Security & permissions
Pane is local-first by default and AGPL-3.0. Remote Pane uses your self-hosted daemon. Agents keep their own permission models.
Pane runs on your machine. Your code never leaves your machine because of Pane. It only leaves when the agents you run (Claude Code, Codex, Aider, etc.) send context to their providers. Pane is a terminal host, not a proxy.
What Pane does NOT do
- Does NOT sandbox the agent process. The agent runs with your full shell permissions.
- Does NOT proxy AI API requests. Requests go directly from the agent to the provider.
- Does NOT see agent prompts, completions, or file contents the agent reads or writes.
- Does NOT run a cloud service. Remote Pane connects to a daemon you install on your own machine.
Local-first by default
There’s no Pane backend and no cloud sync. Your repos and worktrees live exactly where you put them on disk. Opening a pane doesn’t upload your code anywhere.
Remote Pane is opt-in. When you connect to a VM, WSL box, or another machine, everything runs on that remote host through your self-hosted daemon. The desktop app or browser app at runpane.com/app connects with a pane-remote://... code from Settings > Remote Pane. Your code stays on that host. Pane still doesn’t touch API requests.
Remote Pane is free and open source. There’s no hosted backend or subscription. You provide the machine and any provider credentials your agents need.
Open source, AGPL-3.0
Pane’s source is at github.com/dcouple/Pane . You can audit it, fork it, or build on it. AGPL-3.0 means network-served derivatives stay open source under the same license.
Telemetry
Pane uses PostHog for anonymous product analytics. Here’s what gets collected:
- Which features are used (pane creation, agent launch, keyboard shortcuts)
- Basic OS and app version
- Page views on runpane.com
Here’s what’s never sent:
- File contents or code from your repos
- Agent prompts or responses
- API keys or secrets
- File paths beyond worktree names
To opt out: Settings > Privacy > Disable analytics.
Agent permissions
Pane doesn’t add or remove permissions on top of the agent. Each agent has its own permission model: Claude Code uses .claude/settings.json, Codex has its own approval prompts, Aider has confirmation flags, and so on. Those work the same inside a Pane terminal as they do in any standalone terminal. Configure permissions in the agent itself.
Worktree isolation
Agents in one pane can’t read another pane’s worktree files unless you explicitly pass a cross-worktree path. Different working directories means different file-scope defaults for each agent. This is a soft boundary based on working-directory conventions, not a kernel-level sandbox.
Remote daemon security
Treat connection codes and bearer tokens like SSH private keys. Never paste them in public channels.
Remote Pane authenticates every connection with a bearer token embedded in the pane-remote://... code. The token is generated on the host during setup and gives full session control to whoever holds it.
Encryption: Tailscale wraps the connection in WireGuard encryption. No ports are opened on the host. When Tailscale isn’t available, the SSH tunnel fallback provides AES-256 encryption with the daemon bound to loopback only.
Rotating tokens: Run pane --remote-setup on the host to rotate. Revoking a client in Settings > Remote Pane invalidates that client’s token immediately.
Connected devices: The host shows every connected client by device label. You can disconnect or revoke any client from Settings > Remote Pane.
Data isolation: Each data mode (Current Pane Data vs Isolated Daemon Data) uses separate databases and worktree directories. Sessions don’t cross mode boundaries.
For remote browser voice dictation, the daemon host uses voice provider keys from Settings > Voice Transcription or host environment variables. Live streaming uses Deepgram plus OpenRouter. Batch recorded transcription uses Fal plus OpenRouter.
Reporting a vulnerability
Email hi@runpane.com with subject line [SECURITY]. We’ll acknowledge within 48 hours and reach a disclosure decision within 14 days.