apunkt/vestige
1
0
Fork 0
mirror of https://github.com/samvallad33/vestige.git synced 2026-04-25 00:36:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

fix: accurate science claims, security docs, remove hardcoded path

Browse source 
## Changes

### README.md
- Fix FSRS-6 formula: power law (not exponential Ebbinghaus)
- Correct formula: R(t,S) = (1 + factor × t/S)^(-w₂₀)
- Honest "The Science" table showing what's fully implemented vs inspired
- Added / indicators for implementation accuracy
- Transparency note about honest marketing

### demo.sh
- Remove hardcoded /Users/entity002 path (security/privacy)
- Use relative path with fallback: ${VESTIGE:-$(dirname "$0")/...}

### SECURITY.md (new)
- Document trust model and security boundaries
- Explain data storage locations
- List input validation measures
- Security contact process

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Sam Valladares 2026-01-25 20:29:37 -06:00
parent 3a4a19fa20
commit 29130c3068
3 changed files with 94 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

33
README.md
View file

@ -249,17 +249,20 @@ This prevents duplicate memories and keeps your knowledge base clean.
### FSRS-6 Spaced Repetition ### FSRS-6 Spaced Repetition
Memories decay over time following the **Ebbinghaus forgetting curve**: Memories decay over time following a **power law forgetting curve** (not exponential):
``` ```
Retention = e^(-time/stability) R(t, S) = (1 + factor × t / S)^(-w₂₀)
where factor = 0.9^(-1/w₂₀) - 1
``` ```
- Memories you access stay strong - `R` = retrievability (probability of recall)
- Memories you ignore fade naturally - `t` = time since last review
- No manual cleanup required - `S` = stability (time for R to drop to 90%)
- `w₂₀` = personalized decay parameter (0.1-0.8)
FSRS-6 uses 21 parameters optimized on millions of Anki reviews—30% more efficient than SM-2. FSRS-6 uses 21 parameters optimized on 700M+ Anki reviews—[30% more efficient than SM-2](https://github.com/open-spaced-repetition/srs-benchmark).
### Memory States ### Memory States
@ -276,17 +279,17 @@ Based on accessibility, memories exist in four states:
## The Science ## The Science
Vestige implements concepts from memory research: Vestige is **inspired by** memory research. Here's what's actually implemented:
| Feature | Inspired By | Reference | | Feature | Research Basis | Implementation |
|---------|-------------|-----------| |---------|----------------|----------------|
| Spaced repetition | FSRS-6 algorithm | [Piotr Wozniak, 2022](https://github.com/open-spaced-repetition/fsrs4anki) | | **Spaced repetition** | [FSRS-6](https://github.com/open-spaced-repetition/fsrs4anki) | ✅ Fully implemented (21-parameter power law model) |
| Storage vs Retrieval strength | Bjork's New Theory of Disuse | [Bjork & Bjork, 1992](https://psycnet.apa.org/record/1992-97586-004) | | **Context-dependent retrieval** | [Tulving & Thomson, 1973](https://psycnet.apa.org/record/1973-31800-001) | ✅ Fully implemented (temporal, topical, emotional context matching) |
| Retroactive importance | Synaptic Tagging & Capture | [Frey & Morris, 1997](https://www.nature.com/articles/385533a0) | | **Dual-strength model** | [Bjork & Bjork, 1992](https://bjorklab.psych.ucla.edu/wp-content/uploads/sites/13/2016/07/RBjork_EBjork_1992.pdf) | ⚡ Simplified (storage + retrieval strength tracked separately) |
| Context-dependent retrieval | Encoding Specificity Principle | [Tulving & Thomson, 1973](https://psycnet.apa.org/record/1973-31800-001) | | **Retroactive importance** | [Frey & Morris, 1997](https://www.nature.com/articles/385533a0) | ⚡ Inspired (temporal window capture, not actual synaptic biochemistry) |
| Forgetting curve | Ebbinghaus decay function | [Ebbinghaus, 1885](https://en.wikipedia.org/wiki/Forgetting_curve) | | **Memory states** | Multi-store memory models | ⚡ Heuristic (accessibility-based state machine) |
> **Note**: These are *simplified models inspired by* cognitive science research, designed to be practical for AI memory management. They are not literal implementations of neural biochemistry. > **Transparency**: The ✅ features closely follow published algorithms. The ⚡ features are engineering heuristics *inspired by* the research—useful approximations, not literal neuroscience. We believe in honest marketing.
--- ---

75
SECURITY.md Normal file
View file

@ -0,0 +1,75 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Reporting a Vulnerability
If you discover a security vulnerability in Vestige, please report it responsibly:
1. **DO NOT** open a public GitHub issue
2. Email the maintainer directly (see GitHub profile)
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect a response within 48 hours.
## Security Model
### Trust Boundaries
Vestige is a **local MCP server** designed to run on your machine with your user permissions:
- **Trusted**: The MCP client (Claude Code/Desktop) that connects via stdio
- **Untrusted**: Content passed through MCP tool arguments (validated before use)
### What Vestige Does NOT Do
- ❌ Make network requests (except first-run model download from Hugging Face)
- ❌ Execute shell commands
- ❌ Access files outside its data directory
- ❌ Send telemetry or analytics
- ❌ Phone home to any server
### Data Storage
All data is stored locally in SQLite:
| Platform | Location |
|----------|----------|
| macOS | `~/Library/Application Support/com.vestige.core/vestige.db` |
| Linux | `~/.local/share/vestige/core/vestige.db` |
| Windows | `%APPDATA%\vestige\core\vestige.db` |
**Note**: Data is stored in plaintext. If you need encryption at rest, use OS-level encryption (FileVault, BitLocker, LUKS).
### Input Validation
All MCP tool inputs are validated:
- Content size limit: 1MB max
- Query length limit: 1000 characters
- FTS5 queries are sanitized to prevent injection
- All SQL uses parameterized queries (`params![]` macro)
### Dependencies
We use well-maintained dependencies and run `cargo audit` regularly. Current status:
- **Vulnerabilities**: 0
- **Warnings**: 2 (unmaintained transitive dependencies with no known CVEs)
## Security Checklist
- [x] No hardcoded secrets
- [x] Parameterized SQL queries
- [x] Input validation on all tools
- [x] No command injection vectors
- [x] No unsafe Rust code
- [x] Dependencies audited

2
demo.sh
View file

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# Vestige Demo Script - Shows real-time memory operations # Vestige Demo Script - Shows real-time memory operations
VESTIGE="/Users/entity002/Developer/vestige/target/release/vestige-mcp" VESTIGE="${VESTIGE:-$(dirname "$0")/target/release/vestige-mcp}"
# Colors for pretty output # Colors for pretty output
GREEN='\033[0;32m' GREEN='\033[0;32m'