Repository artifacts
Specs, planning, readiness, implementation summaries, reconciliation, and validation evidence are repository-visible files. Normal CLI use does not upload those artifacts to the website.
Local-first privacy
Day Shift stores workflow evidence in repository artifacts and verifies signed license files locally. Website/server responsibilities are limited to downloads, documentation, purchase, license delivery, recovery, and authenticated customer operations.
Specs, planning, readiness, implementation summaries, reconciliation, and validation evidence are repository-visible files. Normal CLI use does not upload those artifacts to the website.
The website publishes release-pipeline-produced downloads, release notes, checksums, and manifests, and links to the separate canonical documentation application.
Stripe secrets, webhook payloads, customer records, license signing keys, recovery evidence, and support identity records belong behind server-only boundaries.
After installation, normal CLI behavior and signed license verification are local-first and offline-capable. Online activation is not required for normal use.
Implemented controls keep normal workflow artifacts and signed-license verification local, keep payment and signing material behind server-only routes, and publish release checksums for buyer verification. These boundaries are not a certification, security guarantee, or claim that every environment is compatible.