Skip to content

Security Hardening

Jean-Baptiste THERY edited this page Jul 18, 2026 · 3 revisions

Security hardening

Ragmir reduces document exposure by keeping its index and normal retrieval local. It is not a security certification and does not replace encrypted storage, operating-system isolation, or review of the consumer that receives retrieved passages.

Secure defaults

  • .ragmir/ is local generated state and should remain ignored by Git.
  • local-hash retrieval needs no model or network service.
  • Built-in redaction runs before indexing.
  • Secret-like filenames are skipped and unsupported files are reported.
  • Access logs store metadata and salted query identifiers, not raw prompts or retrieved text.
  • MCP tools advertise non-destructive behavior, and every tool or resource JSON response is byte-bounded. Search, ask, research, and evaluation conservatively advertise open-world behavior because explicitly enabled semantic models may download public weights. Tools that can append metadata-only logs or initialize local state use conservative read-only and idempotency hints.
  • Strict MCP diagnostics mask configured model, storage, source, and access-log paths. Evaluation returns a project-relative golden path and replaces operational errors with a generic message.
  • Remote model loading is disabled on the normal confidential path. Downloads require an explicit model preload or remote Transformers opt-in.

Check a workspace

rgr doctor
rgr audit --unsupported
rgr security-audit
rgr security-audit --strict

Run the strict audit before using a sensitive corpus. Keep the repository and .ragmir/ on encrypted storage when at-rest protection matters, and use one checkout per trust boundary.

Treat Git hosting or a team file-sync service as a separate trust boundary. rgr team sync fetches only the configured current-branch upstream, uses fast-forward only, and never uploads the corpus or .ragmir/ state. A Drive client or another synchronization tool follows its own access and retention policy. Synchronize source files, never an actively written .ragmir/storage/ directory.

Network boundaries

Capability Boundary
Core retrieval Local by default
Hosted consumer Returned passages follow that provider's data policy
Semantic embeddings Explicit model download, then local inference
OCR Local command only
Ragmir Chat Explicit verified model download, then local inference
Ragmir TTS Local WAV by default; Edge MP3 sends narration text when selected

Ragmir cannot protect a compromised machine, an untrusted local user, malicious installed dependencies, or passages deliberately sent to a cloud consumer.

Canonical source: SECURITY-HARDENING.md. Report vulnerabilities through the security policy, not a public issue.

Clone this wiki locally