Read-only first
Discovery lists and classifies files; it does not delete, rename or upload by default.
Authorised access only
Choose exactly what BuildProof can inspect.
This area records the permission model for local folders, connected repo services and authorised hosting accounts. The private engine starts read-only and requires explicit action before any move, archive or repair packaging step.
No hidden scanningSelected sources onlyNo cloud upload by default
Selected folders only
Device discovery only scans the roots you provide in the command.
Authorised connectors only
Repo and hosting discovery require your token or CLI login.
Private reports
Full paths and sensitive findings stay in private reports unless you export a public-safe pack.
Private engine commands
Run from the local-engine folder. Tokens stay outside the public dashboard.
npm run permissions:plan
npm run discover:device -- ./chosen-folderPermission rule
Only scan folders, accounts and servers you own or have explicit permission to inspect.
Action rule
Discovery creates reports and queues. Move, delete, archive or repair actions require a separate explicit choice.
Proof rule
Private reports keep technical detail. Public-safe exports hide paths, source detail, tokens and repair internals.