
Security — How Your Code Stays Safe

Last updated: February 23, 2026

1. Architecture Overview

SYKE is a local MCP (Model Context Protocol) server. It runs entirely on your machine as a process launched by your AI coding tool. Your source code, dependency graph, and analysis data are never sent to SYKE's servers.

The MCP server reads your file system directly. All analysis — dependency parsing, impact calculation, build gate evaluation — happens in-process on your machine. SYKE's cloud infrastructure is only involved in license key validation.

2. Data Flow Diagram

┌─────────────┐     MCP Protocol     ┌──────────────┐
│  AI Agent   │ ◄──────────────────► │  SYKE MCP    │
│ (Claude,    │   tool calls &       │  Server      │
│  Cursor)    │   responses          │  (localhost) │
└─────────────┘                      └──────┬───────┘
                                            │ local file
                                            │ system only
                                     ┌──────▼───────┐
                                     │  Your Code   │
                                     │  (never      │
                                     │   uploaded)  │
                                     └──────────────┘

Optional (Pro + BYOK):
┌──────────────┐    your API key     ┌──────────────┐
│  SYKE MCP    │ ──────────────────► │  AI Provider │
│  Server      │   code snippets     │  (Gemini)    │
│  (localhost) │ ◄────────────────── │              │
└──────────────┘   analysis result   └──────────────┘

3. What We Collect

SYKE's cloud infrastructure receives only the minimum data necessary to validate your license:

Data        | Purpose                             | Retention
License key | Verify active Pro subscription      | Stored in Firestore while account is active
IP address  | Rate limiting, abuse prevention     | Server logs, 30 days
Timestamp   | Session heartbeat / device tracking | Server logs, 30 days

That is the complete list. No other data is transmitted to our servers.

4. What We Do NOT Collect

  • Source code: None of your files, file contents, or code snippets are ever sent to SYKE's servers.
  • File names and paths: The local file paths your MCP server scans remain on your machine.
  • Dependency graph data: The graph SYKE builds of your codebase lives in memory on your machine only.
  • Analysis results: Impact analysis, build gate verdicts, and hub detection results are returned to your AI agent locally and never logged remotely.
  • Git history: SYKE does not access or transmit your repository history.
  • Usage telemetry: We do not track which tools you call, how often, or on which files.

5. Third-Party Services

SYKE uses the following external services for account and payment management only:

  • Firebase Auth (Google) — Account authentication and session management. Your credentials are handled by Google's infrastructure. Firebase Privacy Policy
  • Paddle — Payment processing. Paddle acts as Merchant of Record. SYKE never stores your payment details. Paddle Privacy Policy
  • AI providers (your key only) — When you use AI analysis features (Pro), requests are made using your own API key directly from your machine. See Section 6 below.

6. AI Analysis (BYOK)

The ai_analyze and check_warnings tools use AI to semantically analyze cascade impacts. This is a Bring Your Own Key (BYOK) feature.

  • Your API key (e.g., Gemini API key) is stored in your local MCP configuration file, not on SYKE's servers.
  • When AI analysis is invoked, your local SYKE MCP server sends the relevant code snippets directly to your configured AI provider (e.g., Google Gemini). The request does not route through SYKE's infrastructure.
  • The analysis result is returned from the AI provider directly to your local MCP server and then to your AI agent. It is never stored or logged by SYKE.
  • You control exactly which AI provider you use and which API key authorizes the requests.

7. Open Source

The SYKE MCP server is published as an open npm package: @syke1/mcp-server. The package contents are publicly inspectable by anyone.

You can verify exactly what code runs on your machine by inspecting the package source. This is a deliberate transparency measure: we believe you should be able to audit any tool that runs in your development environment.
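
One way to start that audit, as an added example that is not SYKE's own code: list every hostname hard-coded in the unpacked package and report the ones outside the hosts the data-flow sections lead you to expect. The allowlist is an assumption; the page does not name the license endpoint, so license.example.invalid is a placeholder, and the sample files are constructed.

```javascript
// Added example (not SYKE's code). EXPECTED_HOSTS is an assumption: the page
// does not name the license endpoint, so a placeholder stands in for it.
const EXPECTED_HOSTS = new Set([
  'license.example.invalid',            // placeholder: license-validation host
  'generativelanguage.googleapis.com',  // Gemini API host used by BYOK requests
]);
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?/gi;

// Hostnames that appear in URL literals in one source text.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// files: Map of path -> text. Returns [{ file, host }] for hosts outside `allow`.
function unexpectedHosts(files, allow = EXPECTED_HOSTS) {
  const findings = [];
  for (const [file, text] of files) {
    for (const host of extractHosts(text)) {
      if (!allow.has(host)) findings.push({ file, host });
    }
  }
  return findings;
}

// Load every .js/.cjs/.mjs file under an unpacked package directory.
async function loadPackage(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const files = new Map();
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) walk(p);
      else if (/\.[cm]?js$/.test(e.name)) files.set(p, fs.readFileSync(p, 'utf8'));
    }
  };
  walk(dir);
  return files;
}

// Constructed sample standing in for package files (not real package contents).
const SAMPLE = new Map([
  ['dist/license.js', 'fetch("https://license.example.invalid/v1/validate")'],
  ['dist/ai.js', 'const u = "https://generativelanguage.googleapis.com/v1beta";'],
  ['dist/extra.js', 'post("https://metrics.example.invalid/collect", body)'],
]);
console.log(unexpectedHosts(SAMPLE));
```

To run it on the real package, unpack the tarball produced by npm pack @syke1/mcp-server and pass the resulting directory to loadPackage, then to unexpectedHosts. Hostnames assembled at runtime or located in dependencies will not appear, so treat the output as a first pass and confirm with observed network traffic.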

8. Contact

For security questions or responsible disclosure, contact us at support@syke.cloud.