How it runs

Local scans, explicit scope, and no private key collection.

PubKeySpace separates home identity surfaces from repository workspace checks, then turns findings into local remediation guidance or signed team reports.

Scan scope

Home identity surfaces are separate from repository checks.

Home identity surfaces

SSH public key metadata, global Git signing configuration, GPG public key inventory, MCP config metadata, and passkey review surfaces.

Repository workspaces

User-selected folders for Git repository discovery and repository-specific checks. The desktop app does not silently treat app-support storage as a code workspace.

Data boundary

Reports are posture metadata, not a credential dump.

Reports are designed to include metadata, public fingerprints, file paths, ages, permissions, and finding details.

Reports are designed not to include private key contents, token values, MCP environment secret values, or other secret values.

Team upload is opt-in and uses signed report bundles for collector workflows.
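
A sketch of what this data boundary looks like for SSH keys, as an added example and not PubKeySpace's own code: only `*.pub` files are opened, and the matching private key is inspected through `stat()` alone. The function names, the finding text, and the sample key pair are assumptions constructed for illustration.

```python
import base64, hashlib, json, os, stat, struct, tempfile, time

def fingerprint_sha256(pub_line):
    """OpenSSH-style SHA256 fingerprint of one public key line."""
    key_type, b64_blob = pub_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def scan_ssh_dir(ssh_dir, now=None):
    """Report metadata for each *.pub file; private keys are stat()ed, never opened."""
    now = now or time.time()
    findings = []
    for name in sorted(os.listdir(ssh_dir)):
        if not name.endswith(".pub"):
            continue  # only public key files are ever read
        pub_path = os.path.join(ssh_dir, name)
        with open(pub_path) as fh:
            key_type, fp = fingerprint_sha256(fh.readline())
        st = os.stat(pub_path)
        entry = {"path": pub_path, "type": key_type, "fingerprint": fp,
                 "age_days": max(0, int((now - st.st_mtime) // 86400)),
                 "mode": oct(stat.S_IMODE(st.st_mode))}
        priv_path = pub_path[:-4]  # same name without ".pub"
        if os.path.exists(priv_path):
            mode = stat.S_IMODE(os.stat(priv_path).st_mode)  # metadata only
            entry["private_key_mode"] = oct(mode)
            if mode & 0o077:
                entry["finding"] = "private key readable by group or others"
        findings.append(entry)
    return findings

def build_sample_dir():
    """Constructed sample: a fake ed25519 key pair in a temp directory."""
    d = tempfile.mkdtemp()
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    with open(os.path.join(d, "id_ed25519.pub"), "w") as fh:
        fh.write("ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example\n")
    priv = os.path.join(d, "id_ed25519")
    with open(priv, "w") as fh:
        fh.write("CONSTRUCTED-PRIVATE-KEY-SENTINEL\n")
    os.chmod(priv, 0o644)  # deliberately too open, to trigger the finding
    return d

if __name__ == "__main__":
    print(json.dumps(scan_ssh_dir(build_sample_dir()), indent=2))
```

The resulting report carries the fingerprint, path, age, and permission bits, while the contents of the private key file never enter the process.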

App Store impact

The Mac App Store would change the product shape.

Direct download and MDM

Developer ID signed and notarized distribution gives PubKeySpace the flexibility needed for CLI helpers, local sidecars, managed packages, and organization rollout.

Mac App Store

The App Store can improve solo-user trust and discovery, but sandboxing makes background collection, helper tools, CLI installs, and broad local inspection more constrained.

Recommended frequency

Check often enough to catch drift, not so often it feels invasive.

Inventory scan: every 24 hours by default
Collector heartbeat: every 1-4 hours
Update check: on launch and daily
Manual rescan: always available