From e828538a2d4785bc9628bbd6337575d050526209 Mon Sep 17 00:00:00 2001
From: Alan Wizemann
Date: Mon, 27 Apr 2026 13:00:56 +0200
Subject: [PATCH] =?UTF-8?q?docs(privacy):=20correct=20sandbox=20claim=20?=
 =?UTF-8?q?=E2=80=94=20Scarf=20macOS=20is=20unsandboxed=20by=20design?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The privacy policy claimed "the macOS app is sandboxed where possible" and that uninstall removes "~/Library/Containers/com.scarf". Both wrong:

- Per scarf/CLAUDE.md "Sandbox disabled. Scarf needs to read ~/.hermes/ directly." Scarf cannot ship App-Sandboxed because it needs direct filesystem access to ~/.hermes/ and the ability to spawn the hermes CLI — both forbidden by the App Sandbox.
- ~/Library/Containers/com.scarf doesn't exist for an unsandboxed app; data lives at ~/Library/Caches/scarf/, ~/Library/Preferences/com.scarf.app.plist, and ~/Library/Application Support/com.scarf/.

Replaced both with accurate text. Also clarified that ScarfGo on iOS DOES run inside the standard iOS sandbox — no special entitlements beyond Keychain.

The wiki mirror at .wiki-worktree/Privacy-Policy.md got the same fix in the corresponding wiki audit commit.

Caught during the v2.5 wiki audit pass. Will re-publish to gh-pages in v2.5.1 alongside other queued doc updates.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scarf/docs/PRIVACY_POLICY.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scarf/docs/PRIVACY_POLICY.md b/scarf/docs/PRIVACY_POLICY.md
index 9498c1a..f934d62 100644
--- a/scarf/docs/PRIVACY_POLICY.md
+++ b/scarf/docs/PRIVACY_POLICY.md
@@ -54,7 +54,8 @@ If you join the ScarfGo beta via TestFlight, Apple shares anonymized crash repor - iOS Keychain storage uses `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` so credentials are unreachable while the device is locked and never synced to iCloud. - SSH connections use the same protocol stack as `ssh(1)` — strict host-key verification on first connect, key-based auth (no passwords are sent over the wire), and Citadel's pure-Swift implementation on iOS. -- The macOS app is sandboxed where possible and notarized via Apple's standard Developer ID flow. +- The macOS app is notarized via Apple's standard Developer ID flow (signed + stapled by `xcrun notarytool` on every release). It is not App-Sandboxed — Scarf needs direct read access to `~/.hermes/` and the ability to spawn the `hermes` CLI, both of which the App Sandbox forbids. That's why Scarf is distributed via GitHub Releases + Sparkle rather than the Mac App Store. +- ScarfGo on iOS runs inside the standard iOS app sandbox — no special entitlements beyond Keychain access for the SSH key. ## Children's privacy @@ -65,7 +66,7 @@ Neither app is directed at children under 13 and we do not knowingly collect any Because we don't collect any data on developer-controlled servers, there is nothing for you to opt out of, request deletion of, or export. To remove all app-stored data from your device: - **ScarfGo**: delete the app. iOS purges the Keychain group + app container. -- **Scarf**: delete the app and the `~/Library/Containers/com.scarf` directory (the app is sandboxed; this is the only on-disk data). +- **Scarf**: delete `Scarf.app` from `/Applications`, then optionally remove `~/Library/Caches/scarf/` (remote SQLite snapshots), `~/Library/Preferences/com.scarf.app.plist` (server registry + preferences), and `~/Library/Application Support/com.scarf/` (skill snapshots). Your Hermes host's data (`~/.hermes/`) stays untouched — that's yours to manage.
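Review bot: in the first hunk (the `+` line replacing "sandboxed where possible"), "signed + stapled by `xcrun notarytool`" is not accurate: `notarytool` only submits the build for notarization and reports the result; signing is done by `codesign` and the ticket is attached with `xcrun stapler staple`. Either name all three steps ("signed with `codesign`, notarized with `xcrun notarytool`, stapled with `xcrun stapler`") or just say "notarized and stapled on every release" without naming a tool. Since this is the privacy policy, the "It is not App-Sandboxed" sentence should also spell out the consequence for the reader: the app runs with the same filesystem and process permissions as the logged-in user rather than being confined to a container, so notarization, Gatekeeper and the Sparkle update channel are the controls standing in for the sandbox. "both of which the App Sandbox forbids" is also slightly overstated, as sandboxed apps can read user-selected paths via security-scoped bookmarks and can spawn helpers that inherit the sandbox; "which the App Sandbox does not allow without per-path user consent" would be the more precise wording.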
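Review bot: in the second hunk (the replacement **Scarf** uninstall line), "optionally remove `~/Library/Caches/scarf/` (remote SQLite snapshots)" undersells that directory: those snapshots are copies of data pulled from the user's Hermes host, so for anyone removing the app for privacy reasons deleting that cache is the step that matters. Consider dropping "optionally", or stating explicitly that the cache holds copies of remote data and that it (and the skill snapshots under `~/Library/Application Support/com.scarf/`) should be deleted along with the app. The three paths also use three different identifiers (`scarf`, `com.scarf.app`, `com.scarf`); confirm each is the literal on-disk name, because a user will search for exactly these strings, and check whether the Sparkle updater keeps any state outside these locations or whether Scarf writes any item to the login keychain, so the "all app-stored data" list above this line is actually complete.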