Privacy & Security¶
This project treats YouTrack data as potentially sensitive (operational or healthcare-adjacent). The guarantees below are non-negotiable and enforced by the project constitution.
What leaves your infrastructure: nothing¶
Self-hosted Ollama only. All embedding and label generation runs against an Ollama instance you control. No third-party hosted AI API (OpenAI, Anthropic, etc.) is ever contacted — not even as a fallback.
Offline-capable AI audit. The workflow security audit (
zizmor) runs offline in CI.If Ollama is unreachable, the tool degrades to structural-only scoring with a warning rather than sending issue content anywhere else.
Read-only against YouTrack¶
The tool never modifies, links, tags, comments on, transitions, or closes issues. There
are no write commands. All YouTrack access goes through the youtrack_cli package using
your existing, already-configured credentials — the tool stores none of its own.
Local-first data¶
Fetched issues and embeddings are cached in a local SQLite file. Analysis re-runs without
re-contacting YouTrack, and runs surfaces how stale the cached data is.
Reproducibility & transparency¶
Every surfaced relationship carries human-readable evidence, and each run records the embedding model name/version and the scoring weights — so results are explainable and reproducible. Any LLM-generated label is clearly marked as generated and never affects the computed scores or group membership.
Supply-chain posture¶
CI and release workflows use least-privilege permissions and hash-pinned actions, audited
by zizmor as a required check. Dependabot keeps those pins current. Releases publish via
PyPI Trusted Publishing (OIDC) — no long-lived token is stored.
See the constitution for the full set of principles.