vestige/SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.1.x   | :white_check_mark: |
| 1.0.x   | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability in Vestige, please report it responsibly:

1. **DO NOT** open a public GitHub issue
2. Email the maintainer directly (see GitHub profile)
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

You can expect a response within 48 hours.

## Security Model

### Trust Boundaries

Vestige is a **local MCP server** designed to run on your machine with your user permissions:

- **Trusted**: The MCP client (Claude Code/Desktop) that connects via stdio
- **Untrusted**: Content passed through MCP tool arguments (validated before use)

### What Vestige Does NOT Do

- ❌ Make network requests (except first-run model download from Hugging Face)
- ❌ Execute shell commands
- ❌ Access files outside its data directory
- ❌ Send telemetry or analytics
- ❌ Phone home to any server

### Data Storage

All data is stored locally in SQLite:

| Platform | Location |
|----------|----------|
| macOS | `~/Library/Application Support/com.vestige.core/vestige.db` |
| Linux | `~/.local/share/vestige/core/vestige.db` |
| Windows | `%APPDATA%\vestige\core\vestige.db` |

**Default**: Data is stored in plaintext with owner-only file permissions (0600).

### Encryption at Rest

For database-level encryption, build with SQLCipher:
```bash
cargo build --no-default-features --features encryption,embeddings,vector-search
```
Set `VESTIGE_ENCRYPTION_KEY` environment variable. SQLCipher encrypts all database files including the WAL journal. Alternatively, use OS-level encryption (FileVault, BitLocker, LUKS).

### Input Validation

All MCP tool inputs are validated:

- Content size limit: 1MB max
- Query length limit: 1000 characters
- FTS5 queries are sanitized to prevent injection
- All SQL uses parameterized queries (`params![]` macro)

### Dependencies

We use well-maintained dependencies and run `cargo audit` regularly. Current status:

- **Vulnerabilities**: 0
- **Warnings**: 2 (unmaintained transitive dependencies with no known CVEs)

## Security Checklist

- [x] No hardcoded secrets
- [x] Parameterized SQL queries
- [x] Input validation on all tools
- [x] No command injection vectors
- [x] No unsafe Rust code
- [x] Dependencies audited
fix: accurate science claims, security docs, remove hardcoded path ## Changes ### README.md - Fix FSRS-6 formula: power law (not exponential Ebbinghaus) - Correct formula: R(t,S) = (1 + factor × t/S)^(-w₂₀) - Honest "The Science" table showing what's fully implemented vs inspired - Added ✅/⚡ indicators for implementation accuracy - Transparency note about honest marketing ### demo.sh - Remove hardcoded /Users/entity002 path (security/privacy) - Use relative path with fallback: ${VESTIGE:-$(dirname "$0")/...} ### SECURITY.md (new) - Document trust model and security boundaries - Explain data storage locations - List input validation measures - Security contact process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 20:29:37 -06:00			`# Security Policy`

			`## Supported Versions`

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
release: v1.1.3 — security hardening, edition 2024, dependency updates Security: - Fix RUSTSEC-2026-0007 (bytes integer overflow) - Restrict SQLite database file permissions to 0600 on Unix - Add 100KB size limit to intention descriptions (DoS prevention) - Redact JSON-RPC payloads from debug logs (data leakage prevention) - Update SECURITY.md with encryption docs and supported versions Modernization: - Upgrade Rust edition 2021 → 2024, MSRV 1.75 → 1.85 - Upgrade actions/checkout@v4 → v5, codecov/codecov-action@v3 → v5 - Update all dependencies to latest compatible versions - Fix edition 2024 match ergonomics in compression.rs Clippy fixes: - Rename from_str → parse_name to avoid shadowing FromStr trait - Replace .max().min() with .clamp() - Replace sort_by with sort_by_key Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 03:19:07 -06:00			`\| 1.1.x \| :white_check_mark: \|`
			`\| 1.0.x \| :x: \|`
fix: accurate science claims, security docs, remove hardcoded path ## Changes ### README.md - Fix FSRS-6 formula: power law (not exponential Ebbinghaus) - Correct formula: R(t,S) = (1 + factor × t/S)^(-w₂₀) - Honest "The Science" table showing what's fully implemented vs inspired - Added ✅/⚡ indicators for implementation accuracy - Transparency note about honest marketing ### demo.sh - Remove hardcoded /Users/entity002 path (security/privacy) - Use relative path with fallback: ${VESTIGE:-$(dirname "$0")/...} ### SECURITY.md (new) - Document trust model and security boundaries - Explain data storage locations - List input validation measures - Security contact process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 20:29:37 -06:00
			`## Reporting a Vulnerability`

