Why local-first?
XTagger stores all data in your browser's IndexedDB. There is no server, no account, and no network call to any XTagger infrastructure, ever. This page explains the reasoning behind that decision.
The alternative is worse than it looks
The obvious alternative is a sync backend: your tags live in a database we operate, you log in, everything syncs across devices. It sounds convenient. But it means:
- We know who you tag and why. Your annotation of a politician as "untrustworthy" or a journalist as "corporate shill" is private opinion. A server that stores it can be subpoenaed, breached, or sold.
- We can discontinue the service. When the server goes away, your years of careful tagging vanish. This has happened repeatedly to bookmarking services, RSS readers, and social annotation tools.
- You depend on our security posture. A breach of our server exposes not just your email address but the full graph of your opinions about public figures.
None of these risks exist in XTagger's model because we have nothing to breach, discontinue, or be compelled to hand over.
What local-first means in practice
Your data lives in IndexedDB inside your browser profile. It is subject to the same protections as your browser history, saved passwords, and session cookies: encrypted at rest by your operating system, cleared when you clear browser data, portable via browser profile export.
The extension manifest requests only the permissions it needs:
- storage: read and write IndexedDB
- activeTab: inject the tag UI into the current page
- contextMenus: add the right-click tagging option
No http://*/* host permission. No identity. No background network access.
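One way to check a manifest against the permission list above, as an added example that is not XTagger's own code. Both manifest objects are constructed samples, and `auditManifest` is a hypothetical helper name.

```javascript
// Added example: audit a WebExtension manifest against the permission set
// this page states. The sample manifests are constructed, not XTagger's file.
const ALLOWED = new Set(["storage", "activeTab", "contextMenus"]);

// Match patterns grant host access (Manifest V2 listed them under "permissions").
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);

function auditManifest(manifest) {
  const findings = [];
  const list = (key) => (Array.isArray(manifest[key]) ? manifest[key] : []);

  for (const key of ["permissions", "optional_permissions"]) {
    for (const p of list(key)) {
      if (isHostPattern(p)) findings.push(`${key}: host access ${p}`);
      else if (!ALLOWED.has(p)) findings.push(`${key}: unexpected permission ${p}`);
    }
  }
  for (const key of ["host_permissions", "optional_host_permissions"]) {
    for (const p of list(key)) findings.push(`${key}: host access ${p}`);
  }
  // Static content scripts run on matching pages without any "permissions" entry.
  for (const cs of list("content_scripts")) {
    for (const m of cs.matches || []) findings.push(`content_scripts: runs on ${m}`);
  }
  return findings;
}

// Constructed manifest matching the page's description.
const statedManifest = {
  manifest_version: 3,
  name: "example",
  permissions: ["storage", "activeTab", "contextMenus"],
};

// Constructed manifest that drifted: adds identity and a broad host pattern.
const driftedManifest = {
  manifest_version: 3,
  name: "example",
  permissions: ["storage", "activeTab", "contextMenus", "identity"],
  host_permissions: ["http://*/*"],
};

console.log(auditManifest(statedManifest));  // → []
console.log(auditManifest(driftedManifest)); // → two findings
```

This covers declared permissions only. Confirming that an installed build makes no network requests also means watching its traffic in the browser's developer tools.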
Exports are your escape hatch. The XTAG: format is an open JSON schema with a checksum. If XTagger ceased development tomorrow, your exports would remain readable and importable by any tool that implements the same schema.
The tradeoff: no automatic sync
The one genuine cost of local-first is that your tags do not automatically appear on a second device. If you use X.com on a desktop and a laptop, you will need to export from one and import to the other when you want to sync.
We consider this an acceptable tradeoff. Implementing sync properly (with end-to-end encryption, zero-knowledge architecture, access controls, and audit logs) is a much larger surface area to get right. Doing it badly would be worse than not doing it.
Cross-device sync via an encrypted relay is on the roadmap, but it will not ship until we can do it with zero visibility into your content.
Further reading
- Privacy by Design: what data exists and where
- How the extension works: technical overview