Your data.
Your machine.
Their browser.

Peer-to-Peer-to-People.
The Sovereignty Principle, in one command.

Sensitive data can't leave the site.
But analysis is collaborative.

  • Healthcare, legal, finance — uploading a KLS to someone else's cloud is simply not an option. Legal weight.
  • But the CFO wants headline numbers on their iPad — and the consultant reviews from Zurich, and the auditor verifies from Bern.
  • These people are rarely in the same room — or on the same network, or willing to install software.
  • Traditional tools force a choice — upload everything to the cloud, or stay local and lonely. P2P2P refuses the choice.

KLS stays on your machine.
Explorer becomes a query router.

On Your Machine
The proxy opens the KLS read-only.
A Cloudflare Tunnel punches through NAT.
SQL whitelist blocks writes.

Your data. Never leaves.

In the Cloud
Explorer renders the UI.
Routes queries through the tunnel.
Stores nothing — pass-through only.

The UI. Horizontally scalable.

In Their Browser
CFO, auditor, consultant.
Click the URL, browse findings.
No login, no install.

The insight. Delivered.

Build. Share. Unplug.

Build
jinflow make
KLS lives on your machine.
Nothing uploaded.

Share
jinflow-proxy --tunnel
Get a URL.
Send it to whoever needs it.

Unplug
Ctrl+C.
Data disappears from the internet. Instantly.

No R2 credentials. No bucket policies. No revocation latency.
The proxy is running only as long as you want it to be.

The decision is physical, not administrative.

  • You don't revoke a permission — you unplug. Ctrl+C removes the data from the internet. Revocation latency is zero.
  • KLS opened read-only. SQL whitelist: SELECT / WITH / SHOW / DESCRIBE / PRAGMA only. Writes are blocked at the transport layer.
  • Explorer stores nothing. Query results pass through — they are never written to disk. The proxy directory is in-memory and wiped on restart.
  • Cloudflare Tunnel = HTTPS. TLS everywhere. Tunnel URLs are random subdomains; for production, named tunnels with access policies.
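
A first-keyword allowlist like the one listed above has to survive leading comments, stacked statements and quoted semicolons before it means anything. The sketch below is an added example, not jinflow's code (the page does not show its check); `code_only`, `check_query`, the `WRITE_VERBS` set and the PRAGMA rule are assumptions, and it assumes standard SQL quoting with doubled quotes as escapes.

```python
import re

ALLOWED = {"SELECT", "WITH", "SHOW", "DESCRIBE", "PRAGMA"}  # list from the page
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}  # assumption, not from the page

def code_only(sql):
    """Return sql with comments dropped and quoted text emptied."""
    out, i = [], 0
    while i < len(sql):
        if sql.startswith("--", i):            # line comment: skip to end of line
            i = (sql + "\n").index("\n", i)
        elif sql.startswith("/*", i):          # block comment
            end = sql.find("*/", i + 2)
            if end < 0:
                raise ValueError("unterminated comment")
            out.append(" ")
            i = end + 2
        elif sql[i] in "'\"":                  # string literal or quoted identifier
            quote, j = sql[i], i + 1
            while True:
                j = sql.find(quote, j)
                if j < 0:
                    raise ValueError("unterminated quote")
                if sql[j + 1:j + 2] != quote:  # a doubled quote is an escape
                    break
                j += 2
            out.append(quote * 2)
            i = j + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)

def check_query(sql):
    """Return (allowed, reason) for one client-supplied query string."""
    try:
        stmts = [s for s in code_only(sql).split(";") if s.strip()]
    except ValueError as exc:
        return False, str(exc)
    if len(stmts) != 1:
        return False, "exactly one statement required"
    words = re.findall(r"[A-Z_]+", stmts[0].upper())
    if not words or words[0] not in ALLOWED:
        return False, "leading keyword not on allowlist"
    if words[0] == "WITH" and WRITE_VERBS & set(words):  # CTE in front of DML
        return False, "write verb after WITH"
    if words[0] == "PRAGMA" and "=" in stmts[0]:         # PRAGMA name = value sets state
        return False, "PRAGMA assignment"
    return True, "ok"
```

A filter of this kind is a second layer: opening the KLS read-only is the control that still holds if a statement the filter did not anticipate gets through.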

Data sovereignty = the owner decides, moment by moment.

Stealth mode. Identified mode.
You choose, per session.

Stealth (default)
No login, no account, no trace. Click the URL, browse.
Lowest-friction path to value. Answers "what does this do?" before asking "who are you?"

Identified (opt-in)
GitHub OAuth. Unlocks notebook, bookmarks, audit trail.
For regulatory reviews, consulting engagements, audit-grade sessions.

The owner decides
jinflow-proxy --tunnel (stealth)
jinflow-proxy --tunnel --require-auth (identified)
One flag flips the trust model.

Capabilities are unified
Same requireCapability() system across all deployment modes.
The code paths converge. The only variable is how identity is established.

P2P2P is not always-on.
That is the feature, not the limit.

Cloud (R2)
Data in a bucket.
Encrypted at rest.
IAM policies, bucket ACLs.
Revocation: minutes.

Always on. Data in cloud.

P2P2P
Data on your machine.
Physical access control.
Ctrl+C revokes everything.
Revocation: instant.

On when you say so.

Both can coexist
The tenant picker shows both.
Non-sensitive tenants in R2, sensitive tenants via proxy.

Same UI. Same queries.

Browser → Explorer → Tunnel → KLS → Back.

Browser: CFO, auditor
Explorer: renders UI
Tunnel: TLS
Your KLS: read-only

The Explorer stores nothing. The tunnel is stateless.
Your KLS answers queries from your machine. Results travel back the same way.

No replication. No caching. No persistence outside your house.

Your data.
Your machine.
Their browser.

Your hospital's data never leaves your server room.
But your CFO, consultant, and auditor all see live findings.
All at the same time. All through a single URL.

Close the laptop. The data vanishes from the internet. Instantly.

jinflow.io