BaseVault is a desktop app — not a SaaS, not a service, not a data processor. No backend. No accounts. No telemetry. Your prompts go from your laptop directly to inference, never through us.
Run inference locally on your hardware, or bring your own API key for hardware-attested hosted inference in a TEE enclave. In both modes, the verification chain runs on your machine, against public roots of trust — your laptop confirms what's running before a byte leaves it.
Heterogeneous personal files in — text, markdown, PDFs, journals, exports. Structured facts, resolved entities, within-theme patterns, cross-domain insights, and actionable recommendations out. Every output traces back to a byte offset in the original file.
Local inference is the cleanest privacy posture: nothing leaves your machine, and the trust surface is exactly the hardware and OS you already trust. But it's bottlenecked by your laptop's RAM and VRAM. Most personal computers can't run a frontier model at all — and even when they can, inference runs as a single sequential worker, often slow enough that day-to-day use stops being practical.
Hosted inference solves the throughput problem — parallel fan-out across many workers, near-frontier model quality, minutes instead of hours. The catch: the standard hosted model asks you to trust the operator. Your prompts go to their servers. They could read them, log them, train on them, hand them over to a regulator. That's a bad fit for the kind of data BaseVault works with.
TEE inference is the bridge. The model runs inside a hardware-isolated enclave on AMD SEV-SNP or Intel TDX silicon. The chip itself enforces that the compute stays sealed from the cloud operator. Every call returns a cryptographic attestation BaseVault verifies before sending data — proving the enclave is running the exact open-source code we expected, not a tampered build that leaks your prompts in plaintext. The privacy guarantee is no longer reputational; it's rooted in silicon.
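A minimal sketch of that verify-before-send gate in Python; the Attestation shape, the pinned EXPECTED_MEASUREMENT, and the verify_sig callback are all illustrative assumptions, not BaseVault's actual API:

from dataclasses import dataclass

# Illustrative digest of the audited enclave build; in practice this is
# pinned per release and cross-checked against the transparency log.
EXPECTED_MEASUREMENT = "sha256:aaaa..."

@dataclass(frozen=True)
class Attestation:
    measurement: str   # hash of the code the chip reports is running
    signature: bytes   # signed by the CPU vendor's attestation key

def check_or_refuse(att: Attestation, verify_sig) -> None:
    # Refuse inference unless the whole chain verifies.
    if not verify_sig(att):                       # chains to the AMD/Intel public root
        raise RuntimeError("vendor signature invalid: refusing to send data")
    if att.measurement != EXPECTED_MEASUREMENT:   # running code != audited code
        raise RuntimeError("measurement mismatch: refusing to send data")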
You get hosted-grade scale and capability with a trust surface that's narrower, more verifiable, and fully auditable. BaseVault wires the chain end-to-end and surfaces it in a panel you can copy, audit, and feed into independent tools.
Most personal-data tools are chat-on-top-of-embeddings — you dump files in, ask questions, get answers grounded in retrieved chunks. BaseVault is shaped differently: a typed DAG of facts, patterns, and insights, with refs at every layer back to the byte where the underlying quote lives. You don't ask questions of your data; you read its structure.
And because extraction runs per-chunk and aggregates upward, the pipeline scales to corpora orders of magnitude larger than any single LLM's context window — exactly where retrieval-based tools start to lose signal.
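A sketch of that shape, assuming hypothetical extract and aggregate callables (one model call per chunk or per theme); nothing below is BaseVault's real code:

from typing import Callable

def run_pipeline(
    docs: list[bytes],
    extract: Callable[[bytes, int, int], list[dict]],   # one LLM call per chunk
    aggregate: Callable[[list[dict]], list[dict]],      # one LLM call per theme
    chunk_size: int = 8_000,
) -> tuple[list[dict], list[dict], list[dict]]:
    # No single call ever sees the whole corpus, so corpus size is
    # bounded by disk, not by any model's context window.
    facts: list[dict] = []
    for doc_id, doc in enumerate(docs):
        for start in range(0, len(doc), chunk_size):
            # absolute byte offsets travel with every item, so each
            # claim can cite the exact span it came from
            facts += extract(doc[start:start + chunk_size], doc_id, start)
    patterns = aggregate(facts)      # within-theme patterns, refs -> facts
    insights = aggregate(patterns)   # cross-domain insights, refs -> patterns
    return facts, patterns, insights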
Pipeline runs on the left. The run's vault — inputs, facts, entities, patterns, insights, actions — in the middle. The markdown render on the right, with provenance trees that chain every claim back to the byte where its source quote lives. The "Attested" indicator at the top right shows that the TEE chain was verified before any prompt left the machine.
Whitelisted formats: txt, markdown, PDF, docx, json, zip, images. Zips are recursively extracted. Images are transcribed via a vision model that matches the pipeline mode — they never cross trust boundaries.
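The ingest rule reduces to a short recursion; a sketch, where the extension whitelist is illustrative rather than the app's exact list:

import io
import zipfile
from pathlib import PurePosixPath

ALLOWED = {".txt", ".md", ".pdf", ".docx", ".json", ".png", ".jpg"}  # illustrative

def ingest(name: str, data: bytes, out: list[tuple[str, bytes]]) -> None:
    # Recursively unpack zips; keep only whitelisted files.
    ext = PurePosixPath(name).suffix.lower()
    if ext == ".zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for inner in zf.namelist():
                ingest(inner, zf.read(inner), out)
    elif ext in ALLOWED:
        out.append((name, data))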
Per-document metadata + per-chunk extraction into typed items (fact, decision, event, emotion, signal, open-loop). Each evidence span carries absolute byte offsets back into the original file.
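Roughly the shape of a typed item, sketched as Python dataclasses; the field names are assumptions, the byte-offset discipline is the point:

from dataclasses import dataclass
from enum import Enum

class ItemType(Enum):
    FACT = "fact"
    DECISION = "decision"
    EVENT = "event"
    EMOTION = "emotion"
    SIGNAL = "signal"
    OPEN_LOOP = "open-loop"

@dataclass(frozen=True)
class EvidenceSpan:
    file: str    # path of the original file, not the chunk
    start: int   # absolute byte offset into that file
    end: int

@dataclass(frozen=True)
class Item:
    type: ItemType
    text: str                            # the extracted claim
    evidence: tuple[EvidenceSpan, ...]   # at least one span per claim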
Mentions across facts are grouped by normalized name and type; a tiered resolver picks a single subject per run. Bundle inputs scrub the subject and synthesize per-file narrators so cross-file contexts don't collapse.
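The grouping step might look like this sketch; normalize() here is a stand-in for whatever normalization the real resolver applies:

import re
from collections import defaultdict

def normalize(name: str) -> str:
    # illustrative: casefold, strip punctuation, collapse whitespace
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.casefold()).split())

def group_mentions(mentions: list[dict]) -> dict[tuple[str, str], list[dict]]:
    # Cluster mentions by (normalized name, type); the tiered resolver
    # then picks a single subject per run from these clusters.
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for m in mentions:
        groups[(normalize(m["name"]), m["type"])].append(m)
    return groups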
Within-theme patterns (mechanistic, with source facts), cross-domain insights (with source patterns), actionable recommendations with a harm-gate filter. Every layer carries refs back to the previous one. A walker traverses the DAG on demand.
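Because every layer carries refs, the walker reduces to a recursive descent; a sketch, assuming each node is a dict with a refs list of ids into the layer below:

def walk(node: dict, graph: dict[str, dict]) -> list[dict]:
    # Follow refs from any node down to its leaf facts, whose evidence
    # spans carry the byte offsets; graph maps id -> node.
    if not node.get("refs"):            # leaf: a fact with evidence spans
        return [node]
    leaves: list[dict] = []
    for ref in node["refs"]:            # insight -> patterns -> facts
        leaves += walk(graph[ref], graph)
    return leaves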
A prompt-hash cache makes the same input + model produce the same output bit-for-bit. Golden-hash regression tests fail at CI time if anyone slips non-determinism in. Pipeline changes are measured against held-out evaluation cases before they ship.
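The cache is content-addressing over the call; a sketch, where the cache path and the call_llm signature are assumptions:

import hashlib
import json
from pathlib import Path

CACHE_DIR = Path.home() / ".basevault-cache"   # illustrative location

def cached_call(model: str, prompt: str, call_llm) -> str:
    # Key is a hash of (model, prompt): the same pair always maps to the
    # same cache entry, so reruns reproduce output bit-for-bit.
    key = hashlib.sha256(json.dumps([model, prompt]).encode()).hexdigest()
    path = CACHE_DIR / key
    if path.exists():
        return path.read_text()
    result = call_llm(model, prompt)
    CACHE_DIR.mkdir(parents=True, exist_ok=True)
    path.write_text(result)
    return result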
Detects the latest checkpoint and re-runs only what's missing. Pause / cancel / resume map to subprocess control. Local + TEE can run side-by-side for latency and quality comparison.
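Resume then falls out of checkpoint markers; a sketch with assumed stage names and marker files:

from pathlib import Path

STAGES = ["ingest", "extract", "resolve", "patterns", "insights", "actions"]

def resume(run_dir: Path, run_stage) -> None:
    # Skip every stage whose checkpoint exists; re-run only what's missing.
    # Safe because stages are deterministic: a completed checkpoint never
    # needs recomputation.
    for stage in STAGES:
        marker = run_dir / f"{stage}.done"   # assumed checkpoint marker
        if marker.exists():
            continue
        run_stage(stage)
        marker.touch()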
Local is the cleanest privacy posture, but it's bottlenecked by what fits in your laptop's RAM. The cost of staying local isn't just speed — it's the model class you can run, and the structure that model class can extract. Same corpus, same pipeline, run twice: once on local Ollama, once via TEE-attested frontier inference.
TEE didn't improve the pipeline; the same code ran in both cases. What TEE unlocked was access to a frontier-capable model without giving up the privacy guarantee. The fidelity delta — 99% dated vs 42%, 50% more patterns surfaced, no overconfident claims, half the rate of items falling into the "other" bucket — is what you give up when you decide hosted inference is too risky to use. Hardware attestation changes that calculation: the model runs in an enclave the silicon itself enforces, you verify the chain before sending data, and you get the capability without the exposure. ~16x faster, too.
A single run (n=1) on a personal journaling corpus. Directional evidence of a model-class delta, not a controlled benchmark.
Inference runs in Ollama on your machine. Nothing leaves your laptop. Trust surface is your hardware, your OS, the open-source inference binary, the published model weights, and the bundled Python pipeline.
Inference runs in a Tinfoil-hosted hardware enclave (AMD SEV-SNP or Intel TDX). The chip enforces that the compute stays sealed even from the cloud operator. Every call returns a cryptographic attestation BaseVault verifies before sending data.
Each model's enclave deployment is built from the public tinfoilsh/confidential-<model> repository.
Every verification — including raw quote bytes, the Sigstore bundle, and the Rekor inclusion proof — is logged to ~/.basevault/attestations.jsonl. You can grep it, audit it, and pipe it into other tools. The app also renders an exact gh attestation verify command per call so you can independently re-verify against GitHub's CLI.
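Since the log is plain JSONL, auditing it from Python takes a few lines; the field names below are assumptions about the schema, not documented keys:

import json
from pathlib import Path

log = Path.home() / ".basevault" / "attestations.jsonl"
for line in log.read_text().splitlines():
    rec = json.loads(line)
    # field names assumed for illustration
    print(rec.get("timestamp"), rec.get("measurement"), rec.get("rekor_log_index"))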
The TEE provider today is Tinfoil. Additional providers will be supported as each clears a strict audit process: hardware attestation API surface, per-model deployment manifest discipline, public build provenance, and SDK-level enforcement that refuses inference unless the chain verifies.
Hardware attestation and transparency logs provide auditability, not a unilateral guarantee of safety. Every measurement chains back to a specific public commit, recorded permanently in Sigstore's append-only log and signed at build time. The release history is publicly visible and append-only — anyone can fetch the source at any past or current commit, diff it against prior releases, and form their own judgment.
What still rests on trust is that the TEE provider's incentives align with shipping only code they're willing to publicly defend. That's a narrower and more verifiable ask than the standard hosted-inference question of "trust us not to read your data" — and it shrinks further as the open-source ecosystem around binary transparency and reproducible builds matures.
The chain above proves what's running in the enclave, where you have no local access. The .dmg on your laptop is a different problem — you have the bytes, so verification is direct rather than chain-based.
Once the source is public, the verification is: read the GitHub Actions workflow that builds the release, confirm the run exists on a specific commit, hash your downloaded .dmg and match it to the SHA published in the GitHub Release. That's the whole chain — no transparency log needed for an artifact you can hash yourself. If you want to skip trusting GitHub's runner entirely, the build is reproducible: rebuild from source on your own machine and verify the bytes match.
This is why open source on launch is the load-bearing commitment for the client side. Until then, "I read the workflow" doesn't apply, and you're trusting Apple Developer ID + notarization + this page's SHA — the same posture as any signed-and-notarized macOS app, no more.
Personal data should stay where the person can see it. The default posture of modern software is the opposite — your files are the fuel, the cloud is the engine, and you are the exhaust. BaseVault inverts that. Your machine is the engine; the cloud, when used, is an optional accelerator that has to prove what it's running before it gets your data.
When computation has to leave the machine, the trust model should replace reputation with proof. "Trust us, we're a good company" is asking the wrong question. The right question is: show me the evidence I can verify without having to trust you. Hardware attestation, transparency logs, and reproducible build provenance give that evidence. BaseVault wires them end-to-end and surfaces the chain in a panel you can audit.
Every claim a language model produces should trace back to its source. Patterns trace to facts. Facts trace to the byte offset where the underlying quote lives. Insights trace to the patterns they aggregate. There is no orphan synthesis — if you can't follow the chain back to evidence, you shouldn't believe the output. BaseVault enforces this in the data model, not the prose.
No telemetry. No analytics. No surveillance pixel. The app sends nothing about you, anywhere, unless you've explicitly told it to — and even then, the destination has been cryptographically verified to be running the code we expected.
Open source on launch. Every line of code that touches your data will be public, auditable, and reproducible. The trust posture isn't a marketing claim — it's a property you can verify by reading the source.
Latest signed and notarized build. Apple Developer ID verified by Gatekeeper on launch.
# Before mounting:
shasum -a 256 BaseVault.dmg
# After mounting (double-click the .dmg first):
spctl -a -t exec -vv /Volumes/BaseVault/BaseVault.app
codesign -dv --verbose=4 /Volumes/BaseVault/BaseVault.app
The first command's output should match the SHA-256 above. The second should report accepted, source=Notarized Developer ID. The third shows the signing identity; verify the team identifier matches Q2XJ8DS5C9.