Personal intelligence vault – local-first, encrypted

2026-07-03 – With minimum dependencies, Chromium-based, easy to self-host.

Hosted Instance – only works with Chromium browser.

Source Code - MIT License, open source.

TLDR

The idea is a personal intelligence vault – that can live entirely on your machine. Minimum dependencies, easy to self-host. Uses native Chrome browser’s File System Access API to read/write encrypted data.

Actual Rationale

I find that world is changing too quickly, as well as all our belongings, documents etc. I think it makes sense to have a good digital overview of all the stuff that remains in the real world (sometimes unsorted, messy or in weird places). I would be unlikely to trust someone else with storing this kind of data, so here is the app. I think there are more use-cases than I can imagine now, and it’s not going to be the most comfortable of all apps – but at least it’s quite secure from my POV. If you eventually decide to use it, I would be happy that someone else doesn’t have to spend a few months thinking about that idea and a few days of implementing it.

Q&A

1. Did you do it with AI?

Yes, I did. Idea is mine, prompts are shared and refined with AI, code is 100% implemented by AI. AGENTS.md, prompts and instructions alike are multiple layers in human-AI feedback loop. I did read the markdown files and adjusted parts I didn’t agree with (with AI), mostly that’s related to framing though and some features I decided to exclude – like attachments handling. I also used AI to perform tests (Fable 5), and it passed them and fixed bugs (both identified alone and those which I mentioned). At this point, writing it without AI would likely take me months and I wouldn’t simply do it.

2. Why not use KeePass?

Because it’s not about passwords. The “vault” naming shouldn’t mislead – physically you can store much more than a password in a vault. I wanted to make a project which would:

And I couldn’t easily find a good solution I could trust. This app is something closer to Obsidian or Tolaria, but their interface just contains too much and that annoys me. Additionally, some of these solutions are developed by commercial companies, they can theoretically perform cloud-syncs – and I simply don’t see a reason to trust interactively complex systems, which are always in one or another way targets of hacker attention.

3. Do I have to trust it? Is it safe to use?

No you don’t have to trust it. You should verify everything you see online, especially when it comes from someone you don’t know and touches on critical private information. The current setup, however, makes it easy to verify if it’s a secure solution or not. It’s a vanilla HTML/CSS/JS application, has no external libraries it depends on and can be easily tested. Additionally, if you run it locally, you can operate it without internet connection, which makes it harder to reach your data.

BUT. As I don’t know your setup, it might actually be unsafe to run it despite all the efforts I took to make it more secure. If you have browser extensions, have a weak password and lose your laptop, or decide to deploy your instance online without caution – then it doesn’t matter how secure the application is, it will be vulnerable because of external reasons.

4. Why a Chrome-only setup?

Because the File System Access API is a Chromium feature, Firefox and Safari don’t ship it. I thought about different cross-platform options and just decided to stick with it. You can get Chrome on all major operating systems, you can use it offline – or you can also fork the repository and rewrite it for the client you prefer. If I went too broad with technology, I would feel less happy with a solution that tries to target everything – because then operational risk is simply too high, just as the effort for me to find problems. It would also make it harder for others to confirm app is safe to use.

5. Is this audited properly?

No. I don’t plan on doing (or involving) any audits beyond Claude Fable checks and leave that up to whoever wants to consume it. Self-audit, decide which exact points raise your concerns and develop fixes when necessary. I suggest however, that you start with docs and security-audit-by-fable to check if your concerns are already addressed.

6. Will it be maintained forever?

I don’t think so. The hope is to have a single version which is so good that it just works and there are no concerns coming from it. I would however review private security concerns and decide if I want to incorporate them, or suggest to create a fork instead. If I see that the risk is too high, I will take down the VPS, the hosted instance is running on and leave the repository as an archive, likely disclosing the issues. As I don’t collect any emails or user information, there wouldn’t be a way for me to inform about the vulnerabilities – which means that whoever is hosting it, has a responsibility to continuously check if it’s still safe to use.

Backstory

I lost a SIM-card, which appeared to be sticking in an old phone I found three months after I deactivated the SIM. That’s the backstory. I don’t want to lose SIM-cards anymore :D