
Orquesta𝄢


Security by Default: Why Code Should Stay Local

Originally published at orquesta.live/blog/security-by-default-why-code-should-stay-local-2026-06-07

The Imperative of Local Code Execution

When it comes to developing and deploying software, maintaining control over your codebase is paramount. While cloud sandboxes offer convenience and scalability, they introduce significant security vulnerabilities. At Orquesta, we’ve taken a different approach by prioritizing local execution, where every line of code stays within your infrastructure.

Control and Security

One of the foundational aspects of Orquesta is that our AI agents run on your machine, not in the cloud. This means your code never leaves your infrastructure, eliminating the risk of interception or unauthorized access during transmission.

  • AES-256 Encryption: We employ AES-256 encryption for credentials, ensuring that sensitive information remains secure within your local environment.
  • Full Audit Trails: Every action, prompt, and output is logged. This granular level of detail provides comprehensive audit trails, allowing you to trace changes and understand the actions of each agent.

Why Cloud Isn’t Always the Answer

Cloud sandboxes can be a double-edged sword. They offer the allure of simplicity and reduced local resource usage but often at the expense of security:

  • Data Leakage Risks: Transmitting code to the cloud invariably increases the attack surface. Even with encrypted channels, the potential for data leakage remains a concern.
  • Third-party Dependencies: Trusting third-party services with your code introduces another layer of potential vulnerabilities.

The Orquesta Approach

Our architecture is built around the principle that security should be the default. Here's how we do it:

Local AI Agent

The Orquesta AI agent uses the Claude CLI running on your local machine. This ensures that every operation, from generating code to creating pull requests and deployments, happens within your secure perimeter.

# Example of running Claude CLI locally
orquesta agent start --local

Quality Gates and Team Collaboration

We understand that in a team environment, it’s crucial to have checks and balances:

  • Quality Gates: Before any code change is executed, it passes through quality gates where simulated changes are reviewed.
  • Team Sign-off: Team leads have the opportunity to review and sign off on changes, adding an extra layer of oversight.

Collaboration Without Compromise

With Orquesta, you can invite team members to submit prompts and collaborate without compromising security. Role-based permissions allow granular access control, ensuring that team members can perform only the actions they are authorized to perform.

The Embedded Security of CLAUDE.md

We enforce coding standards on every agent execution through our CLAUDE.md sync. This ensures that every piece of code adheres to your organization's best practices, further reducing the risk of security vulnerabilities.

Comprehensive Monitoring

Our Agent Grid feature allows you to monitor dozens of agents from a single screen, each with a live terminal streaming in real time. This visibility means you can spot irregularities as they happen, rather than after the fact.

Conclusion

Keeping code local is more than a technical choice; it’s a commitment to security and control. At Orquesta, we’ve seen firsthand the advantages of this approach, providing teams with the tools they need to safeguard their code without sacrificing collaboration or efficiency.

Ultimately, local execution isn’t just a matter of preference—it’s a necessity in a landscape where threats are continuously evolving. By ensuring that your code stays within your infrastructure, you’re taking a proactive stance in protecting what matters most.