			`If you discover a security vulnerability in Vestige, please report it responsibly:`

			`1. DO NOT open a public GitHub issue`
			`2. Email the maintainer directly (see GitHub profile)`
			`3. Include:`
			`- Description of the vulnerability`
			`- Steps to reproduce`
			`- Potential impact`
			`- Suggested fix (if any)`

			`You can expect a response within 48 hours.`

			`## Security Model`

			`### Trust Boundaries`

			`Vestige is a local MCP server designed to run on your machine with your user permissions:`

			`- Trusted: The MCP client (Claude Code/Desktop) that connects via stdio`
			`- Untrusted: Content passed through MCP tool arguments (validated before use)`

			`### What Vestige Does NOT Do`

			`- ❌ Make network requests (except first-run model download from Hugging Face)`
			`- ❌ Execute shell commands`
			`- ❌ Access files outside its data directory`
			`- ❌ Send telemetry or analytics`
			`- ❌ Phone home to any server`

			`### Data Storage`

			`All data is stored locally in SQLite:`

			`\| Platform \| Location \|`
			`\|----------\|----------\|`
			\| macOS \| `~/Library/Application Support/com.vestige.core/vestige.db` \|
			\| Linux \| `~/.local/share/vestige/core/vestige.db` \|
			\| Windows \| `%APPDATA%\vestige\core\vestige.db` \|

release: v1.1.3 — security hardening, edition 2024, dependency updates Security: - Fix RUSTSEC-2026-0007 (bytes integer overflow) - Restrict SQLite database file permissions to 0600 on Unix - Add 100KB size limit to intention descriptions (DoS prevention) - Redact JSON-RPC payloads from debug logs (data leakage prevention) - Update SECURITY.md with encryption docs and supported versions Modernization: - Upgrade Rust edition 2021 → 2024, MSRV 1.75 → 1.85 - Upgrade actions/checkout@v4 → v5, codecov/codecov-action@v3 → v5 - Update all dependencies to latest compatible versions - Fix edition 2024 match ergonomics in compression.rs Clippy fixes: - Rename from_str → parse_name to avoid shadowing FromStr trait - Replace .max().min() with .clamp() - Replace sort_by with sort_by_key Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 03:19:07 -06:00			`Default: Data is stored in plaintext with owner-only file permissions (0600).`

			`### Encryption at Rest`

			`For database-level encryption, build with SQLCipher:`
			```bash
			`cargo build --no-default-features --features encryption,embeddings,vector-search`
			```
			Set `VESTIGE_ENCRYPTION_KEY` environment variable. SQLCipher encrypts all database files including the WAL journal. Alternatively, use OS-level encryption (FileVault, BitLocker, LUKS).
fix: accurate science claims, security docs, remove hardcoded path ## Changes ### README.md - Fix FSRS-6 formula: power law (not exponential Ebbinghaus) - Correct formula: R(t,S) = (1 + factor × t/S)^(-w₂₀) - Honest "The Science" table showing what's fully implemented vs inspired - Added ✅/⚡ indicators for implementation accuracy - Transparency note about honest marketing ### demo.sh - Remove hardcoded /Users/entity002 path (security/privacy) - Use relative path with fallback: ${VESTIGE:-$(dirname "$0")/...} ### SECURITY.md (new) - Document trust model and security boundaries - Explain data storage locations - List input validation measures - Security contact process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 20:29:37 -06:00
			`### Input Validation`

			`All MCP tool inputs are validated:`

			`- Content size limit: 1MB max`
			`- Query length limit: 1000 characters`
			`- FTS5 queries are sanitized to prevent injection`
			- All SQL uses parameterized queries (`params![]` macro)

			`### Dependencies`

			We use well-maintained dependencies and run `cargo audit` regularly. Current status:

			`- Vulnerabilities: 0`
			`- Warnings: 2 (unmaintained transitive dependencies with no known CVEs)`

			`## Security Checklist`

			`- [x] No hardcoded secrets`
			`- [x] Parameterized SQL queries`
			`- [x] Input validation on all tools`
			`- [x] No command injection vectors`
			`- [x] No unsafe Rust code`
			`- [x] Dependencies audited`