Security: durang/JOBrain

docs/security.md

Security & privacy

Where your brain lives

On your disk, at ~/brain/. A normal folder of markdown files and a .git/ directory. Nothing more.

If you configure a remote, it's a git repo you own on a host you choose:

  • GitHub private repo (recommended for most)
  • GitLab private / self-hosted
  • Gitea / Forgejo self-hosted
  • Bare ssh remote on your own server

JOBrain has no server. There's no telemetry, no analytics, no call-home.

What you should NOT put in ~/brain/

Don't store secrets in plain text. That includes:

  • API keys, access tokens, OAuth credentials
  • Private keys (SSH, GPG, TLS)
  • Passwords
  • Full credit card / SSN / PII

Your brain syncs to a git remote. Even private repos have failure modes (accidental public fork, compromised GitHub token, subpoena). Treat brain files as "sensitive but not catastrophic if leaked."
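A pre-commit check that catches the categories listed above before they reach the remote, as an added example (not part of JOBrain): it assumes the ~/brain/ path from this doc, uses only well-known public key formats plus a Luhn check for card numbers, and SAMPLE is a constructed note for trying scan_text on.

```python
"""Pre-commit secret check for a git-synced brain folder (added example, not JOBrain code)."""
import re
from pathlib import Path

DEFAULT_BRAIN = Path.home() / "brain"  # the doc's ~/brain/; scan_brain() accepts another root
# (rule name, regex): well-known public key prefixes plus "password = ..." style assignments.
RULES = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("credential assignment", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers, confirmed by Luhn below


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects plain digit runs (order ids, epochs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_text(text: str, origin: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (origin, line number, rule name) for every suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        hits += [(origin, no, name) for name, rx in RULES if rx.search(line)]
        for m in CARD.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                hits.append((origin, no, "card number (Luhn valid)"))
    return hits


def scan_brain(root: Path = DEFAULT_BRAIN) -> list[tuple[str, int, str]]:
    """Scan every markdown file under root, skipping the .git/ directory."""
    return [h for p in sorted(root.rglob("*.md")) if ".git" not in p.parts
            for h in scan_text(p.read_text(errors="replace"), str(p))]


# Constructed sample note (not real credentials): exactly what the doc says not to keep.
SAMPLE = """# deploy notes
aws key: AKIAIOSFODNN7EXAMPLE
password = hunter2isnotlongenough
card 4111 1111 1111 1111 for the test account
"""

if __name__ == "__main__":  # as a pre-commit hook, a non-zero exit blocks the commit
    found = scan_brain()
    print(*("%s:%d: possible %s" % h for h in found), sep="\n")
    raise SystemExit(1 if found else 0)
```

Wire it in as .git/hooks/pre-commit in ~/brain to refuse commits that contain a hit; the generic assignment rule will occasionally flag prose, so treat it as a prompt to look, not a verdict.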

Encrypted memory (Phase 2)

An opt-in brain encrypt command will wrap selected paths with git-crypt, so specific files (e.g. ~/brain/memory/private/) are encrypted at rest in the remote but decrypted locally via your key.

Until Phase 2, if you need encryption now:

cd ~/brain
git-crypt init
echo "memory/private/** filter=git-crypt diff=git-crypt" >> .gitattributes
git add .gitattributes && git commit -m "Encrypt memory/private with git-crypt"
# Commit .gitattributes before adding files under memory/private/: git-crypt only
# encrypts content committed after the attribute exists; earlier history stays plaintext.
git-crypt status memory/private

Revocation

If a machine gets compromised:

  1. Rotate any secrets stored outside the brain (API keys, tokens).
  2. On a clean machine, git push --force a sanitized history if needed.
  3. brain unlink <harness> on the compromised machine if you can still reach it; otherwise revoke the machine's git credentials.
  4. Your brain survives. Credentials get rotated. That's the drill.