QX QX Flow Back to app
Open-source verification layer

Audit the local-processing claim yourself.

Trust Checker is a small, open-source verification tool for auditing whether QX Flow processes files locally in the browser without uploading raw file data to a backend.

View GitHub repository Open project README

What it captures

  • Every network request during an audit window.
  • In-page file selection and memory-read hooks.
  • Optional browser-session recording as a timestamped video artifact.
  • A plain-text report plus JSON evidence files.

What this version delivers

  • CLI mode for technical users who want source code, terminal control, and raw evidence files.
  • Local GUI mode for business users who prefer a button-based flow without touching code after startup.
  • Both modes share the same audit core in ./trust-checker-core.js.
Pass criteria
No data upload detected

No upload-like request body and no POST, PUT, PATCH, or DELETE request seen in the audit window.

No API calls during file processing

No XHR, fetch, websocket, or /api/ request seen during the observed file-processing window.

File only processed in browser memory

A file-selection event and at least one FileReader or Blob memory-read event are observed, with no upload-like request.

No data stored on cloud

No remote upload-like request is observed.

Important boundary

Same-origin control-plane requests such as auth bootstrap, license key fetches, payment or version bootstrap, and analytics beacons are still recorded into evidence files, but they are not treated as file-upload failures.

If one evidence point cannot be proven from the captured hooks, Trust Checker reports it as INFO, not WARN. That means the result is inconclusive for that single point, not that risky behavior was detected.

Recommended audit procedure

Trust Checker lives on GitHub and is designed to help security reviewers, IT teams, and decision-makers verify the browser-observable boundary themselves.