The interesting constraint: all API calls happen from the user's machine directly, never proxied through my servers. This was harder than it sounds; it required careful entitlement management and a specific sandboxing approach.
[link to full post on saneapps.com/guides]