Privacy & Indexing
ContextStream is designed with security-first principles. Your code is protected with enterprise-grade encryption, isolated per workspace, and you have full control over what gets indexed.
How Your Code is Protected
Encrypted in Transit (TLS 1.3)
All data between your machine and ContextStream uses TLS 1.3, the latest transport security standard. No older protocols, no weak ciphers, mandatory forward secrecy.
Encrypted at Rest (AES-256)
Your data is stored with AES-256 encryption, the same standard used by governments for classified information. The 2^256 key space makes brute-force attacks computationally impossible.
Workspace Isolation
Each workspace is completely isolated. There is no cross-tenant access - your data is only accessible to you and your team members.
You Control Your Data
Delete your data anytime from the dashboard. When you delete events, knowledge, or entire workspaces, the data is permanently removed.
What Gets Indexed
When you enable code indexing, ContextStream analyzes your codebase to provide semantic search and context-aware assistance. Here's what happens:
Source Code Files
Code files (*.ts, *.js, *.py, *.rs, *.go, etc.) are parsed to extract functions, classes, and their relationships. This enables semantic search like "where is authentication handled?"
Documentation & Comments
README files, docstrings, and comments are indexed to help the AI understand your codebase conventions and architecture decisions.
Configuration Files
Package.json, Cargo.toml, pyproject.toml, and similar files help ContextStream understand your project structure and dependencies.
Default Exclusions
The following patterns are always excluded from indexing, even without any configuration:
# Always excluded by default (built into ContextStream)
node_modules/
.git/
dist/
build/
*.lock
package-lock.json
yarn.lock
pnpm-lock.yaml
*.min.js
*.min.css
__pycache__/
*.pyc
.venv/
venv/
target/ # Rust
.gradle/ # Java/Kotlin
*.class
These defaults ensure that large generated files, dependencies, and common sensitive patterns are never indexed. You cannot override these built-in exclusions.
Custom Exclusions with .contextstream/ignore
For extra-sensitive files or directories, create a .contextstream/ignore file in your project root. This uses the same syntax as .gitignore.
# .contextstream/ignore
# Patterns follow .gitignore syntax
# Your code is already encrypted (TLS 1.3 + AES-256) and workspace-isolated.
# This file is for extra-sensitive paths you prefer to keep completely off the index.
# Sensitive directories
customer-data/
secrets/
.env*
# Keys and certificates
*.pem
*.key
*.p12
# Large generated files
dist/
build/
node_modules/
# Vendor/third-party (often not useful to index)
vendor/
third-party/
# Project-specific exclusions
# my-secret-project/
Pattern Syntax
customer-data/Exclude entire directory
*.pemExclude by extension
.env*Wildcard patterns
!important.pemNegate pattern (include)
.contextstream/ignore file for you. Run npx -y @contextstream/mcp-server setup and follow the prompts.Global vs Project Ignore
Project-level
.contextstream/ignorePlaced in your project root. Applies only to this project. Commit to version control to share with your team.
Global (user-level)
~/.contextstream/ignorePlaced in your home directory. Applies to all your projects. Useful for personal patterns like client work directories.
Both files are merged at runtime. Project-level patterns take precedence over global patterns.
AI Tool Hooks
ContextStream can install hooks that redirect local file searches (Glob, Grep) to use ContextStream's semantic search instead. This provides faster, more accurate results from the indexed codebase.
How Hooks Work
- When Claude Code or another MCP client calls Glob/Grep
- The hook intercepts the request
- If the path is indexed, it redirects to ContextStream semantic search
- If the path is in
.contextstream/ignore, the local tool runs normally
Smart Scoping
Hooks respect your .contextstream/ignore patterns. Files you exclude from indexing will use local tools automatically, preventing infinite loops when searching unindexed directories.
Hook Configuration
Hooks are configured in your Claude Code settings. The setup wizard installs these automatically:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Glob|Grep",
"hooks": [
{
"type": "command",
"command": "python3 ~/.contextstream/hooks/contextstream-redirect.py"
}
]
}
]
}
}Disabling Code Indexing
Code indexing is optional. You can use ContextStream purely for memory (decisions, insights, lessons) without indexing any code.
Memory-Only Mode
Simply don't run project(action="ingest_local") or skip the indexing step in the setup wizard. ContextStream will still capture and recall your decisions, preferences, and insights without touching your code.
For projects where you want memory but not code search, this is the recommended approach. You get context continuity across sessions without any code leaving your machine.
Frequently Asked Questions
Can I delete my indexed code?
Yes. Go to your project settings in the dashboard and use the "Delete Index" option. This removes all indexed code from ContextStream while keeping your memory events intact.
Is my code used to train AI models?
No. Your code is used only for search and retrieval within your own workspace. It is never used for training, shared with other users, or accessed outside your team.
What happens if I work on client projects?
Create separate workspaces for each client to maintain isolation. Use the global~/.contextstream/ignore to exclude sensitive client directories from ever being indexed.
Can team members see my indexed code?
Only if they're part of your workspace. Workspace access is controlled by you. Personal workspaces are private; team workspaces share access among invited members.