Privacy

TL;DR: Meshfleet is local-first. No cloud, no telemetry, no accounts. The mesh stores everything on your machine and only talks to the model provider you already configured.

What the short version says

What the mesh stores on your machine

Everything is in your OpenCode config directory. The default locations:

~/.config/opencode/agent-mesh.json — the JSON ledger: fleets, agents, messages, capabilities, templates
~/.config/opencode/agent-mesh.events.log — the structured event log (NDJSON, append-only)
On Windows: %APPDATA%\opencode\agent-mesh.json and %APPDATA%\opencode\agent-mesh.events.log

The ledger is plain JSON. You can read it, edit it, back it up, or delete it at any time. The event log is the same. The mesh is designed so that losing these files is recoverable — the worst case is losing the in-flight fleet state.

What leaves your machine

Outbound: only what you configured

When an agent runs, it sends a request to your model provider (Anthropic, OpenAI, etc.) with the agent's prompt. The mesh doesn't add anything to the request — no telemetry headers, no usage tracking, no identifier. The provider sees the same thing it would see if you ran opencode run directly.

Your provider's privacy policy applies. We don't see those requests. We don't log them. We don't have a server.

Inbound: none

The mesh doesn't receive requests. It runs as an MCP server inside your OpenCode session, on your machine. The only network listener is the optional SSE inbox server (v0.7.0+) which binds to 127.0.0.1:13579 by default — that's your own loopback interface, not accessible from the network.

Do not expose port 13579 to the network. It's an unauthenticated event stream intended for local agents. See /security for details.

Agent output

Agents can read your working directory. This is by design — they're your agents, working on your code, on your machine. If you point them at secrets, they will see secrets.

Agent output (their .output field) is stored in the ledger at ~/.config/opencode/agent-mesh.json. If you share your ledger with someone, you're sharing their output. Don't share ledgers that contain sensitive data.

meshfleet.app (this website)

This website (meshfleet.app) is hosted on Cloudflare Workers as a static site. The site itself:

Cloudflare's own privacy policy covers their infrastructure: https://www.cloudflare.com/privacypolicy/.

The RSS feed

The blog has an RSS feed at meshfleet.app/rss.xml. Subscribing to it doesn't send any data to us — your reader polls the feed and that's it. If your reader reports a fetch error or click to a tracking service, that's between you and your reader.

Children's privacy

Meshfleet is a developer tool. It's not directed at children under 13 (or the applicable age of digital consent in your jurisdiction). We don't knowingly collect data from anyone, let alone children.

Changes to this policy

If we ever change anything material (we won't, but if), the change will be:

Contact

Questions about privacy? Email privacy@meshfleet.app (or john@meshfleet.app if the privacy inbox isn't set up yet).

Last updated: 2026-07-02 · View this page on GitHub