Security: DougTrier/MoreAI

Security Policy — More AI by Trier OS

Copyright © 2026 Doug Trier / Trier OS. All Rights Reserved.


Reporting a Vulnerability

DO NOT open a public Issue for a security vulnerability.

More AI handles API keys for commercial AI services and potentially sensitive content in the form of prompts, code, and session history. A disclosed vulnerability could expose keys, session data, or bridge agent endpoints on remote machines.

To report a vulnerability:

  1. Open a GitHub Security Advisory — Security tab → Advisories → Report a vulnerability
  2. Include: steps to reproduce, affected file path, and a suggested mitigation
  3. Response SLA: acknowledgement within 48 hours, patch or workaround within 14 days

The security architecture constraints are formally documented in governance/MoreAI Governance.md as invariants AI-1, AI-6, and SEC-1 through SEC-25.


Security Architecture

More AI is a local-first desktop application. Its security model is fundamentally different from that of a web application:

  • There is no server to compromise — the app runs entirely on the user's machine
  • There is no multi-tenant boundary — each install is single-user
  • The primary threat surfaces are: API key storage, outbound network requests to AI providers, and the bridge agent when deployed to remote machines

Threat Model

| Trust level | What |
| --- | --- |
| Trusted | Local user OS, OS credential vault (Keychain / Secret Service) |
| Semi-trusted | LAN bridge nodes (HTTPS + fingerprint pinning + Bearer token) |
| Untrusted | External AI APIs, all remote network traffic, raw model outputs |

API Key Security

Storage

API keys are encrypted with AES-256-GCM and stored in an isolated SQLite database (keys.db), separate from all other app data.

| Platform | Storage |
| --- | --- |
| Windows | AES-256-GCM encrypted SQLite (sole mechanism; Credential Manager not used) |
| macOS | Keychain Services (primary) → AES-256-GCM SQLite fallback |
| Linux | Secret Service / libsecret (primary) → AES-256-GCM SQLite fallback |

Windows note: The Windows Credential Manager does not reliably persist credentials between process restarts in this app's process isolation model. try_store_in_vault returns false on Windows unconditionally (#[cfg(windows)] return false), routing all storage through AES-256-GCM SQLite.

Key Handling Rules

  • SEC-1: Keys must never be serialized into any Tauri event payload
  • SEC-2: Keys must never appear in React state, props, or context
  • SEC-3: Keys must never be logged at any log level
  • SEC-4: api_key_ref in the models table is a reference ID only — never the key itself
  • SEC-5: The decrypted key exists in memory only for the duration of the HTTP request; dropped immediately after; never stored in an Arc, Mutex, or long-lived state
  • SEC-18: Encrypted at rest on all platforms (see table above)
  • SEC-19: Sensitive data is zeroized in memory after use (zeroize crate) to prevent memory scraping and crash dump leakage
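The following is an added, std-only illustration of SEC-3, SEC-5 and SEC-19 together (it is not the project's own type; the real code uses the zeroize crate): a wrapper for a decrypted key that redacts itself in Debug output, hands the plaintext out only inside a closure scoped to the request, and overwrites its buffer with volatile writes when dropped.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical wrapper for a decrypted API key (assumed name, not the project's).
/// It deliberately implements neither Clone nor Serialize, so it cannot be copied
/// into an event payload or long-lived state by accident (SEC-1, SEC-5).
pub struct ApiKey(Vec<u8>);

impl ApiKey {
    pub fn from_decrypted(bytes: Vec<u8>) -> Self {
        ApiKey(bytes)
    }

    /// Scoped access: the borrow lives only inside the closure, so the plaintext
    /// cannot outlive the HTTP request that needed it (SEC-5).
    pub fn with_key<R>(&self, f: impl FnOnce(&[u8]) -> R) -> R {
        f(&self.0)
    }
}

/// Debug output is redacted, so a stray `{:?}` in a log line prints no key
/// material at any log level (SEC-3).
impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "ApiKey([REDACTED, {} bytes])", self.0.len())
    }
}

/// Overwrite a buffer with zeros using volatile writes so the optimizer cannot
/// drop the stores as dead code; this is the core of what the zeroize crate does,
/// reimplemented here without dependencies (SEC-19).
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusive reference into `buf`.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Zeroize on drop: the key bytes are wiped as soon as the wrapper goes out of
/// scope at the end of the request, before a crash dump or scraper could see them.
impl Drop for ApiKey {
    fn drop(&mut self) {
        zeroize_bytes(&mut self.0);
    }
}
```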

Network Security

All outbound network requests are made from the Rust backend only — the React frontend has no direct network access.

Certificate Validation

| Endpoint | Protocol | Validation |
| --- | --- | --- |
| OpenAI / Anthropic / Google / etc. | HTTPS | System CA bundle; enforced, no bypass |
| Ollama / BitNet / llama.cpp | HTTP | Localhost (127.0.0.1) only; no cert required |
| Bridge Agent | HTTPS | Self-signed cert with pinned fingerprint |

SEC-6: danger_accept_invalid_certs and equivalent flags must never be used in production. Localhost is the only exception.

Bridge Agent Transport

| Property | Implementation |
| --- | --- |
| Protocol | HTTPS only; no plain HTTP on non-localhost |
| Certificate | Self-signed, generated on first run, fingerprint pinned in registry on both sides |
| Authentication | Bearer token required on every request |
| Data at rest | None; bridge is a pure relay |
| NAT traversal | Intentionally unsupported; STUN/TURN and public relays are prohibited |

  • SEC-7: Bridge agent rejects any request without a valid API key with HTTP 401
  • SEC-8: Bridge logs timestamp, source IP, model, token count — never prompt or response content
  • SEC-21: Per-IP rate limiting, token usage caps, and request size limits enforced
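As an added example of SEC-7 and SEC-8 (not the bridge agent's own code), here is a std-only request gate that rejects anything without the expected Bearer token with 401, compares tokens in constant time, and builds an audit line from a struct that has no field for prompt or response text, so content cannot reach the log by accident. The function and type names are assumptions.

```rust
use std::net::IpAddr;

/// Constant-time byte comparison so the token check does not leak how many
/// leading bytes matched through timing (std stand-in for a dedicated crate).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Auth gate for every bridge request (SEC-7): Ok means proceed, Err carries
/// the HTTP status to return. A missing header, a non-Bearer scheme, and a
/// wrong token all collapse to the same 401.
pub fn authorize(authorization_header: Option<&str>, expected_token: &str) -> Result<(), u16> {
    let presented = authorization_header
        .and_then(|h| h.strip_prefix("Bearer "))
        .unwrap_or("");
    if ct_eq(presented.as_bytes(), expected_token.as_bytes()) {
        Ok(())
    } else {
        Err(401)
    }
}

/// The only fields the bridge may log (SEC-8). Prompt and response content
/// deliberately have no place here.
pub struct AuditEntry<'a> {
    pub timestamp: &'a str, // RFC 3339 string supplied by the caller
    pub source_ip: IpAddr,
    pub model: &'a str,
    pub token_count: u32,
}

/// One metadata-only log line per request.
pub fn audit_line(e: &AuditEntry<'_>) -> String {
    format!(
        "ts={} ip={} model={} tokens={}",
        e.timestamp, e.source_ip, e.model, e.token_count
    )
}
```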

Prompt and Session Data

| Data | Location | Encryption |
| --- | --- | --- |
| Sessions (prompts + responses) | SQLite in app data directory | OS full-disk encryption (user responsibility) |
| Attachments / file context | In-memory only during session | Never persisted to disk |

  • SEC-9: Prompt content and AI responses are stored in plaintext SQLite. Users who require encryption at rest should enable OS-level full-disk encryption (BitLocker on Windows, FileVault on macOS).
  • SEC-10: IDE context injection sends file content to cloud AI providers. Users are responsible for not sending sensitive content to cloud providers. Local-only mode (Ollama, bridge) avoids this entirely.

Tauri Security Configuration

Content Security Policy

The production CSP is:

default-src 'self';
script-src 'self' blob: 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'self';

unsafe-eval is required — Monaco Editor (the VS Code engine used in the IDE) requires eval() for its worker scripts. This is a known, accepted tradeoff. Do not remove it without first replacing Monaco with an eval-free alternative.

blob: is required — the IDE module system loads agent-written panels via Blob URLs. Do not remove it without redesigning the module loader.

Rules

  • SEC-11: No other unsafe-* CSP directives are permitted
  • SEC-12: Tauri isolation mode remains enabled — it prevents the WebView from accessing Tauri internals directly and forces all backend calls through the command API
  • SEC-13: Capabilities are minimal — grant only permissions the app actually uses; no wildcard grants

Input Validation

  • SEC-16: All user input flowing into SQL queries uses SQLx parameterized bind parameters — never string interpolation
  • SEC-17: Model endpoint URLs are validated before use: must be parseable, HTTPS for non-localhost, not private/internal IP ranges unless explicitly user-approved for bridge
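An added, std-only sketch of the SEC-17 check (not the project's validator, which would normally use a URL-parsing crate): parse scheme and host, allow plain HTTP only for localhost, require HTTPS everywhere else, and reject RFC 1918, link-local and IPv6 unique-local targets unless the caller passes the user's explicit bridge approval. Names are assumptions; bare hostnames are passed through because resolution happens later.

```rust
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum EndpointError { Unparseable, PlainHttpOffLocalhost, PrivateRangeNotApproved }

/// Loopback targets that the HTTP exception applies to.
fn is_localhost(host: &str) -> bool {
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

/// Private / internal literal addresses: RFC 1918, 169.254/16, 0.0.0.0,
/// fc00::/7 (unique local), fe80::/10 (link local), and ::.
fn is_private_range(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => v4.is_private() || v4.is_link_local() || v4.is_unspecified(),
        Ok(IpAddr::V6(v6)) => {
            let seg0 = v6.segments()[0];
            v6.is_unspecified() || (seg0 & 0xfe00) == 0xfc00 || (seg0 & 0xffc0) == 0xfe80
        }
        Err(_) => false, // hostname: resolved later, outside this check
    }
}

/// Minimal `scheme://host[:port]/...` splitter; rejects userinfo and empty hosts.
fn split_scheme_host(raw: &str) -> Option<(String, String)> {
    let (scheme, rest) = raw.split_once("://")?;
    if scheme.is_empty() || !scheme.chars().all(|c| c.is_ascii_alphanumeric()) { return None; }
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') { return None; }
    let host = match authority.strip_prefix('[') {
        Some(bracketed) => bracketed.split_once(']')?.0.to_string(),
        None => authority.rsplit_once(':').map(|(h, _)| h).unwrap_or(authority).to_string(),
    };
    if host.is_empty() { return None; }
    Some((scheme.to_ascii_lowercase(), host))
}

/// SEC-17 as a decision function; returns the accepted host on success.
pub fn validate_endpoint(raw: &str, approved_for_bridge: bool) -> Result<String, EndpointError> {
    let (scheme, host) = split_scheme_host(raw).ok_or(EndpointError::Unparseable)?;
    if scheme != "http" && scheme != "https" { return Err(EndpointError::Unparseable); }
    if is_localhost(&host) { return Ok(host); } // Ollama / llama.cpp case
    if scheme != "https" { return Err(EndpointError::PlainHttpOffLocalhost); }
    if is_private_range(&host) && !approved_for_bridge {
        return Err(EndpointError::PrivateRangeNotApproved);
    }
    Ok(host)
}
```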

Supply Chain

  • SEC-23: Dependencies are audited with cargo audit (Rust) and npm audit (Node) before release
  • SEC-24: Release builds are signed where supported; future versions will include checksum verification for distributed binaries

Audit Logging

  • SEC-25: Audit logs contain metadata only — no sensitive data. Retention is user-controlled and configurable in Settings → Governance → Retention Policy.

Production Build Checklist

| Item | Check |
| --- | --- |
| Debug logging disabled | No sensitive data in release log output |
| DevTools disabled | tauri.conf.json devtools: false in production; re-enabled only in debug builds via #[cfg(debug_assertions)] |
| CSP enforced | Active and tested |
| API keys tested | Encrypted storage round-trip verified |
| Certificate validation | Confirmed active on all HTTPS endpoints |
| .env not bundled | Verified excluded from build artifacts |

Supported Versions

| Version | Security support |
| --- | --- |
| 1.0.8 (latest) | ✅ Active |
| 1.0.7 | ✅ Patches backported |
| 1.0.6 and earlier | ❌ Upgrade recommended |

More AI by Trier OS — Security Policy. Maintained by Doug Trier.