The local Weavatrix MCP is local-first, collects no telemetry, requires no account, and sends no repository data to us by default. Its network capability group is disabled by default. Any graph upload requires that you configure a destination and enable the group explicitly.
The Weavatrix MCP server analyzes source code repositories on your own computer. All analysis
(graph building, audits, clone detection, coverage mapping) happens locally. Derived data — the
code graph — is written next to your repository (weavatrix-graphs/) and an advisory
cache to ~/.weavatrix/. By default, no repository data leaves your machine.
refresh_advisories — when the tool is invoked, the names and versions of
packages pinned in your lockfiles are sent to OSV.dev (a Google-run
public vulnerability database) to fetch security advisories. No source code is transmitted.sync_graph — disabled unless you configure an endpoint via the
WEAVATRIX_SYNC_URL environment variable. When the tool is invoked, it constructs a
versioned allowlist of graph metadata: relative paths, symbol names and line ranges,
import/dependency identifiers, edges and numeric metrics. Unknown graph fields are discarded;
source file bodies are not read for sync or included in the payload. The endpoint is one
you chose: your own compatible server or the optional operator preview at
app.weavatrix.com. Merely enabling the group does not upload anything; every upload
still requires an explicit tool call.Both tools live in an online capability group that is disabled by default and must be
added explicitly at registration time.
If you explicitly configure app.weavatrix.com as the sync destination and invoke
sync_graph, the allowlisted graph metadata described above is stored in Cloudflare D1
and R2. Distinct normalized revisions are retained so the authenticated owner can compare
dependency, cycle and architecture changes over time. Identical graph content is not stored as a
new revision. Source bodies, snippets, environment-variable values, credentials and Git remotes
are not part of the accepted contract.
The current hosted deployment is a private, single-operator preview, not a public sharing or team service. Reading stored graphs requires the owner session. Login sets one Secure, HttpOnly, SameSite=Strict session cookie; only its digest is stored. HMAC-pseudonymized IP and user-agent values are used for login throttling and session security. Distinct graph revisions are currently kept until the operator deletes the deployment data; self-service retention/deletion controls are not available yet. Contact the project issue tracker below for deletion requests or questions.
weavatrix.com is a static page served by Cloudflare. The static site runs no analytics and sets no cookies. Cloudflare may process standard request logs (IP address, user agent) to serve and protect the site, per Cloudflare's privacy policy.
Questions: open an issue at github.com/sergii-ziborov/weavatrix.