Data flow — what leaves your machine
An agent that runs on your machines and executes commands deserves a blunt answer to one question: what does it send, where, and can I turn it off? This page is that answer — an exhaustive inventory produced from a code-level audit of the shipped binary (last verified 2026-07-03). If a connection is not listed here, the binary does not make it.
The headline: your session traffic is not readable by our cloud
The session plane — terminal, chat, file operations, remote exec — runs on your hardware, and its TLS terminates on your machine:
- Dynamic
<server>.cmdop.devaddress: our edge routes by SNI at the connection level and never decrypts. Your server generates its own private key locally and sends up only a certificate-signing request; the signed certificate comes back, the private key never leaves your machine. What passes through our edge is encrypted bytes we cannot read. - Your own domain: your server obtains its own certificate directly (ACME) and holds it locally. Our infrastructure is not in the path.
- LAN / localhost: traffic never leaves your network at all.
One deliberate exception: the separate cmdop tunnel <port> command (expose
a local port to the public internet, ngrok-style) does terminate TLS at
our edge — that is how a browser-reachable URL for an arbitrary local port
works. It runs only when you explicitly type the command, and it is not part
of the session plane above.
Every connection the binary can open
| Connection | When it fires | What is in it | How to avoid it |
|---|---|---|---|
| Relay link | While the agent is running (its one always-on connection, outbound-only) | Session traffic (encrypted end-to-end to your own server, see above) plus machine registration: hostname, OS and kernel version, hardware profile (CPU, RAM), local and public IP addresses, OS username, whether a connection PIN is set. A heartbeat every 30 seconds refreshes CPU/memory/IP. | Self-host: point the agent at your own relay on LAN/localhost — nothing reaches our cloud. |
| Public-address provisioning | Only when you enable a public <server>.cmdop.dev address | Requested subdomain, your enrollment credential, binary version, and a certificate-signing request (public material only — never the private key). | Don’t enable public mode; use LAN or your own domain. |
| LLM inference | Every AI turn (chat, sub-agents, scheduled runs) when using hosted inference | The prompt and a sliding window of conversation history, tool definitions, and tool results — which can include file snippets and terminal output the agent read while working. | Bring your own endpoint: point the model configuration at any OpenAI-compatible base URL (your provider, your own gateway, a local model). Prompts then go only there. |
| Web search / image generation | Only when the agent invokes those tools | The search query string / the image prompt. | Same endpoint override as inference; the tools are absent when hosted inference is not configured. |
| Crash & error telemetry | On crashes and error-level faults. On by default — the first run prints a one-line notice saying so, and cmdop doctor shows the current state at any time. | Crash kind, scrubbed message and stack trace (usernames, home paths, and any tokens/keys are stripped before anything is written or sent), binary version, OS/arch, and a random per-install identifier not tied to your account identity. | CMDOP_TELEMETRY=0 (or telemetry.enabled: false in config). Also inactive whenever no platform API key is configured. |
| Update check | On start and once daily | A plain GET for the latest-version manifest. No identifiers, no machine data — nothing about you is in the request. | Pin the version (CMDOP_PIN_VERSION) or disable auto-update in config. |
| Skills install | Only when you install/update a skill from GitHub | A fetch of that repository’s files. | Don’t install remote skills. |
| Public-IP lookup | During machine registration | A bare “what is my IP” request to a public IP service (the response is what appears in your machine’s registration entry). | Self-host/LAN mode never registers to the cloud. |
| Account & fleet REST | On explicit commands (cmdop login, machine list) | Standard authenticated API calls; login is a browser device flow. | Self-hosted deployments talk to your own endpoint. |
What never leaves your machine
- The TLS private key for your server’s public address — generated locally, never transmitted.
- Session history and chat transcripts — stored in local databases on the machine; there is no upload path for them.
- The audit log and raw logs — local files. Only scrubbed error-level records feed the crash telemetry above (and only when telemetry is active).
- Credentials — tokens and the connection PIN live in the OS keyring (with an encrypted-file fallback on headless hosts); they are used as auth headers, never sent as content, and the telemetry scrubber additionally redacts any token-shaped string from crash traces.
- Environment variables, shell command lines, and secrets — the agent’s machine-info reporting has a hard redaction contract: host facts only.
What we deliberately don’t do
- No third-party analytics or tracking SDKs. The only telemetry client in the binary is the first-party crash reporter described above. There is no Sentry, PostHog, or equivalent, and the update check carries no identifiers.
- No training on your data. Hosted inference transits prompts to serve your request; transcripts stay on your machine (see above).
- No silent downloads. The binary does not fetch models or engine assets in the background today; if that changes for optional features, it will be explicit and documented here first.
- No inbound listeners on the public internet (outside the address you explicitly provision). The agent dials outbound only — NAT-friendly, nothing to port-forward, nothing listening for strangers.
Who can act on your machine
Reachability is not authorization. A machine joins your network only through an explicit, credentialed enrollment step you perform; attaching to a machine can additionally require a per-machine connection PIN; and high-risk commands fail closed when no approver is present. The full authorization story — identity, the permission gate and its non-bypassable floor, and auditing — lives in the Security model.
Verifying this page
The claims here are auditable from outside the binary: run it behind a network
monitor (Little Snitch, tcpdump, an egress firewall) and compare what you see
against the table above. If you find a connection this page does not list,
that’s a bug — report it.