AI Context And Privacy

Scritorio’s trust model depends on explicit context control.

Privacy Principles

  • Projects live locally by default.
  • No server account is required for local use.
  • No background uploads.
  • AI calls require explicit author action.
  • The author can inspect context before sending.
  • The author can exclude files or passages.
  • Local/BYOK API keys are stored locally when that mode is active.
  • Managed AI provider keys are stored only in backend secrets.
  • Reports and generated assets are saved locally.

Account-Aware Managed AI

Scritorio can run AI in a managed mode where the desktop app sends a Supabase-authenticated feature request to Scritorio’s Cloudflare Worker gateway. In managed mode:
  • the app sends the user’s Supabase access token, not a provider API key
  • the Worker verifies the token through Supabase JWKS
  • the Worker derives user identity from the verified token
  • the Worker chooses the approved model, prompt, and response shape
  • the Worker logs usage metadata to Supabase
  • manuscript text is sent to the model provider for the explicit request but is not stored in the usage ledger
This preserves the local-first project model while allowing account-based quota, usage tracking, and future paid managed AI plans.

Context Preview

Before sending an AI request, Scritorio should let the author inspect the prompt where that is useful. For Editorial Board chat, Peek Prompt shows the persona, context label, managed AI routing, available tools, and the actual next request messages.

When the request continues an OpenAI Responses API thread, the preview should not imply that prior assistant text is resent verbatim. It should show the previous_response_id and summarize the local visible transcript separately from the actual next request.

For context-heavy AI features, Scritorio should show:
  • selected manuscript text
  • selected notes, sources, canon, or prior summaries
  • selected persona or editor mode
  • destination provider
  • purpose of the request
The author should be able to remove context from the request.

For advisor chat, manuscript prose is usually not injected into the initial prompt. The model receives metadata anchors and must call get_manuscript_context for current, selected, or referenced prose. Tool-call evidence and app logs should store compact metadata such as path, title, word count, and lookup status, not full manuscript bodies.

Mode Separation

Blind reader mode and context-aware editor mode must not be mixed accidentally. Blind reader mode should only receive the manuscript text selected for the test. Context-aware editor mode may receive selected project notes, canon, source notes, timelines, and prior summaries.
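
One way to enforce this separation together with the author's exclusions from Context Preview, shown as an added example that is not Scritorio's own code. The mode names, item kinds, and the buildContext function are assumptions made for illustration.

```javascript
// Added example; mode names, kinds and buildContext are hypothetical, not Scritorio's API.
const ALLOWED_KINDS = new Map([
  ["blind_reader", new Set(["manuscript"])],
  ["context_aware_editor", new Set([
    "manuscript", "note", "canon", "source_note", "timeline", "summary",
  ])],
]);

const wordCount = (text) => (text.trim() ? text.trim().split(/\s+/).length : 0);

// Builds the one object that is both shown in the preview and sent, so they cannot drift.
function buildContext({ mode, purpose, provider, items, excludedIds = [] }) {
  const allowed = ALLOWED_KINDS.get(mode);
  if (!allowed) throw new Error(`unknown mode: ${mode}`); // fail closed

  // Author exclusions are applied before the mode check is evaluated.
  const excluded = new Set(excludedIds);
  const selected = items.filter((item) => !excluded.has(item.id));

  // Surface a mode-mixing bug instead of silently dropping or sending the item.
  const blocked = selected.filter((item) => !allowed.has(item.kind));
  if (blocked.length > 0) {
    const names = blocked.map((i) => `${i.kind}:${i.id}`).join(", ");
    throw new Error(`${mode} may not receive ${names}`);
  }

  return {
    mode, purpose, provider,
    items: selected,
    words: selected.reduce((sum, item) => sum + wordCount(item.text), 0),
  };
}

// Constructed sample project items.
const SAMPLE_ITEMS = [
  { id: "ch1", kind: "manuscript", title: "Chapter 1", text: "The rain had not stopped for a week." },
  { id: "canon-7", kind: "canon", title: "World rules", text: "Magic costs memory." },
  { id: "n3", kind: "note", title: "Draft note", text: "Cut the prologue?" },
];
```

Throwing on a disallowed kind, rather than filtering it out, makes an accidental mix visible to the caller before any request leaves the machine.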

Fiction Context

Fiction context may include:
  • character dossiers
  • character soul.md files for in-character chat
  • location notes
  • world rules
  • timelines
  • prior scene summaries
  • style guides
Character soul context should be treated as a voice and stance layer, not as unrestricted permission to invent project facts. If a character conversation produces a useful new fact, Scritorio should save it only as an author-reviewable note or canon proposal.

Nonfiction Context

Nonfiction context may include:
  • source notes
  • citations
  • research excerpts
  • outlines
  • claim lists
  • chapter summaries
  • audience notes

Visual Context

Visual generation may require source text, notes, or diagrams. This context must be previewed before being sent to an image provider. Visual prompts and generated assets should be saved locally for traceability.