Why local-first belongs in the Charter
Cognitive liberty is not only a legal promise. It is an architecture. Prompt logs, pasted system summaries, private drafts, legal questions, browser diagnostics, source records, and persona files become surveillance surfaces when they are sent to remote systems by default.
The browser-local reports show a practical path: deterministic rules, local storage, service workers, WebAssembly, local vector search, finite-state matching, and optional local models can produce serious triage without turning every prompt into a server-side record.
No prompt leaves by default.
Local pipeline
| Layer | Recommended approach | Cognitive-liberty reason |
|---|
| Input | Sanitize and process in browser memory. | Avoid unnecessary disclosure of private notes. |
| Pattern detection | Deterministic dictionaries and finite-state matching. | Make classification inspectable. |
| Semantic search | Local embeddings or precomputed vectors. | Avoid remote inference over sensitive text. |
| Rules | Deterministic JSON/YAML rule engine. | Keep the model from becoming the judge. |
| Storage | IndexedDB, OPFS, SQLite-Wasm, export packets. | User-held records and rollback. |
| Network | Opt-in only, visible payload preview. | Consent must be specific and revocable. |
Design prohibition
A local diagnostic may evaluate a use case, system risk, route, or artifact. It must not create a hidden user profile, moral score, future-danger label, trustworthiness grade, or reportable-topic record.
If remote assistance is enabled, the system should show exactly what will be sent, redact where possible, retain a local audit record, and provide a permanent off switch.
Mini manifest
{
"tool": "browser-local-sovereign-tool",
"defaults": {
"network": "off",
"prompt_retention": "local_only",
"person_judgment": "prohibited",
"source_mutation": "prohibited"
},
"user_controls": [
"export",
"delete",
"rollback",
"view_payload_before_remote_call"
]
}
