Claim Check treats intent text as as sensitive as source code — a goal like “Add the refund path for the Apollo billing migration” carries ticket titles, codenames, and roadmap signal. This page spells out what stays on your machine (everything that matters) and what the one local, opt-in telemetry feature records.
What never leaves your machine
- Your source and diffs. The scan and the claim check run entirely locally. Nothing is uploaded to Shipmoor — no files, no diffs, no repo paths.
- Your intent text. The resolved goal text is used locally and never transmitted.
- Model rationales. When a BYO-Judge runs, its free-text rationale is shown to you and never stored in telemetry — it’s treated as the highest-risk leak surface.
- Session transcripts.
--sessioningestion is explicitly opt-in (no auto-discovery), and the transcript is masked the moment it’s read.
Masking is the first step, everywhere
Every text input runs through the same secret scanner before anything else uses it:
- The intent line shown in output is the masked goal text — a pasted
sk_live_…key or AWS credential never survives into the terminal, the JSON report, or a judge prompt. - The change signal handed to a BYO-Judge is masked by the extractor first; secrets never reach the prompt.
- A session’s plan is carried as masked, term-level context only.
The BYO-Judge boundary
Shipmoor hosts and calls no model. The only way an LLM ever sees your change is the one you opt into: your own agent command (--agent), running under your existing provider relationship, receiving the masked change signal. A one-time notice tells you when that’s armed. SHIPMOOR_OFFLINE=1 disables it entirely.
Probe-coverage telemetry (local, opt-in, off by default)
Shipmoor’s probe library grows by knowing which task shapes it repeatedly couldn’t check. To surface that, you can opt in to a local record of each intent-resolved scan. It is designed so the record is useless to an adversary:
| Recorded (redaction-safe) | Deliberately NOT recorded |
|---|---|
| A salted intent fingerprint (SHA-256) | Raw intent text, in any form |
| Term frequencies over masked, normalized terms | Word order / the sentence |
Intent confidence (high/medium/low) | The model rationale (ever) |
| Which probes matched (or none) | Intent sources or ticket references |
| Whether a judge ran, and its shape | The diff, file paths, precise timestamps |
The protections, briefly: terms are extracted only after secret masking; the fingerprint is salted with a locally stored, never-recorded salt (no rainbow tables); short, low-entropy intents deliberately collide so they’re grouped, never individually identified; and recurring gaps are reported only when at least 3 distinct intent shapes cluster together.
The store is a local JSONL under your repo’s gitignored .shipmoor/. Nothing is transmitted — there is no server and no network call in this feature. On the first record in a session, the CLI discloses exactly what it’s writing:
shipmoor: recording redaction-safe probe-coverage telemetry locally (masked terms + a salted fingerprint only — no intent text or rationale).
SHIPMOOR_OFFLINE=1disables it.
The kill switch
SHIPMOOR_OFFLINE=1 wins over everything: it disables the BYO-Judge, the probe-coverage recording, and the Community scan’s optional package-registry lookup. The remaining network surface of the binary is account plumbing you invoke explicitly — login, upgrade, and license refresh. See Sign in & licensing.
Next
- BYO-Judge — the one opt-in path where a model sees the masked change.
- Security & privacy — the product-wide guarantees beyond Claim Check.