TL;DR

PEER Audit runs entirely on your own machine. Your source code never leaves your infrastructure. The system uses three layers of protection: no data is sent out, it works fully offline, and all scan results stay in your project folder.

Executive Summary

PEER Audit is designed for organisations where source code confidentiality is non-negotiable. Our triple-layer air-gap architecture ensures your code never leaves your infrastructure — not a single line, not a single character.

This document details the security architecture that makes PEER Audit suitable for air-gapped environments, regulated industries, and organisations with strict data sovereignty requirements.

The Three Layers

PEER Audit's security architecture is built on three distinct layers, each providing independent protection for your source code and analysis data:

  • Layer 1: Zero Data Exfiltration — Your code is analysed locally and never transmitted
  • Layer 2: Full Offline Operation — Works without any network connection after activation
  • Layer 3: Complete Data Containment — Scan data stays exclusively in your project directory

Layer 1: Zero Data Exfiltration

Your code stays on your machine. Period.

PEER Audit performs all analysis locally. The scanner, dashboard, and reporting engine run entirely within your infrastructure with no outbound transmission of:

  • Source code (full or partial)
  • File names or directory structures
  • Function names or code snippets
  • Scan results or metrics
  • Error messages containing code references
  • Any project-specific data

The only network communication:

License activation requires a one-time outbound call that transmits only:

  • Your license key (which you provide)
  • A machine fingerprint (cryptographic hash, not raw identifiers)

This call contains zero information about your codebase.

Verification:

Run the following command to verify no telemetry or analytics packages are present and view the network audit log:

peer-audit security-audit

Layer 2: Full Offline Operation

Works without any network connection.

After initial activation, PEER Audit requires no network connectivity. License validation is performed locally using cryptographic signature verification.

For fully air-gapped environments:

  1. Generate a machine fingerprint on the isolated system
  2. Obtain a signed license file through a secure channel
  3. Transfer the license file to the isolated system
  4. Activate using peer-audit activate --license-file

No network connection is ever required. No "phone home" checks. No mandatory update calls. No heartbeat monitoring.

Technical implementation:

  • RSA-signed license files
  • Public key embedded in binary for local verification
  • Expiry and machine binding checked locally
  • No periodic re-validation required
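As an added illustration of the fingerprint hashing from Layer 1 and the local license check above (not PEER Audit's own code; the license layout, the RSA-PSS choice and the identifier inputs are assumptions), this Go program verifies a signed license against an embedded public key, then checks expiry and machine binding with no network access:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// License is a hypothetical payload layout; the page does not document the real file format.
type License struct {
	Key         string `json:"key"`
	Fingerprint string `json:"fingerprint"` // hex SHA-256 over machine identifiers
	Expires     int64  `json:"expires"`     // Unix time, checked locally
}

// Fingerprint hashes raw identifiers so only a digest leaves the box; the NUL separator keeps ("ab","c") != ("a","bc").
func Fingerprint(ids ...string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(strings.Join(ids, "\x00"))))
}

// Sign is the vendor-side step (assumed RSA-PSS over SHA-256 of the JSON payload), included only to produce a license to verify.
func Sign(priv *rsa.PrivateKey, lic License) (payload, sig []byte, err error) {
	payload, _ = json.Marshal(lic) // cannot fail for this struct
	d := sha256.Sum256(payload)
	sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
	return payload, sig, err
}

// Verify is the offline check against the embedded public key: signature before parsing, then expiry, then machine binding.
func Verify(pub *rsa.PublicKey, payload, sig []byte, localFP string, now time.Time) (*License, error) {
	d := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil); err != nil {
		return nil, fmt.Errorf("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, err
	}
	if now.Unix() > lic.Expires {
		return nil, fmt.Errorf("license expired")
	}
	if lic.Fingerprint != localFP {
		return nil, fmt.Errorf("license bound to a different machine")
	}
	return &lic, nil
}
```

The signature is checked before the payload is parsed, so a tampered or foreign-key file is rejected without its contents ever being trusted.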

Layer 3: Complete Data Containment

Scan data stays in your project directory.

All scan results, reports, and analysis data are stored exclusively within the scanned project:

your-project/
└── .peer-audit/
    └── scans/
        └── [scan results here]

The global configuration directory (~/.peer-audit/) contains only:

  • License file (no code)
  • User preferences (theme, port settings)
  • Network audit log (for your inspection)

No source code, file paths, or scan results are stored outside the project directory.

Clean removal:

Uninstalling PEER Audit removes all traces of the tool from your system; only the project-specific .peer-audit directories remain, under your control to delete at your discretion.

Security Verification

PEER Audit includes built-in verification tools for security teams:

Comprehensive security audit:

peer-audit security-audit

This command verifies:

  • No telemetry or analytics packages present
  • Network whitelist enforcement active
  • All outbound calls logged
  • No code in global storage
  • Data containment intact

Network transparency during scans:

peer-audit scan /path/to/project --network-audit

Shows real-time network activity (should be zero during scanning).

Inspect global storage:

peer-audit security-audit --show-global

Lists all files in global storage with descriptions of contents.

Compliance Considerations

PEER Audit's architecture supports compliance with:

Data Sovereignty Requirements

  • Code never leaves your jurisdiction
  • No cloud processing or storage
  • Full control over data location

Air-Gap Mandates

  • Operates in fully isolated networks
  • Offline activation available
  • No network dependencies post-activation

Audit Requirements

  • Network activity logged locally
  • Verifiable security architecture
  • Self-audit capabilities built-in

Regulated Industries

  • Suitable for financial services
  • Meets defence contractor requirements
  • Compatible with healthcare data isolation

Frequently Asked Questions

Does PEER Audit send my code anywhere?

No. Your code is analysed locally and never transmitted. The only network call is license activation, which sends only your license key and a machine fingerprint (hash).

Can OYNK see my scan results?

No. Scan results are stored in your project directory on your infrastructure. We have no access to your systems or data.

What if I can't connect to the internet at all?

Use offline activation. Generate a machine fingerprint, obtain a signed license file through secure channels, and activate locally. No internet required.

How do I verify these claims?

Run peer-audit security-audit. The tool will verify its own security architecture and show you the network audit log. You can also inspect the binary and network traffic yourself.

What happens when my license expires?

The tool stops functioning until renewed. Your scan data remains in your project directories under your control. Nothing is deleted or transmitted.

Can I run this in a container/VM that's network-isolated?

Yes. Use offline activation. PEER Audit has no dependency on network connectivity after activation.

Architecture Diagram

┌─────────────────────────────────────────────────────────────────────┐
│                     YOUR INFRASTRUCTURE                              │
│                                                                     │
│   ┌─────────────────┐         ┌─────────────────────────────────┐  │
│   │  Your Codebase  │────────▶│        PEER Audit Scanner       │  │
│   └─────────────────┘         │  (runs locally, no outbound)    │  │
│                               └──────────────┬──────────────────┘  │
│                                              │                      │
│                                              ▼                      │
│                               ┌─────────────────────────────────┐  │
│                               │      Local Dashboard            │  │
│                               │   (localhost:9000)              │  │
│                               └──────────────┬──────────────────┘  │
│                                              │                      │
│                                              ▼                      │
│                               ┌─────────────────────────────────┐  │
│                               │    Project Directory Storage    │  │
│                               │    ./.peer-audit/scans/         │  │
│                               └─────────────────────────────────┘  │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
                                    │
                                    │ License activation only
                                    │ (one-time, sends only key + fingerprint hash)
                                    │
                                    ▼
                    ┌───────────────────────────────┐
                    │   OYNK Licensing Server       │
                    │   (receives NO code data)     │
                    └───────────────────────────────┘

Summary

Security Layer               Protection
Layer 1: No Outbound Data    Code never transmitted; only license key + hash sent during activation
Layer 2: Offline Operation   Full air-gap support, cryptographic local license verification
Layer 3: Data Containment    Results stored in project directory only, clean uninstall

PEER Audit is built for environments where "trust us" isn't good enough. Verify the architecture yourself, audit the network calls, and run in complete isolation.

Your code is your business. It stays that way.