Lectern
GitHubDownload
Documentation

Trust & security

Lectern runs on your machine and drives coding agents that can read your files and run commands. That power is exactly why the trust model matters. Here is what protects you — and what doesn't, stated plainly.

Local-first data

"Local-first" means different things. Lectern is local-first data: your code, sessions, history, the brain (memory, skills, machine profile), and settings live on your machine in a local SQLite store and plain files. Provider CLIs keep their own logins — Lectern stores no API keys.

  • The model can be cloud (Claude Code, Antigravity/Gemini) or fully local (Ollama, or OpenCode's free models) — your choice, per session.
  • Recall sends only the short list of relevant paths (and any snippet the agent chooses to read), never your whole codebase. Disable it entirely for a run with LECTERN_NO_BRAIN=1.
  • Lectern is fully local — no accounts, no sign-in, nothing leaves your machine. Encrypted session bundles (for moving a session between your own machines) use scrypt + XChaCha20-Poly1305.

The apply gate

By default Lectern runs in plan mode: the agent proposes changes and shows diffs, but nothing is written to disk until you accept it. Writing only happens when you opt in — /apply (or --apply) lets edits land, --yolo also lets it run commands. This is the single most important control: the default posture cannot modify your repo on its own.

Prompt injection

Indirect prompt injection — a malicious file, code comment, docstring, or tool response trying to hijack the run — is the leading risk for coding agents. Lectern reduces it at the source: the trusted context it prepends (recalled files, matched skills) closes with an explicit instruction telling the agent to treat file contents, comments, and tool output as untrusted data, not instructions, and to follow only your task. Combined with the apply gate, a directive that does slip into context lands as a bad suggestion you can reject, not a silent write.

Skill trust

A skill can run commands and edit files, so the Hub treats it like code you're about to execute:

ControlWhat it does
AI security auditEvery publish runs a free-model audit for prompt-injection and surprising behavior before a skill can ship
sha256 integrityThe hub index stamps each bundle's hash; the client refuses a skill whose contents don't match, on both review and install
Self-pausingA skill that keeps failing pauses itself and is surfaced for you to re-enable — nothing keeps re-running a broken procedure
ReadableSkills are plain, inspectable files — read one before you run it

Remote channels

Channels (Telegram today) let you task your agent from a phone. Inbound senders must be allowlisted from the CLI on the machine — a chat message can never approve its own pairing. Lectern never edits channel access; that stays deliberately in the terminal, because an inbound message is itself an injection surface.

Auditable by design

The whole ecosystem is open source under Apache-2.0. None of the above is a claim you have to trust — the engine, the apply gate, recall, and the skill audit are all on GitHub to read.

Next: The desktop app
Lectern

An engine for your AI — local-first and backend-agnostic.

Product
OverviewPlatformFree & open sourceDownloadChangelog
Resources
DocsHubStudiesChangelog
Open source
GitHubLicense (Apache-2.0)Security
© 2026 Lectern · open source under Apache-2.0
One engine under your coding agents