What your security
team needs to see.
Clearly is built to be reviewable. Below is the current security posture of the platform — controls in production today, the SOC 2 roadmap, and the contractual commitments we make to Enterprise customers via a DPA.
Your Claude key stays on your Mac
We engineered the daemon so the worker stores only masked metadata — never the credential value itself. Every call to Anthropic originates from your daemon, on your computer, using your subscription. The worker is a coordination layer, not a secret store. Here are the five hops with cited code paths.
- 1
You click “Connect Claude” in the Hive Mac app
The daemon spawns Anthropic's official `claude setup-token` CLI as a child process on your Mac. Anthropic's CLI — not ours — handles the OAuth browser flow and writes the token to ~/.claude/.credentials.json. Clearly's code never sees the token in this step.
📄beehaven_sdk/packages/cli/src/claude-credential-store.ts🌐 Anthropic's CLI ↔ Anthropic OAuth (your Mac → Anthropic, direct) - 2
Daemon detects the credential file changed
A filesystem watcher inside the daemon notices ~/.claude/.credentials.json was updated. It extracts only the last 4 characters for display purposes ("Pro/Max plan (…1234)"). The raw access token stays in a local variable inside the daemon process — never written to our disk, never shipped over the network.
📄beehaven_sdk/packages/cli/src/claude-credential-store.ts:334-415🌐 None - 3
Daemon tells our cloud "a credential is connected"
Over the daemon's WebSocket to the Clearly relay, the daemon sends a `canvas-credential-detected` message containing four fields: credType ("plan" or "api-key"), maskedKey ("…1234"), expiresAt, scopes. The actual access token, refresh token, and any secret material are NOT in the message.
📄beehaven_sdk/packages/cli/src/relay.ts → _startCredentialsWatcher()🌐 Daemon → Clearly cloud (metadata only) - 4
Our cloud writes a metadata-only row
Our backend handles the broadcast and writes one row to its claude_credentials table. The columns are: type, masked_key, connected_at, daemon_confirmed_at. There is no column for token, accessToken, refreshToken, apiKey, or any other secret. The backend literally cannot make an authenticated request to Anthropic on your behalf — we never have your token to send.
📄apps/cloudflare/src/workspace.ts → case 'canvas-credential-detected'🌐 None (DB write only, inside our backend) - 5
Your prompts run on YOUR Mac
When you send a prompt, the worker forwards only the prompt text to your daemon. Your daemon spawns the Claude Agent SDK as a local subprocess. The SDK reads the OAuth token from ~/.claude/.credentials.json (or your API key from your local keychain) and makes the HTTPS call directly to api.anthropic.com from your Mac — exactly as if you'd run `claude` in your own terminal.
📄beehaven_sdk/packages/cli/src/daemon-omni.ts → buildSdkOptions() + query()🌐 Your Mac → Anthropic (direct HTTPS, your token, your IP)
| Data | Backend can see | Stays on your Mac |
|---|---|---|
| Claude OAuth access token | — | ✓ |
| Claude OAuth refresh token | — | ✓ |
| Anthropic API key (sk-ant-…) | — | ✓ |
| Last 4 chars of credential (display only) | ✓ | — |
| Credential type (plan / api-key) | ✓ | — |
| Connection timestamp | ✓ | — |
| Your prompts (FAB chat send) | ✓ (transit only — forwarded to daemon) | — |
| Claude's responses (daemon stream) | ✓ (transit only — forwarded to tab) | — |
| Files in a local-folder brand scan | — | ✓ (daemon reads + sends thumbnails to Anthropic via YOUR key, never to us) |
| Files you explicitly upload to a canvas | ✓ (your private object storage) | — |
| Composition blocks (saved canvases) | ✓ (your workspace DO) | — |
| Generated assets (SVG / MP4 / PNG) | ✓ (your object storage) | — |
| Brand kits (palette, type, voice) | ✓ (your workspace DO) | — |
This architecture sits cleanly inside Anthropic's published policy for third-party Agent SDK use of a user's plan — the February 2026 enforcement action targeted services that reverse-engineered the OAuth flow outside the SDK or proxied many users through one subscription. Clearly does neither.
Verify by reading the source at /Applications/Hive.app/Contents/Resources/beehaven/ — grep for any string that looks like a token transmission. Or run nettop -P while using Clearly and confirm outbound HTTPS to api.anthropic.com comes from the daemon's node process, never from a browser tab on clearly.sh. Found a regression? security@clearly.sh — P0 incident.
Current posture
Roadmap
- NowTLS 1.3 in transit, AES-256 at rest, everywhere
- NowPer-workspace RBAC + per-block visibility
- NowAppend-only audit log on share-resolve and billing
- NowEmail DKIM + SPF aligned
- Q3SOC 2 Type I (auditor engaged Q1)
- Q4SOC 2 Type II — observation period
- Q4SAML + SCIM on Enterprise
- NextOn-prem option (annual contract, dedicated tenancy)
- NextHIPAA BAA for healthcare customers
Enterprise security review
We'll send you the DPA, current SOC 2 status, the subprocessor list, and a security questionnaire response within one business day.
security@clearly.sh →Found something concerning? Email security@clearly.sh — we respond inside 24 hours.