Vitals
- Version: v0.44.0 (Released 2026-04-29)
- Velocity: Active (Last commit 2026-05-01)
- Community: 20.2k Stars · 2.4k Forks
- Backlog: 282 Open Issues
Profile
- Official: dyad.sh
- Source: github.com/dyad-sh/dyad
- License: Apache 2.0 (Core) | FSL 1.1 (Pro)
- Deployment: Desktop App | Docker
- Data Model: Local SQLite / Local Files
- Jurisdiction: United States 🇺🇸 (Dyad Tech, Inc.) | United Kingdom 🇬🇧 (Dyad AI Ltd.)
- Compliance (SaaS): GDPR | UK GDPR
- Compliance (Self-Hosted): HIPAA Eligible | GDPR Ready | ISO 27001 Ready
- Complexity: Low (1/5) - Desktop Installer / Docker
- Maintenance: Low (1/5) - Local binary / container updates
- Enterprise Ready: High (4/5) - Local-first architecture enables secure BYOK
1. The Executive Summary
What is it? Dyad is an autonomous AI coding agent and application builder designed as a secure, local-first alternative to cloud-hosted tools like Bolt.new or Replit. By operating primarily on the developer's local machine and supporting "Bring Your Own Key" (BYOK) model connectivity (e.g., Azure OpenAI), it ensures that proprietary source code and sensitive prompts remain within the organization's secure perimeter.
The Strategic Verdict:
- 🔴 For Hosted Pro/Max Credits: Caution. For teams using Dyad's hosted AI credits rather than BYOK, data is proxied through their servers. While encrypted and non-training, it represents a cloud transit point for organizations with strict "No-Cloud" mandates.
- 🟢 For Engineering Governance: Strong Buy (BYOK Mode). By enforcing corporate API keys within Dyad's local-first architecture, organizations can empower developers with autonomous AI building capabilities while maintaining 100% data sovereignty and preventing IP leaks.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Bolt.new (SaaS) | Dyad (Self-Hosted) |
|---|---|---|
| User Seat Fee | ~$20+/user/mo | $0 (Apache 2.0 Core) |
| Model API Cost | Bundled (Opaque) | Direct (Pay-per-token) |
| Data Residency | Vendor-Dependent | Local (Zero Exposure) |
| IP Protection | Shared Responsibility | Full Local Ownership |
3. The "Day 2" Reality Check
Deployment & Operations
- Installation: Available as a standard desktop application (macOS/Windows/Linux) or via Docker for centralized team environments. Its local-first design ensures high responsiveness and offline capability.
- Interoperability: Output is standard React/TypeScript code. Projects are stored in standard local directories, ensuring they can be opened in any IDE (Cursor, VS Code) or deployed to any provider (Vercel, Netlify) without vendor lock-in.
Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics: Dyad Tech, Inc. is a US-based entity (Boston), with a UK subsidiary (London) registered with the ICO (ZB613404). This dual-jurisdiction footprint provides a familiar legal framework for Western enterprises. Self-hosting via BYOK mode mitigates US cloud jurisdiction concerns (e.g., the CLOUD Act) as code never leaves the local disk.
- The Compliance Shift: Using the local-first application facilitates HIPAA and GDPR compliance by keeping data on-premises. However, the "Shared Responsibility" model shifts to the user: your IT team is responsible for securing the local device, managing API key rotation, and ensuring the underlying OS is patched.
- The License Risk (FSL-1.1): While the core is Apache 2.0, advanced "Pro" features (like Agent Mode and Smart Context) are licensed under FSL 1.1. This restricts "Competing Use" (you cannot sell a competing AI app builder based on Dyad's Pro code), but allows for full internal enterprise use and modification.
4. Market Landscape
Proprietary Incumbents
- Bolt.new: Leading "one-prompt" app builder but strictly cloud-hosted, creating high IP risk for enterprise codebases.
- Replit Agent: Highly integrated but locks the organization into the Replit cloud ecosystem and data policies.