If you discover a security vulnerability, please report it responsibly:

1. Do not open a public GitHub issue
2. Email: security@star.ga
3. Include: description, reproduction steps, impact assessment
4. Expected response time: 48 hours

We aim to release a fix within 7 days for critical issues.

mind-mem is a local-first library that operates entirely on the user's filesystem. It has no network listeners in its default configuration (stdio MCP transport). The optional HTTP transport binds to 127.0.0.1 by default.

• All workspace data stored locally (no cloud sync by default)
• File-level locking prevents concurrent corruption
• Content hashes verify data integrity

All external inputs are validated at system boundaries:

• File paths: _safe_resolve() in apply_engine.py resolves paths within the workspace and rejects any that escape via .. or symlinks. Used by the governance engine before writing any file.
• Tar extraction: _is_safe_tar_member() in backup_restore.py validates every tar member before extraction — rejects absolute paths, directory traversal, symlinks, hardlinks, and device files.
• Block IDs: Validated against [A-Z]+-[A-Za-z0-9-]+ pattern. IDs containing path separators or special characters are rejected.
• SQL queries: FTS5 queries use parameterized statements (SQL injection safe). No user input is ever interpolated into SQL strings.
• Path traversal prevention: via _safe_resolve()
• Configuration values: clamped to safe ranges
• MCP tool inputs: All tool parameters are validated by the FastMCP schema layer before reaching handler functions.

• Zero external dependencies in core — the recall engine, governance pipeline, and all core modules use only Python 3.10+ stdlib (sqlite3, json, hashlib, os, re, argparse, fcntl/msvcrt).
• Optional dependencies are clearly documented and isolated: sentence-transformers (vector search), onnxruntime (ONNX embeddings), fastmcp (MCP server). None are required for core functionality.
• No dependency on eval(), exec(), pickle, subprocess with shell=True, or any code execution primitives in the data path.
• Dependabot monitors for known vulnerabilities

• Advisory file locks: MindFileLock (mind_filelock.py) provides cross-platform locking using fcntl.flock() on Unix and msvcrt.locking() on Windows. Stale locks are detected via PID liveness checks.
• SQLite WAL mode: All database connections use PRAGMA journal_mode=WAL for concurrent readers, PRAGMA busy_timeout=3000 for writer contention, and timeout=5 on sqlite3.connect(). The ConnectionManager (v1.8.0+) provides thread-local read connections with PRAGMA query_only=ON and a single serialized writer protected by threading.Lock.
• Atomic writes: Apply engine writes to temp files then renames, preventing partial writes on crash.

• Governance mode defaults to detect_only (read-only analysis, no automatic changes)
• HTTP transport binds to 127.0.0.1 only (no external network exposure)
• Token auth is enforced when MIND_MEM_TOKEN is set; unauthenticated requests are rejected
• Proposal budget limits prevent runaway automation: 3 proposals per run, 6 per day, 30 backlog max
• File watcher debounces at 2 seconds to prevent resource exhaustion from rapid file changes

This project has been self-audited against the following:

• OWASP Top 10 for LLM Applications (2025)
• No eval()/exec()/pickle in data paths
• No shell=True subprocess calls
• All SQL queries parameterized
• All file paths validated against traversal
• All tar/archive extraction validated against zip-slip
• Concurrent access protected (file locks + SQLite WAL)
• No hardcoded credentials or secrets
• Token auth on HTTP transport
• Rate limiting via proposal budgets