Privacy

Zero-cleartext boundary and Groth16 proof surface.

OpenEncoder and Ionizer prepare deterministic field payloads. Those payloads are not raw source text, but they should still be treated as sensitive metadata.

Local

Never Leaves

Source text, local mapback ledgers, client secrets, and decoded answer reports stay in the user's environment.

Local Control

Preprocess Freely

Customers may encrypt at rest, redact, tokenize, shard, normalize, or apply their own controls before field generation. The service boundary is the compatible field envelope, not the customer's internal data pipeline.

Mental Model

Library Card, Not Lockbox

Cryptography protects a book in transit. Mushku's field path sends a coordinate-like field envelope. Without the customer's local corpus and local mapback ledger, the service-side envelope is not the readable source.

Server

Receives Envelope

The server receives the field-envelope compatibility contract, a non-secret manifest, request metadata, package receipts, quote inputs, payment records, saved result receipts, and optional account corpus field tensors needed for quote, run, and replay.

Saved Corpus

Field Tensors Only

Logged-in users may maintain a growing account corpus field. Mushku stores the derived field tensor, hashes, dimensions, and receipts. Source files, local recovery ledgers, client secrets, and decoded answers remain client-side.

Not Encryption

Be Honest

Deterministic encoding is not a cipher suite and should not be treated as secret-free answer recovery.

Groth16 zkSNARK

Bounded Claim

OpenEncoder includes a gated Groth16 zkSNARK proof surface for its pinned reference circuit. That claim is bounded to the passed circuit receipt and is separate from the browser egress boundary.

Inspectability

Verify the Request

Use DevTools or a local TLS proxy to inspect the outbound envelope. Packet capture alone usually shows TLS metadata, not HTTPS bodies.

Known Leakage

Sensitive Metadata

Envelope shape, tensor counts, context labels, request structure, timing, account metadata, and repeated-request correlation can be visible. Treat generated field payloads as sensitive metadata.
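
The checks described under Inspectability and Known Leakage, run over a HAR file exported from the DevTools Network panel. This is an added example, not Mushku's code: it flags request bodies that echo word runs from the local source text and counts byte-identical bodies, which is the repeated-request correlation signal. The URLs, JSON field names and sample HAR are constructed assumptions, since this page does not document the real envelope layout.

```python
import hashlib
import re
from collections import Counter

def normalize(text):
    """Lowercase and collapse punctuation so JSON escaping cannot hide a match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def shingles(text, n=4):
    """All runs of n consecutive words in the local source text."""
    words = normalize(text).split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def audit_har(har, source_text, n=4):
    """Return (leaks, repeated): bodies echoing source words, and digests seen more than once."""
    needles = shingles(source_text, n)
    leaks, digests = [], Counter()
    for entry in har["log"]["entries"]:
        request = entry["request"]
        body = (request.get("postData") or {}).get("text")
        if not body:
            continue  # GET or empty body: nothing to inspect
        digests[hashlib.sha256(body.encode("utf-8")).hexdigest()] += 1
        haystack = f" {normalize(body)} "
        hits = sorted(s for s in needles if f" {s} " in haystack)
        if hits:
            leaks.append((request["url"], hits))
    repeated = {d: c for d, c in digests.items() if c > 1}
    return leaks, repeated

# Constructed sample: field names and URLs are hypothetical, not the real envelope.
SOURCE = "The quarterly revenue forecast was revised downward after the audit."
ENVELOPE = '{"field":[0.12,-0.5,0.33,0.9],"dims":[1,4],"context":"q3"}'
def _entry(url, body=None):
    request = {"method": "POST" if body else "GET", "url": url}
    if body is not None:
        request["postData"] = {"mimeType": "application/json", "text": body}
    return {"request": request}
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://api.example.invalid/quote", ENVELOPE),
    _entry("https://api.example.invalid/run", ENVELOPE),
    _entry("https://api.example.invalid/health"),
    _entry("https://api.example.invalid/debug",
           '{"note":"quarterly revenue forecast was revised"}'),
]}}

if __name__ == "__main__":
    leaks, repeated = audit_har(SAMPLE_HAR, SOURCE)
    print("cleartext leaks:", leaks)
    print("repeated bodies:", repeated)
```

For a real capture, load the export with `json.load` and pass the local source text. An empty leak list only rules out verbatim word runs, not other encodings of the text.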

Account

Pseudonymous

Sign-in stores a hashed OAuth subject/handle, not email, name, avatar, or profile fields. The product ledger is pseudonymous and append-only: credits, package receipts, quotes, search receipts, replay records, and account corpus field receipts needed to operate. Infrastructure and payment providers may still process standard security, transport, and payment metadata.

Billing

Stripe

Stripe handles checkout. Mushku keeps the resulting balance and receipt records in the pseudonymous append-only ledger needed to provide paid search.

Deletion

Request by Email

For deletion or account questions, email the account handle and relevant receipt IDs to sram@mushku.com.

Security

Report Privately

Please send security reports to sram@mushku.com instead of posting exploit details publicly.