Pastewatch is designed with security as a core constraint, not a feature.

Pastewatch operates locally. There is no server. No telemetry. No network calls.

The clipboard content never leaves your machine.

Known limitations:

1. Detection is conservative — Unknown secret formats will not be detected
2. No encryption — Obfuscated content uses plaintext placeholders
3. Memory only — Mappings are not persisted (by design)
4. GUI is macOS only — CLI and MCP server run on macOS and Linux

• System clipboard (read and write) — GUI only
• Files and directories — CLI scan and MCP read/write tools
• Configuration file at ~/.config/pastewatch/config.json
• System notification service — GUI only
• MCP audit log file (if --audit-log specified)

• Network
• Other applications' data
• Keychain
• Screen content

If you discover a security vulnerability:

1. Do not open a public issue
2. Email the maintainer directly (see GitHub profile)
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
4. Allow 90 days for response before public disclosure

Security fixes will be released as patch versions (e.g., 0.1.1) and documented in CHANGELOG.md.

All releases include SHA256 checksums. Verify downloads:

shasum -a 256 -c Pastewatch-vX.X.X.dmg.sha256

This software is provided as-is. It does not guarantee security or compliance.

See LICENSE for full terms.