Security & data handling

The security review, pre-written

If your organization reviews MCP servers before allowing them — good. It should. An MCP server is code that runs inside your editor's agent loop, so the right questions are: what does it execute, what does it send, and where. This page answers all three, and ends with a block you can paste straight into the approval ticket.

What actually runs on the machine

  • Open source, inspectable before you run it. npx threadctx-mcp runs the published npm package, MIT-licensed, with its source public at github.com/threadctx-dev/threadctx-mcp. What's on npm is built from that repo — your security team can read every line the agent will load.
  • Small supply-chain surface. One runtime dependency (the official MCP SDK from the Model Context Protocol project), no native modules to compile, no postinstall scripts, lockfile committed. The local store is a plain JSON file at ~/.threadctx/local.json you can open, audit, or delete at any time — inspect it with npx threadctx-mcp list, which is read-only and makes no network calls.
  • One disclosed write, with an off switch. On first start in a repo, the server adds a “check team memory before starting work” instruction to the repo's agent rule files (AGENTS.md, CLAUDE.md, and tool-specific files when detected). That is the only thing it writes outside its own data directory, it's idempotent, and THREADCTX_NO_AUTO_RULES=1 turns it off entirely. We'd rather you hear about this here than find it in a diff.

Network egress, exactly

This is the table your firewall/proxy team wants. There are no other hosts, no telemetry endpoints, and no analytics beacons in the package.

ModeEgressNotes
Local mode (default)NoneEverything stays in a plain JSON file at ~/.threadctx/local.json. No account, no telemetry.
Cloud mode (Team plan)https://threadctx.dev/api/v1The only host the server contacts. Allow this one domain and cloud mode works behind a proxy.
capture command (optional, off by default)Your own LLM providerCalls Anthropic or OpenAI directly with your key to distill git history. Never routed through threadctx.

Teams that can't allow any external egress can self-host the backend and point the server at it with a single environment variable (THREADCTX_API_URL) — see custom & enterprise integration.

What leaves the machine — and what never does

  • Never: your source code. threadctx's tools accept short, agent-written notes — a decision, a fix, a gotcha — plus tags and a repo identifier. There is no code-upload path in the protocol surface: the server exposes exactly two tools, memory_write and memory_query, and neither reads your files.
  • Cloud mode transmits memory entries only, scoped per team and per repository, over TLS, authenticated on every request. Server-side we store only a salted hash of your API key — there are no passwords in the system. Full detail, including the named sub-processors (Vercel, Neon, Upstash, Stripe, Resend) and retention/deletion terms, is in the privacy policy.
  • Deletion is real and self-serve. Individual or bulk deletion from the dashboard, and full team erasure (database and vector index) on request to founders@threadctx.dev. We don't sell data and we don't train models on memory content.

What we don't claim

No badge theater here. threadctx does not currently hold a SOC 2 report or other audited certification — formal compliance work is on the enterprise roadmap, and if your procurement process requires it, email us and we'll tell you honestly where it stands. What we offer today is something an auditor can't: the entire client is open source, the egress surface is one domain, and the default mode sends nothing at all. For organizations that need more, self-hosting puts every byte inside your own perimeter.

Blocked by your admin? Send them this.

If your company allowlists MCP servers and threadctx isn't on the list yet, paste this into the approval request — it covers what a reviewer needs to make a call.

approval-request.txt
Requesting approval for the "threadctx" MCP server (npm: threadctx-mcp).

What it is: shared memory for AI coding agents — an MCP server exposing two
tools (memory_write, memory_query) that let our coding agents save and recall
short engineering notes (decisions, fixes, gotchas) scoped to a repo.

What it runs: the published npm package threadctx-mcp, MIT-licensed, source
public at https://github.com/threadctx-dev/threadctx-mcp. No native
dependencies, no install scripts, one runtime dependency (the official MCP
SDK), lockfile committed.

Network egress:
- Local mode (default): zero network calls.
- Cloud mode (team plan): HTTPS to https://threadctx.dev/api/v1 only.
- No telemetry, no analytics beacons, no other hosts.

Data that leaves the machine (cloud mode only): short agent-written memory
entries — note text, tags, and a repo identifier. Never source code, diffs,
or file contents. Data handling: https://threadctx.dev/privacy
Full security overview: https://threadctx.dev/security

If your reviewer has questions this page doesn't answer, we'll answer them directly — that's not an enterprise-tier favor, it's how approval reviews should work.

Security questions? Ask the people who wrote it.

Vulnerability reports, review questionnaires, or a proxy config that won't cooperate — email us and a maintainer answers.