OpenKnowledge

What OpenKnowledge writes to your system

Every file OpenKnowledge creates or changes — when, where, in-project vs. your home directory — plus the opt-outs and what leaves your machine (nothing by default).

OpenKnowledge keeps your knowledge base as plain markdown in your own project directory, but the tooling around it — the CLI, the MCP server, and the desktop app — also writes a handful of supporting files, some of them outside the project, in your home directory, your shell startup files, your editors' configs, and the macOS Keychain.

This page lists every one of them: when each write happens, what it is, and where it lands. Everything here is verified against the source.

The short version

Nothing leaves your machine by default. Diagnostic logs and telemetry are local-only — there's no usage phone-home. The handful of things that can send data off your machine — semantic search, a diagnostic bundle, GitHub sync, and the desktop app's update check — are opt-in or on-demand, except the desktop app's update check, which runs automatically on launch. All of them are listed under What leaves your machine.

How to read this page

Writes fall into two buckets, and each table's Scope column tells you which:

  • In-project — inside your project folder. Either committed (shared through git with your team) or gitignored (this machine only, under .ok/local/ or .git/).
  • Outside-project — your home directory (~/.ok/, ~/Library/...), your shell startup files (~/.zshrc and friends), your editors' user-level configs, or the macOS Keychain.

There are five moments OpenKnowledge writes to disk: installing the package, ok init, ok start, ok mcp, and the desktop app. Jump to the opt-outs if that's all you need.

When you install the package

Installing @inkeep/open-knowledge from npm (or invoking it with npx) drops the two CLI binaries plus a bundled native addon, and runs a postinstall step that registers a small "discovery" skill so the AI editors on your machine know OpenKnowledge exists.

| Path | What it is | Scope |
| --- | --- | --- |
| ok, open-knowledge (on your PATH) | The two CLI binaries (identical entry point) | Outside-project (npm global/bin) |
| <pkg>/dist/native/ | Bundled native TOML-editing addon, shipped inside the package | Outside-project (package dir) |
| ~/.agents/skills/open-knowledge-discovery/ | The discovery skill — a short instruction file that teaches any agent host how to find and initialize OpenKnowledge. Installed via npx skills add … --agent '*' -g | Outside-project (home dir) |
| ~/.ok/skill-state.yml | Records which skill version is installed, so the step is skipped next time | Outside-project (home dir) |
| ~/.ok/skill-install-events.jsonl | Append-only local log of skill-install attempts | Outside-project (home dir) |

The postinstall step is non-fatal (install always succeeds even if it fails) and version-gated (it does nothing if the current version is already installed). It writes only the discovery skill into the shared ~/.agents/skills/ directory; it does not touch your editors' individual skill folders. The only network access is npm fetching the skills helper.

Opt out

Install with npm install --ignore-scripts to skip the postinstall skill step entirely. You can always add the skills later from ok init.

ok init

ok init turns a folder into an OpenKnowledge project. It scaffolds the project's .ok/ directory, and — unless you pass --no-mcp — registers the open-knowledge MCP server with the AI editors it detects. The MCP registration is surgical: it adds only its own entry and leaves your other settings, comments, and formatting byte-for-byte intact (if a config can't be parsed safely, it's left untouched and reported).

In-project (this project)

| Path | What it is | Scope |
| --- | --- | --- |
| .ok/, .ok/config.yml | Project directory and its config | In-project, committed |
| .ok/.gitignore | Keeps machine-local runtime state (local/, principal.json, server.lock, …) out of git | In-project, committed |
| .okignore | Paths excluded from the editor, search, and agents — see Ignore patterns | In-project, committed |
| .gitignore (project root) | Seeded (with .DS_Store) only when ok init creates a new git repo | In-project, committed |
| .mcp.json, .cursor/mcp.json, .codex/config.toml, opencode.json | Project-scoped MCP registration, one per detected editor (with --scope project or both) | In-project, committed |
| .claude/skills/, .cursor/skills/, .codex/skills/, .opencode/skills/ | Project-local "rich" OpenKnowledge skill (SKILL.md), one per detected editor | In-project, committed |
| .claude/launch.json | Configures Claude Code's preview pane to open the editor (on a local UI port, 39848) | In-project, committed |

Outside-project (user-level editor configs)

With --scope user or both (the default), ok init also registers the open-knowledge MCP server in each detected editor's user-level config, so it's available in every project:

| Path | Editor | Scope |
| --- | --- | --- |
| ~/.claude.json | Claude Code | Outside-project (editor config) |
| ~/Library/Application Support/Claude/claude_desktop_config.json | Claude Desktop | Outside-project (editor config) |
| ~/.cursor/mcp.json | Cursor | Outside-project (editor config) |
| ~/.codex/config.toml | Codex | Outside-project (editor config) |
| ~/.config/opencode/opencode.json | OpenCode | Outside-project (editor config) |

ok init also re-runs the user-global skill install (the discovery skill above) and, if you choose local-only sharing, adds the OpenKnowledge paths to .git/info/exclude so .ok/ stays off your remote.

Controlling it

  • --no-mcp — scaffold .ok/ only; register nothing with any editor.
  • --scope user | project | both — where the MCP entry is written. In an interactive terminal, ok init prompts for this; scripted/CI runs default to both, so pass the flag to constrain them.
  • --local-only (vs --shared) — keep .ok/ out of git.

ok start

ok start runs the collaboration server. Most of what it writes stays inside your project, gitignored under .ok/local/, plus a shadow git repo for the timeline and recovery features. It also runs a few repair sweeps on each boot that can touch files outside the project — see below.

| Path | What it is | Scope |
| --- | --- | --- |
| .ok/local/server.lock, .ok/local/ui.lock | Advertise the running server's and web UI's ports | In-project, gitignored |
| .ok/local/principal.json | Your local identity (id, email) for edit attribution | In-project, gitignored |
| .ok/local/sync-state.json, .ok/local/conflicts.json | GitHub-sync engine state | In-project, gitignored |
| .ok/local/state.json, .ok/local/last-spawn-error.log | State-schema manifest and the UI sibling's error log | In-project, gitignored |
| .ok/local/telemetry/spans-*.jsonl | Local diagnostic spans, rotated at ~50 MB | In-project, gitignored |
| .ok/local/logs/server-*.jsonl | Local server logs, rotated at ~25 MB | In-project, gitignored |
| .ok/local/cache/<branch>/backlinks.json | Backlink-graph cache | In-project, gitignored |
| .git/ok/ | Shadow git repo holding per-writer work-in-progress refs (powers the timeline) | In-project, gitignored (inside .git/) |

Diagnostic logs and telemetry are on by default but local-only — credential-bearing attributes are redacted ([REDACTED]) before anything is written, the files rotate at the size caps above, and nothing leaves the machine until you explicitly run ok diagnose bundle. Turn the local sink off entirely with telemetry.localSink.enabled: false; see Configuration.

Repair sweeps

On each boot, ok start also re-checks a few things that drift as OpenKnowledge updates and rewrites any that have fallen out of the current canonical form — a no-op when nothing has changed. These sweeps only update entries that already exist; they never add one where there wasn't one.

| What it re-checks | Where | Scope |
| --- | --- | --- |
| Existing open-knowledge MCP entries | The same editor configs ok init writes — both user-level (~/.claude.json, ~/.cursor/mcp.json, …) and project-level | Outside-project (editor config) and in-project |
| .claude/launch.json | Your project | In-project, committed |
| OpenKnowledge skill files | Project (.claude/skills/…) and user-global (~/.agents/skills/…) | In-project and outside-project (home dir) |

These are the same sweeps the desktop app runs. Disable all three with OK_RECLAIM_DISABLE=1.

ok mcp

ok mcp is the stdio bridge your editor spawns to talk to the server. It writes nothing to disk — it routes tool calls to a running ok start backend (starting one on the first write).

OK Desktop (macOS app)

The packaged macOS app writes some app-level state and logs, and — because a .dmg app can't put a CLI on your PATH on its own — it manages a PATH shim and shell startup entries so ok works in your terminal too. All of the shell and PATH behavior below is macOS-only, packaged-build-only, and disabled by OK_RECLAIM_DISABLE=1. It never uses sudo, never runs an admin prompt, and never installs a login item.

App data, logs, and updates

| Path | What it is | Scope |
| --- | --- | --- |
| ~/Library/Application Support/OpenKnowledge/state.json | Recent projects, window/view state, update channel | Outside-project (home dir) |
| ~/Library/Application Support/OpenKnowledge/path-install.json | Records the PATH/shell changes it made, so they can be reverted | Outside-project (home dir) |
| ~/.ok/logs/desktop.<date>.log | Desktop app + renderer log | Outside-project (home dir) |
| ~/.ok/mcp-status.json | Records your first-launch MCP-setup consent choice | Outside-project (home dir) |
| ~/Library/Caches/OpenKnowledge-updater/ | Staged auto-update downloads (electron-updater) | Outside-project (home dir) |

The app registers the openknowledge:// URL scheme (for deep links) and checks for updates against the OpenKnowledge GitHub releases feed. Updates are not downloaded automatically until you choose to update; they install on the next quit. Override the feed with OK_UPDATER_FEED_URL.

Shell and PATH

| Path | What it is | Scope |
| --- | --- | --- |
| ~/.ok/bin/ok, ~/.ok/bin/open-knowledge | Symlinks to the CLI bundled inside the app | Outside-project (home dir) |
| ~/.ok/env.sh | A managed shim that prepends ~/.ok/bin to your PATH | Outside-project (home dir) |
| ~/.zshrc, ~/.bash_profile, ~/.config/fish/conf.d/open-knowledge.fish | A fenced managed block that sources ~/.ok/env.sh | Outside-project (shell config) |

The managed block is clearly fenced so you can see and remove it:

# >>> open-knowledge cli >>>
[ -f "$HOME/.ok/env.sh" ] && . "$HOME/.ok/env.sh"
# <<< open-knowledge cli <<<

Delete the block and the app won't re-add it — the removal is recorded and respected. Or set OK_RECLAIM_DISABLE=1 to disable all of this before first launch.

Keeping MCP entries current

On each launch (and on each project open), the app runs the same repair sweeps as ok start — rewriting existing open-knowledge MCP entries, .claude/launch.json, and skill files to the current canonical form, and never adding an entry to an editor that doesn't already have one. On a project open it also rewrites an existing open-knowledge entry in that project's .vscode/settings.json. This keeps a working setup from drifting as the app updates, and is covered by the same first-launch consent and the OK_RECLAIM_DISABLE=1 opt-out.

Your home directory and credentials (~/.ok/)

Pulling the home-directory writes together — this is everything that can live under ~/.ok/, across all of the above:

| Path | What it is | Sensitive? |
| --- | --- | --- |
| ~/.ok/global.yml | User-global config (applies to every project) | No |
| ~/.ok/secrets.yml | Embeddings provider API key for semantic search, if you set one. Written 0600; never in config.yml | Yes (0600) |
| ~/.ok/auth.yml | Auth-token fallback, used only when the Keychain is unavailable. Written 0600 | Yes (0600) |
| ~/.ok/skill-state.yml, ~/.ok/skill-install-events.jsonl | Skill-install bookkeeping | No |
| ~/.ok/stats.jsonl | Local "open with AI" handoff stats — local-only, no phone-home | No |
| ~/.ok/mcp-status.json | Desktop first-launch MCP consent record | No |
| ~/.ok/logs/, ~/.ok/bug-reports/ | Desktop logs and generated diagnostic bundles | No |
| ~/.ok/bin/, ~/.ok/env.sh | Desktop PATH shim (see above) | No |

Auth tokens (for GitHub sync, sharing, and cloning) are stored in the macOS Keychain under the service name open-knowledge. The ~/.ok/auth.yml file is only a fallback for headless environments where the Keychain isn't reachable; when the Keychain becomes available, the token is migrated into it and the file copy is removed.

Opt-outs in one place

| To skip… | Do this |
| --- | --- |
| The postinstall skill install | npm install --ignore-scripts |
| All editor MCP registration in ok init | ok init --no-mcp |
| User-level (vs project) MCP writes | ok init --scope project |
| Committing .ok/ to git | ok init --local-only (or choose "local only" when prompted) |
| The ok start / desktop repair sweeps and the desktop app's shell / PATH changes | OK_RECLAIM_DISABLE=1 (also delete the managed block from your shell config to remove the PATH entry) |
| Local diagnostic logs and telemetry | telemetry.localSink.enabled: false in config |
| Auto-starting the MCP server | OK_MCP_AUTOSTART=0 |

To review or reverse the footprint after the fact, ok diagnose reports what's on disk, and the desktop path-install.json records exactly which shell/PATH changes were made.
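
An independent check of the outside-project footprint listed on this page, as an added example rather than OpenKnowledge's own code: it reports the mode of ~/.ok/secrets.yml and ~/.ok/auth.yml, finds the fenced managed block in the shell startup files, and flags user-level editor configs that mention open-knowledge. The function name audit_home and the finding labels are made up for this example, and it assumes the fish file uses the same fence markers as the block shown above.

```python
"""Audit the outside-project files this page lists (added example, not OpenKnowledge code)."""
import stat
from pathlib import Path

# Paths copied from the tables on this page, relative to the home directory.
SENSITIVE = [".ok/secrets.yml", ".ok/auth.yml"]  # documented as written 0600
SHELL_RC = [".zshrc", ".bash_profile", ".config/fish/conf.d/open-knowledge.fish"]
EDITOR_CONFIGS = [
    ".claude.json",
    "Library/Application Support/Claude/claude_desktop_config.json",
    ".cursor/mcp.json",
    ".codex/config.toml",
    ".config/opencode/opencode.json",
]
BLOCK_START = "# >>> open-knowledge cli >>>"
BLOCK_END = "# <<< open-knowledge cli <<<"


def audit_home(home):
    """Return sorted (kind, relative_path, detail) findings for one home directory."""
    home = Path(home)
    findings = []
    for rel in SENSITIVE:
        path = home / rel
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            # Any group/other bit means the credential file is exposed beyond its owner.
            kind = "perm-ok" if mode & 0o077 == 0 else "perm-loose"
            findings.append((kind, rel, oct(mode)))
    for rel in SHELL_RC:
        path = home / rel
        text = path.read_text(errors="replace") if path.is_file() else ""
        lines = [line.strip() for line in text.splitlines()]
        if BLOCK_START in lines and BLOCK_END in lines:
            inside = lines[lines.index(BLOCK_START) + 1 : lines.index(BLOCK_END)]
            findings.append(("managed-block", rel, " ; ".join(inside)))
        elif BLOCK_START in lines or BLOCK_END in lines:
            findings.append(("managed-block-broken", rel, "only one fence marker present"))
    for rel in EDITOR_CONFIGS:
        path = home / rel
        # Plain substring match on the server name; the config schemas are not parsed here.
        if path.is_file() and "open-knowledge" in path.read_text(errors="replace"):
            findings.append(("mcp-entry", rel, "mentions open-knowledge"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rel, detail in audit_home(Path.home()):
        print(f"{kind:22} ~/{rel}  {detail}")
```

A managed-block finding prints the lines between the fences, so anything other than the single line that sources ~/.ok/env.sh stands out.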

What leaves your machine

By default, nothing. Everything above is written to your own disk. The only ways data leaves your machine are these — all opt-in or on-demand, except the desktop app's update check, which is automatic:

| What | When | Where it goes |
| --- | --- | --- |
| Diagnostic bundle | Only when you run ok diagnose bundle (you can inspect it first) | Wherever you send it |
| Semantic search embeddings | Only when you enable semantic search and set a key — off by default | Your configured embeddings provider (OpenAI by default) |
| GitHub sync / share | When you sync, clone, publish, or share | GitHub |
| Update check | Automatically, on desktop-app launch | OpenKnowledge releases feed (GitHub) |
| npm/npx fetch | During install | The npm registry |

Local diagnostic logs and telemetry are scrubbed of credential-bearing attributes and never sent anywhere on their own.
