If you discover a security vulnerability in Mnemon, please report it responsibly:
- Do NOT open a public GitHub issue.
- Use GitHub Security Advisories to report privately.
- Include steps to reproduce, affected versions, and potential impact.
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
Mnemon runs locally and stores data in ~/.mnemon/. Key security considerations:
- SQLite database — contains all stored insights; protected by filesystem permissions (`0644`).
- Hook scripts — shell scripts executed by the LLM CLI at lifecycle events; written with `0755` permissions.
- Ollama connection — optional HTTP calls to a local Ollama instance; no TLS by default. If `MNEMON_EMBED_ENDPOINT` is pointed at a remote server, traffic is unencrypted unless the endpoint uses HTTPS.
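
A local check of the three considerations above, as an added example (not part of Mnemon or its tooling). It assumes every file under `~/.mnemon/` is in scope and that "local" means the loopback names listed in `LOOPBACK`; the function names are hypothetical.

```python
import os
import stat
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumed definition of "local"


def audit_tree(root):
    """List (path, mode, reason) for files under root exposed beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Anyone who can rewrite a hook script runs code as the user.
                findings.append((path, oct(mode), "writable by group/other"))
            elif not (mode & stat.S_IXUSR) and (mode & stat.S_IROTH):
                # Data file (e.g. the 0644 database) readable by other accounts.
                findings.append((path, oct(mode), "readable by other users"))
    return findings


def audit_endpoint(url):
    """Return a warning if the endpoint is plain HTTP to a non-loopback host."""
    if not url:
        return None
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme == "https" or host in LOOPBACK:
        return None
    return f"{url}: unencrypted traffic to non-loopback host {host!r}"


if __name__ == "__main__":
    for path, mode, why in audit_tree(os.path.expanduser("~/.mnemon")):
        print(f"{mode} {path}: {why}")
    warning = audit_endpoint(os.environ.get("MNEMON_EMBED_ENDPOINT"))
    if warning:
        print(warning)
```

On a multi-user machine, a reported `0644` data file can be tightened with `chmod 600`, and the directory itself with `chmod 700`.
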
| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | Best effort |