Skip to content

Security (User-Facing)

CLI Pal is designed to reduce exposure while giving you full control.

Access model

  • No SSH keys are stored on the platform.
  • The agent opens an outbound-only WSS connection from your server.
  • Terminal sessions require your server credentials plus a short-lived token from the web app.

Account safety

  • Enable 2FA in your account settings.
  • Use strong, unique passwords; password hashes use bcrypt.
  • Log out of shared machines and avoid sharing session links.

Data handling

What we store

  • System metrics: CPU, RAM, Disk, Network usage (numeric values only)
  • MySQL metrics: Performance counters, health scores, configuration variables
  • Query digests: Normalized SQL patterns without actual data values
  • Example stored: SELECT * FROM users WHERE id = ?
  • NOT stored: SELECT * FROM users WHERE id = 123
  • EXPLAIN plans: Query execution plans in JSON format (no data values)
  • Failed login attempts: Timestamps, usernames, IPs, geolocation data
  • Agent metadata: Version, connection status, last check-in time

What we DON'T store

  • SSH keys - Never sent to or stored on the platform
  • Server passwords - Terminal authentication happens on your server
  • Actual query data - Only normalized patterns (digests) are stored
  • Row contents - Query result sets never leave your server
  • Private keys or certificates - Not collected or transmitted

Data transmission

  • All data flows through TLS-encrypted WebSocket (WSS) connections
  • Agent opens outbound-only connection (no inbound ports)
  • Short-lived tokens for terminal sessions (expire after use)
  • Agent tokens are single-use for installation, then replaced with persistent credentials

AI provider usage

  • AI requests are sent to OpenRouter for processing
  • Only send: query patterns, config variables, metrics context
  • Never send: actual data values, passwords, private keys
  • Avoid pasting secrets or sensitive information in AI prompts

Token security

  • Install tokens: Short-lived, single-use (expire after first connection)
  • Session tokens: Expire after terminal session closes
  • If a token is compromised, revoke it in the dashboard and reinstall the agent
  • Agent credentials are stored in /opt/clipal/clipal.conf with restricted permissions

Hardening tips

  • Keep your server packages updated.
  • Limit sudo/root access to trusted users.
  • Use firewalls to allow only required outbound traffic.
  • Monitor failed logins in the dashboard and block abusive IPs.