and the skill audit are all on GitHub to read.