Copyright © 2026 Doug Trier / Trier OS. All Rights Reserved.
DO NOT open a public Issue for a security vulnerability.
More AI handles API keys for commercial AI services and potentially sensitive content in the form of prompts, code, and session history. Disclosing a vulnerability publicly before a fix is available could expose keys, session data, or bridge agent endpoints on remote machines.
To report a vulnerability:
- Open a GitHub Security Advisory — Security tab → Advisories → Report a vulnerability
- Include: steps to reproduce, affected file path, and a suggested mitigation
- Response SLA: acknowledgement within 48 hours, patch or workaround within 14 days
The security architecture constraints are formally documented in governance/MoreAI Governance.md as invariants AI-1, AI-6, and SEC-1 through SEC-25.
More AI is a local-first desktop application. Its security model is fundamentally different from a web application:
- There is no hosted server to compromise: the app runs entirely on the user's machine (the optional bridge agent, covered below, is the only More AI component that accepts network connections)
- There is no multi-tenant boundary — each install is single-user
- The primary threat surfaces are: API key storage, outbound network requests to AI providers, and the bridge agent when deployed to remote machines
| Trust Level | What |
|---|---|
| Trusted | Local user OS, OS credential vault (Keychain / Secret Service) |
| Semi-trusted | LAN bridge nodes (HTTPS + fingerprint pinning + Bearer token) |
| Untrusted | External AI APIs, all remote network traffic, raw model outputs |
API keys are encrypted with AES-256-GCM and stored in an isolated SQLite database (keys.db), separate from all other app data.
| Platform | Storage |
|---|---|
| Windows | AES-256-GCM encrypted SQLite (sole mechanism — Credential Manager not used) |
| macOS | Keychain Services (primary) → AES-256-GCM SQLite fallback |
| Linux | Secret Service / libsecret (primary) → AES-256-GCM SQLite fallback |
Windows note: The Windows Credential Manager does not reliably persist credentials between process restarts in this app's process isolation model.
`try_store_in_vault` returns `false` on Windows unconditionally (`#[cfg(windows)] return false`), routing all storage through AES-256-GCM SQLite.
- SEC-1: Keys must never be serialized into any Tauri event payload
- SEC-2: Keys must never appear in React state, props, or context
- SEC-3: Keys must never be logged at any log level
- SEC-4: `api_key_ref` in the models table is a reference ID only — never the key itself
- SEC-5: The decrypted key exists in memory only for the duration of the HTTP request; it is dropped immediately afterwards and never stored in an `Arc`, `Mutex`, or long-lived state
- SEC-18: Encrypted at rest on all platforms (see table above)
- SEC-19: Sensitive data is zeroized in memory after use (`zeroize` crate) to prevent memory scraping and crash dump leakage
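The following is an added example of the SEC-3 / SEC-5 / SEC-19 handling pattern; it is not More AI's code. It hand-rolls the zeroize-on-drop wrapper with `std::ptr::write_volatile` instead of depending on the `zeroize` crate so that it compiles with the standard library alone. The names `SecretKey`, `with_api_key`, `RequestReceipt` and `fake_provider_call` are assumed for the example; the AES-256-GCM decrypt from keys.db and the HTTP client are stand-ins passed in as closures.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Owned secret bytes that are wiped on drop and never print themselves.
/// Hand-rolled stand-in for the `zeroize` crate's `Zeroizing<T>` (example only).
pub struct SecretKey(Vec<u8>);

impl SecretKey {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretKey(bytes)
    }

    /// Borrow the raw bytes. The borrow cannot outlive the `SecretKey`, so the
    /// key cannot be parked in an `Arc`, a `Mutex`, or long-lived app state.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }

    /// Overwrite every byte with zero through volatile writes so the optimizer
    /// cannot discard the stores as dead just because the buffer is about to be freed.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// SEC-3: a stray `{:?}` in a log line must print a placeholder, never the key.
impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretKey([REDACTED])")
    }
}

/// What leaves the request path: metadata only, nothing derived from the key.
#[derive(Debug, PartialEq)]
pub struct RequestReceipt {
    pub model: String,
    pub tokens_used: u32,
}

/// SEC-5 shape: resolve `api_key_ref` to a key, use it inside `send`, and drop
/// (wipe) it before the result propagates. `load_key` stands in for the
/// AES-256-GCM decrypt from keys.db and `send` for the HTTP call (assumed names).
pub fn with_api_key<R>(
    api_key_ref: &str,
    load_key: impl FnOnce(&str) -> Option<SecretKey>,
    send: impl FnOnce(&[u8]) -> R,
) -> Option<R> {
    let key = load_key(api_key_ref)?;
    let result = send(key.expose());
    drop(key); // zeroized here, before `result` is handed back
    Some(result)
}

/// Stand-in provider call (not the project's HTTP client). The full header
/// value contains the key, so it lives in a `SecretKey` and is wiped on drop.
pub fn fake_provider_call(key: &[u8], model: &str) -> RequestReceipt {
    let header = SecretKey::new([&b"Bearer "[..], key].concat());
    assert!(header.expose().starts_with(b"Bearer "));
    // ... the request would be sent here; `header` drops (and is wiped) at end of scope ...
    RequestReceipt { model: model.to_string(), tokens_used: 42 }
}
```

Because `expose()` hands out a borrow tied to the `SecretKey`, the compiler rejects any attempt to move the key into an `Arc`, `Mutex` or `static` while keeping it scoped to the request, and the `Debug` impl means an accidental `{:?}` prints a placeholder rather than the key. Note that wiping covers the heap buffer the wrapper owns; copies the allocator or a string conversion might leave elsewhere are outside its reach, which is why the header value above is also wrapped.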
All outbound network requests are made from the Rust backend only — the React frontend has no direct network access.
| Endpoint | Protocol | Validation |
|---|---|---|
| OpenAI / Anthropic / Google / etc. | HTTPS | System CA bundle — enforced, no bypass |
| Ollama / BitNet / llama.cpp | HTTP | Localhost (127.0.0.1) only — no cert required |
| Bridge Agent | HTTPS | Self-signed cert with pinned fingerprint |
SEC-6: danger_accept_invalid_certs and equivalent flags must never be used in production. Localhost is the only exception.
| Property | Implementation |
|---|---|
| Protocol | HTTPS only — no plain HTTP on non-localhost |
| Certificate | Self-signed, generated on first run, fingerprint pinned in registry on both sides |
| Authentication | Bearer token required on every request |
| Data at rest | None — bridge is a pure relay |
| NAT traversal | Intentionally unsupported — STUN/TURN and public relays are prohibited |
- SEC-7: Bridge agent rejects any request that does not carry a valid Bearer token with HTTP 401
- SEC-8: Bridge logs timestamp, source IP, model, token count — never prompt or response content
- SEC-21: Per-IP rate limiting, token usage caps, and request size limits enforced
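An added, self-contained model of the bridge agent's admission path (SEC-7, SEC-8, SEC-21), not the project's code: request size and the per-IP rate limit are checked before the Bearer token, the token comparison is constant-time, and the audit line has no parameter through which prompt or response text could reach the log. `BridgeRequest`, `BridgeAgent`, `RateLimiter`, `Reject` and `audit_line` are names assumed for the example; the request, token and timestamps are constructed.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// One inbound bridge request, reduced to the fields the gate needs (constructed).
#[derive(Clone, Copy)]
pub struct BridgeRequest<'a> {
    pub source_ip: IpAddr,
    pub authorization: Option<&'a str>, // raw Authorization header, if any
    pub model: &'a str,
    pub body_len: usize,
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    PayloadTooLarge, // HTTP 413 (SEC-21 request size limit)
    TooManyRequests, // HTTP 429 (SEC-21 per-IP rate limit)
    Unauthorized,    // HTTP 401 (SEC-7)
}

/// Constant-time comparison: the loop never exits early, so timing does not
/// reveal how many leading bytes of a guessed token were correct.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Fixed-window counter per source IP. `now_secs` is injected rather than
/// read from the clock so the behaviour is deterministic and testable.
pub struct RateLimiter {
    max_per_window: u32,
    window_secs: u64, // must be > 0
    buckets: HashMap<IpAddr, (u64, u32)>, // ip -> (window start, requests seen)
}

impl RateLimiter {
    pub fn new(max_per_window: u32, window_secs: u64) -> Self {
        RateLimiter { max_per_window, window_secs, buckets: HashMap::new() }
    }

    pub fn allow(&mut self, ip: IpAddr, now_secs: u64) -> bool {
        let window = now_secs - now_secs % self.window_secs;
        let entry = self.buckets.entry(ip).or_insert((window, 0));
        if entry.0 != window {
            *entry = (window, 0);
        }
        if entry.1 >= self.max_per_window {
            return false;
        }
        entry.1 += 1;
        true
    }
}

pub struct BridgeAgent {
    token: Vec<u8>, // the bridge's own Bearer token, never a provider key
    max_body: usize,
    limiter: RateLimiter,
}

impl BridgeAgent {
    pub fn new(token: &str, max_body: usize, limiter: RateLimiter) -> Self {
        BridgeAgent { token: token.as_bytes().to_vec(), max_body, limiter }
    }

    /// Size and rate limit are applied before the token check, so a flood of
    /// unauthenticated requests is bounded and cannot brute-force the token at
    /// line rate; the token itself is compared in constant time.
    pub fn admit(&mut self, req: &BridgeRequest, now_secs: u64) -> Result<(), Reject> {
        if req.body_len > self.max_body {
            return Err(Reject::PayloadTooLarge);
        }
        if !self.limiter.allow(req.source_ip, now_secs) {
            return Err(Reject::TooManyRequests);
        }
        let presented = req
            .authorization
            .and_then(|h| h.strip_prefix("Bearer "))
            .ok_or(Reject::Unauthorized)?;
        if !ct_eq(presented.as_bytes(), &self.token) {
            return Err(Reject::Unauthorized);
        }
        Ok(())
    }
}

/// SEC-8 audit line: timestamp, source IP, model, token count. Prompt and
/// response text are not parameters, so they cannot end up in the log.
pub fn audit_line(ts_secs: u64, ip: IpAddr, model: &str, tokens: u32) -> String {
    format!("ts={} ip={} model={} tokens={}", ts_secs, ip, model, tokens)
}
```

The fixed window is deliberately simple; a production limiter would also evict idle buckets so the map cannot grow without bound under a spoofed-source flood.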
| Data | Location | Encryption |
|---|---|---|
| Sessions (prompts + responses) | SQLite in app data directory | OS full-disk encryption (user responsibility) |
| Attachments / file context | In-memory only during session | Never persisted to disk |
- SEC-9: Prompt content and AI responses are stored in plaintext SQLite. Users who require encryption at rest should enable OS-level full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS/dm-crypt on Linux).
- SEC-10: IDE context injection sends file content to the configured AI provider; with a cloud provider that content leaves the machine. Users are responsible for not sending sensitive content to cloud providers. Local-only mode (Ollama, or a bridge node on the LAN) keeps content on the local machine or the LAN.
The production CSP is:

```
default-src 'self';
script-src 'self' blob: 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'self';
```
unsafe-eval is required — Monaco Editor (the VS Code engine used in the IDE) requires eval() for its worker scripts. This is a known, accepted tradeoff. Do not remove it without first replacing Monaco with an eval-free alternative.
blob: is required — the IDE module system loads agent-written panels via Blob URLs. Do not remove it without redesigning the module loader.
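As an added example (not project code) of the "CSP enforced: active and tested" release check and of SEC-11: a small linter that parses the production CSP string and reports any `'unsafe-*'` source other than the two documented exceptions, any wildcard or remote source, a missing `default-src`, and a `connect-src` other than `'self'` (the frontend has no direct network access). `parse_csp`, `lint_csp`, `ALLOWED_UNSAFE` and `PRODUCTION_CSP` are names chosen for the example; the drifted policy checked in the test is constructed.

```rust
use std::collections::BTreeMap;

/// Parse a serialized CSP into directive name -> source expressions.
pub fn parse_csp(csp: &str) -> BTreeMap<String, Vec<String>> {
    let mut policy = BTreeMap::new();
    for directive in csp.split(';') {
        let mut parts = directive.split_whitespace();
        if let Some(name) = parts.next() {
            policy.insert(name.to_ascii_lowercase(), parts.map(str::to_string).collect());
        }
    }
    policy
}

/// The only `'unsafe-*'` sources the policy tolerates: the two documented
/// exceptions (Monaco's eval, inline styles). Everything else is a finding.
const ALLOWED_UNSAFE: &[(&str, &str)] = &[("script-src", "'unsafe-eval'"), ("style-src", "'unsafe-inline'")];

/// Return every deviation from the documented production CSP; empty means compliant.
pub fn lint_csp(csp: &str) -> Vec<String> {
    let policy = parse_csp(csp);
    let mut findings = Vec::new();
    for (directive, sources) in &policy {
        for src in sources {
            let tolerated = ALLOWED_UNSAFE.contains(&(directive.as_str(), src.as_str()));
            if src.starts_with("'unsafe-") && !tolerated {
                findings.push(format!("{} permits {}", directive, src));
            }
            // Wildcards and remote origins would let the WebView reach past the Rust backend.
            if src == "*" || src.starts_with("http:") || src.starts_with("https:") {
                findings.push(format!("{} allows remote or wildcard source {}", directive, src));
            }
        }
    }
    if !policy.contains_key("default-src") {
        findings.push("default-src is missing, so any fetch directive not listed is unrestricted".to_string());
    }
    // All outbound traffic goes through the Rust backend; the WebView may only talk to itself.
    let connect_self_only = matches!(policy.get("connect-src"), Some(s) if s.len() == 1 && s[0] == "'self'");
    if !connect_self_only {
        findings.push("connect-src must be exactly 'self'".to_string());
    }
    findings
}

/// The production CSP from this policy, as one string for the check.
pub const PRODUCTION_CSP: &str = "default-src 'self'; script-src 'self' blob: 'unsafe-eval'; \
    style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self';";
```

Running `lint_csp` over the CSP string read from `tauri.conf.json` in a release test turns the checklist item into something that fails the build when the policy drifts.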
- SEC-11: No other `unsafe-*` CSP directives are permitted
- SEC-12: Tauri isolation mode remains enabled — it prevents the WebView from accessing Tauri internals directly and forces all backend calls through the command API
- SEC-13: Capabilities are minimal — grant only permissions the app actually uses; no wildcard grants
- SEC-16: All user input flowing into SQL queries uses SQLx parameterized bind parameters — never string interpolation
- SEC-17: Model endpoint URLs are validated before use: must be parseable, HTTPS for non-localhost, not private/internal IP ranges unless explicitly user-approved for bridge
- SEC-23: Dependencies are audited with `cargo audit` (Rust) and `npm audit` (Node) before release
- SEC-24: Release builds are signed where supported; future versions will include checksum verification for distributed binaries
- SEC-25: Audit logs contain metadata only — no sensitive data. Retention is user-controlled and configurable in Settings → Governance → Retention Policy.
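SEC-17 and the endpoint table above, as an added example that is not part of More AI: a standard-library-only validator that classifies a model endpoint URL as loopback, bridge or public and applies the stated rules (parseable; HTTPS unless loopback; internal ranges only when the user has approved the host as a bridge node). Assumptions beyond the page: the hostname `localhost` and `::1` are treated the same as 127.0.0.1; CGNAT (100.64.0.0/10), link-local and IPv6 ULA ranges count as internal; IPv4-mapped IPv6 literals are unmapped before the range check. `validate_endpoint`, `Endpoint`, `EndpointKind` and `EndpointError` are names chosen for the example.

```rust
use std::net::{IpAddr, Ipv4Addr};

#[derive(Debug, PartialEq)]
pub enum EndpointKind {
    Localhost, // plain http allowed, no certificate required
    Bridge,    // internal-range host: https + pinned fingerprint, user-approved
    Public,    // cloud provider: https validated against the system CA bundle
}

#[derive(Debug, PartialEq)]
pub enum EndpointError { Unparseable, UnsupportedScheme, PlainHttpOffLocalhost, PrivateRangeNotApproved }

#[derive(Debug, PartialEq)]
pub struct Endpoint { pub scheme: String, pub host: String, pub port: u16, pub kind: EndpointKind }

/// Split `scheme://host[:port][/path]` with the standard library only. Bracketed
/// IPv6 hosts are accepted; userinfo (`user@host`) is rejected outright because
/// it is a classic way to disguise the real host.
fn split_url(url: &str) -> Option<(String, String, Option<u16>)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    let (host, port) = if let Some(inner) = authority.strip_prefix('[') {
        let (h, after) = inner.split_once(']')?;
        (h, if after.is_empty() { None } else { Some(after.strip_prefix(':')?) })
    } else if let Some((h, p)) = authority.rsplit_once(':') {
        (h, Some(p))
    } else {
        (authority, None)
    };
    let port = match port { Some(p) => Some(p.parse::<u16>().ok()?), None => None };
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase(), port))
}

fn is_valid_hostname(host: &str) -> bool {
    host.len() <= 253 && !host.is_empty() && host.split('.').all(|label| {
        !label.is_empty() && label.len() <= 63 && !label.starts_with('-')
            && !label.ends_with('-') && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
    })
}

/// Fold IPv4-mapped IPv6 (`::ffff:a.b.c.d`) back to IPv4 so a private IPv4
/// address cannot slip past the range check by being written in IPv6 form.
fn unmap(ip: IpAddr) -> IpAddr {
    if let IpAddr::V6(v6) = ip {
        let s = v6.segments();
        if s[..5] == [0; 5] && s[5] == 0xffff {
            let (a, b) = (s[6], s[7]);
            return IpAddr::V4(Ipv4Addr::new((a >> 8) as u8, a as u8, (b >> 8) as u8, b as u8));
        }
    }
    ip
}

/// Ranges that are never a cloud provider: RFC 1918, link-local, CGNAT,
/// unspecified, and IPv6 ULA / link-local.
fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            v4.is_unspecified() || o[0] == 10 || (o[0] == 172 && (16..=31).contains(&o[1]))
                || (o[0] == 192 && o[1] == 168) || (o[0] == 169 && o[1] == 254)
                || (o[0] == 100 && (64..=127).contains(&o[1]))
        }
        IpAddr::V6(v6) => {
            let s0 = v6.segments()[0];
            v6.is_unspecified() || (s0 & 0xfe00) == 0xfc00 || (s0 & 0xffc0) == 0xfe80
        }
    }
}

/// SEC-17: parseable, https unless loopback, and no internal range unless the
/// user has explicitly approved this host as a bridge node.
pub fn validate_endpoint(url: &str, bridge_approved: bool) -> Result<Endpoint, EndpointError> {
    let (scheme, host, port) = split_url(url).ok_or(EndpointError::Unparseable)?;
    let ip = host.parse::<IpAddr>().ok().map(unmap);
    if ip.is_none() && !is_valid_hostname(&host) {
        return Err(EndpointError::Unparseable);
    }
    let default_port = match scheme.as_str() {
        "http" => 80,
        "https" => 443,
        _ => return Err(EndpointError::UnsupportedScheme),
    };
    let loopback = host == "localhost" || ip.map_or(false, |ip| ip.is_loopback());
    let kind = if loopback {
        EndpointKind::Localhost
    } else if scheme != "https" {
        return Err(EndpointError::PlainHttpOffLocalhost);
    } else if ip.map_or(false, is_internal) {
        if !bridge_approved { return Err(EndpointError::PrivateRangeNotApproved); }
        EndpointKind::Bridge
    } else {
        EndpointKind::Public
    };
    Ok(Endpoint { scheme, host, port: port.unwrap_or(default_port), kind })
}
```

The check runs on the literal host only. A hostname that resolves to a private address at connect time (DNS rebinding) is not caught here and needs a second check on the resolved address inside the HTTP client.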
| Item | Check |
|---|---|
| Debug logging disabled | No sensitive data in release log output |
| DevTools disabled | tauri.conf.json devtools: false in production; re-enabled only in debug builds via #[cfg(debug_assertions)] |
| CSP enforced | Active and tested |
| API keys tested | Encrypted storage round-trip verified |
| Certificate validation | Confirmed active on all HTTPS endpoints |
| .env not bundled | Verified excluded from build artifacts |
| Version | Security support |
|---|---|
| 1.0.8 (latest) | ✅ Active |
| 1.0.7 | ✅ Patches backported |
| 1.0.6 and earlier | ❌ Upgrade recommended |
More AI by Trier OS — Security Policy Maintained by Doug Trier