Decalyst security

Decalyst includes a built-in 20-point security scanner that runs on every diff. BYOK keys live in the user's OS keychain, the backend URL is build-time and never user-editable, and all loaded context files are scanned for prompt injection before they reach the model.

20-point security scanner

Every diff is audited at no extra cost on every tier. The scanner checks:

  • 1.Unprotected routes and missing auth middleware
  • 2.JWT validation (signature, expiry, audience)
  • 3.Password storage (bcrypt/argon2 only)
  • 4.Session fixation (regenerate session ID after login)
  • 5.Role checks (not just authenticated, also authorized)
  • 6.SQL injection (parameterized queries)
  • 7.Command injection (no exec on user input)
  • 8.XSS (sanitized rendering, no dangerouslySetInnerHTML on user content)
  • 9.Path traversal (no ../ from user input)
  • 10.Hardcoded secrets in source code

BYOK and credentials

User-supplied LLM keys live in the local OS keychain (Windows Credential Manager, macOS Keychain, libsecret on Linux). Decalyst never uploads or proxies the key. The model call is direct from the IDE process to the provider. The backend URL is set at build time via VITE_BACKEND_URL and is never exposed in the UI for user override.

Prompt injection scanning

Every context file (project README, docs, MCP tool outputs, web fetch results) is scanned for known injection patterns before its content is added to the model context. Patterns include instruction-override imperatives like ignore previous instructions, tool-call hijacks, exfiltration prompts, and indirect injection markers. Findings are stripped or sandboxed, with configuration available per project.

Pen-test skill

Decalyst can run a curated pen-test suite against user-built apps in a gVisor or Firecracker sandbox on Decalyst infrastructure. Findings flow into the Virtual Comments overlay anchored to the relevant source lines via per-framework source mapping. Hawk owns this pipeline.

Local-first architecture

The desktop IDE never uploads source code to Decalyst-controlled servers. Model calls go direct via BYOK or the user's selected hosted provider. The web product workspace is opt-in for cloud sync.

Reporting a vulnerability

Found a security issue? Email security@decalyst.com or submit at https://decalyst.com/security/report.