This document outlines the security policy for SuperLocalMemory V2, including supported versions, vulnerability reporting procedures, and our privacy-first approach.

• Supported Versions
• Reporting Vulnerabilities
• Security Architecture
• Data Privacy
• Threat Model
• Best Practices
• Security Updates

• Active support: Latest 2.x release receives all security updates
• Legacy support: Previous major version (1.x) receives critical security fixes only
• End of life: Versions older than 1.x are no longer supported

Recommendation: Always use the latest 2.x release for best security.

We take security seriously. If you discover a security vulnerability, please report it responsibly.

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, follow these steps:

Use GitHub Security Advisories or email security details to the project maintainers.

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if available)
• Your contact information

We will acknowledge your report within 48 hours.

Our team will:

• Verify the vulnerability
• Assess severity and impact
• Develop a fix
• Test the fix thoroughly

Typical timeline: 5-10 business days

Once fixed:

• Security advisory published
• Fix released in new version
• Reporter credited (unless anonymity requested)

We use the following severity classification:

Critical:

• Remote code execution
• Privilege escalation
• Data exfiltration

High:

• Authentication bypass
• SQL injection
• Local privilege escalation

Medium:

• Information disclosure
• Denial of service
• Path traversal

Low:

• Minor information leaks
• Configuration issues

SuperLocalMemory V2 is designed with security and privacy as foundational principles.

Guarantee: The system makes zero external API calls or network requests.

Implementation:

• No telemetry
• No auto-updates
• No analytics
• No crash reporting to external services

All data stored locally:

• Database: ~/.claude-memory/memory.db
• Backups: ~/.claude-memory/backups/
• Profiles: ~/.claude-memory/profiles/
• Vectors: ~/.claude-memory/vectors/

No cloud synchronization by default.

Security relies on operating system:

• Unix/Linux: Standard file permissions (chmod 600)
• macOS: FileVault encryption (user responsibility)
• Windows: NTFS permissions

Recommendation:

# Secure database file
chmod 600 ~/.claude-memory/memory.db

# Secure entire directory
chmod 700 ~/.claude-memory/

Design decision: Authentication is handled by the OS.

Rationale:

• Single-user system (runs on local machine)
• OS-level user authentication sufficient
• No network exposure = no remote authentication needed

Multi-user environments:

• Use separate OS user accounts
• Each user gets isolated ~/.claude-memory/

User-provided data:

• Memory content (text you add)
• Tags and metadata
• Configuration settings

System-generated data:

• Timestamps
• Memory IDs
• Graph cluster information
• Learned patterns

NOT stored:

• Personally identifiable information (unless you add it)
• System information
• Usage analytics
• Telemetry

User Input → Local Storage → Processing → Local Output
     ↓
No external transmission at any stage

User control:

• Keep data forever (default)
• Delete selectively (per-memory deletion)
• Reset database (soft/hard reset options)
• Archive to cold storage (compression system)

Automatic deletion: None. All deletion is user-initiated.

For EU users:

• Right to access: Full access to all data (it is on your machine)
• Right to deletion: Use memory-reset commands
• Right to portability: Export database file
• Right to rectification: Edit memories directly

No data controller: You control your data completely.

Protection:

• SQLite ACID transactions
• Automatic backups before destructive operations
• Schema validation

Mitigations:

• Crash during write → Database rollback
• Corrupted data → Restore from backup
• Accidental deletion → Soft delete with recovery

Limited protection:

• Filesystem permissions (user responsibility)
• No application-level encryption (by design)

Recommendation: Use full-disk encryption (FileVault, LUKS, BitLocker).

Protection:

• Parameterized SQL queries (no string concatenation)
• Input validation
• No eval or exec on user input

Not protected:

• Attacker with physical access to machine
• Attacker with root/admin privileges
• Forensic data recovery from disk

Mitigation: Use full-disk encryption.

Not protected:

• Keyloggers
• Screen capture malware
• Filesystem-level malware

Mitigation: Standard OS security practices (antivirus, firewall).

Limited protection:

• Python standard library only (reduces dependency risk)
• Open source (code can be audited)
• No auto-updates (user initiates updates)

Risk: Compromised Python interpreter or OS.

macOS:

System Preferences → Security & Privacy → FileVault

Linux:

Use LUKS encryption during installation

Windows:

Control Panel → System and Security → BitLocker

# Lock down .claude-memory directory
chmod 700 ~/.claude-memory/

# Lock down database
chmod 600 ~/.claude-memory/memory.db

# Lock down backups
chmod 700 ~/.claude-memory/backups/

# Manual backup with timestamp
cp ~/.claude-memory/memory.db ~/Backups/memory-backup.db

DO NOT store:

• API keys
• Passwords
• Private keys
• Tokens
• Personal identification numbers

If you must:

• Use a dedicated password manager instead
• Or encrypt sensitive memories manually

Every PR must:

• Be reviewed by at least one maintainer
• Pass automated security checks
• Not introduce external dependencies without justification

Validate all user input before processing.

Always use parameterized SQL queries to prevent injection attacks.

• Never hardcode API keys
• Never commit credentials
• Use .gitignore for sensitive files

How you will be notified:

1. GitHub Security Advisories
2. Release notes (CHANGELOG.md)
3. Project discussions

What to do:

1. Read the security advisory
2. Assess impact on your system
3. Update to latest version
4. Verify fix is applied

# Backup current version
cp -r ~/.claude-memory ~/.claude-memory.backup

# Pull latest code
cd ~/path/to/SuperLocalMemoryV2-repo
git pull origin main

# Reinstall
./install.sh

# Verify version
memory-status

For users:

• Full-disk encryption enabled
• .claude-memory/ directory has restrictive permissions
• Regular backups configured
• No secrets stored in memories
• Using latest version

For developers:

• Code reviewed before merge
• No external dependencies without justification
• Input validation on user data
• Parameterized SQL queries
• No secrets in code or config

For security issues, please use GitHub Security Advisories or contact project maintainers directly.

Response Time:

• Acknowledgment: less than 48 hours
• Initial assessment: less than 5 business days
• Patch release: Varies by severity (critical: less than 7 days)

We appreciate responsible disclosure of security vulnerabilities.

Safe harbor:

• Good faith security research is welcomed
• We will not pursue legal action for responsible disclosure
• We request you do not publicly disclose until patch is available

SuperLocalMemory V2 is provided "as is" without warranty. See LICENSE for full terms.

User responsibility:

• Securing your system
• Enabling encryption
• Following best practices
• Keeping software updated

Security is a shared responsibility.

We build secure software. You secure your environment. Together we protect your data.