-
Notifications
You must be signed in to change notification settings - Fork 0
Security Hardening
Ragmir reduces document exposure by keeping its index and normal retrieval local. It is not a security certification and does not replace encrypted storage, operating-system isolation, or review of the consumer that receives retrieved passages.
-
.ragmir/is local generated state and should remain ignored by Git. -
local-hashretrieval needs no model or network service. - Built-in redaction runs before indexing.
- Secret-like filenames are skipped and unsupported files are reported.
- Access logs store metadata and salted query identifiers, not raw prompts or retrieved text.
- MCP tools advertise non-destructive behavior, and every tool or resource JSON response is byte-bounded. Search, ask, research, and evaluation conservatively advertise open-world behavior because explicitly enabled semantic models may download public weights. Tools that can append metadata-only logs or initialize local state use conservative read-only and idempotency hints.
- Strict MCP diagnostics mask configured model, storage, source, and access-log paths. Evaluation returns a project-relative golden path and replaces operational errors with a generic message.
- Remote model loading is disabled on the normal confidential path. Downloads require an explicit model preload or remote Transformers opt-in.
rgr doctor
rgr audit --unsupported
rgr security-audit
rgr security-audit --strictRun the strict audit before using a sensitive corpus. Keep the repository and .ragmir/ on encrypted storage when at-rest protection matters, and use one checkout per trust boundary.
Treat Git hosting or a team file-sync service as a separate trust boundary. rgr team sync fetches
only the configured current-branch upstream, uses fast-forward only, and never uploads the corpus
or .ragmir/ state. A Drive client or another synchronization tool follows its own access and
retention policy. Synchronize source files, never an actively written .ragmir/storage/ directory.
| Capability | Boundary |
|---|---|
| Core retrieval | Local by default |
| Hosted consumer | Returned passages follow that provider's data policy |
| Semantic embeddings | Explicit model download, then local inference |
| OCR | Local command only |
| Ragmir Chat | Explicit verified model download, then local inference |
| Ragmir TTS | Local WAV by default; Edge MP3 sends narration text when selected |
Ragmir cannot protect a compromised machine, an untrusted local user, malicious installed dependencies, or passages deliberately sent to a cloud consumer.
Canonical source: SECURITY-HARDENING.md. Report vulnerabilities through the security policy, not a public issue.