iai-mcp is pre-1.0 and experimental. Only the latest tagged release on main receives fixes. Older tags are not maintained.

Please do not open a public issue for defects that have security implications. This includes anything that could:

• Disclose stored memories to a third party.
• Allow recovery of data without the configured passphrase.
• Cause the daemon to execute arbitrary code from untrusted input.
• Bypass the local-only network posture.

Use GitHub Security Advisories on the repository:

https://github.com/CodeAbra/iai-mcp/security/advisories/new

Include:

• A description of the issue and its impact.
• Steps to reproduce, or a proof-of-concept if available.
• Affected version (iai-mcp --version).
• Your environment (macOS version, Python version).

You will receive an acknowledgement within a reasonable window. There is no formal SLA; this is a single-maintainer project. Reports are handled on a best-effort basis.

Once a fix is available, the advisory is published with credit to the reporter (unless anonymity is requested). Backports to older releases are not guaranteed.

iai-mcp runs locally and is designed around the following assumptions:

• The host machine is trusted. An attacker with local code execution as the user can read the encryption key (~/.iai-mcp/.key) and the unlocked store.
• The MCP host (Claude Code, Claude Desktop, etc.) is trusted. Captured turns include whatever content the host sends.
• No network exposure. The daemon listens on a UNIX socket only. Any change that adds a TCP listener, HTTP server, or remote sync is out of scope and should be discussed in a public issue first.

• Disclosure of stored records without the passphrase.
• Weakening of the AES-256-GCM encryption-at-rest (key derivation, nonce reuse, etc.).
• Arbitrary code execution triggered by captured content.
• Path traversal or unsafe file operations under ~/.iai-mcp/.
• Injection into the MCP wrapper that affects the host process.

• Social engineering of the user.
• Physical access to an unlocked machine.
• Defects requiring the user to manually set insecure file permissions on ~/.iai-mcp/.key.
• Denial-of-service against a single user's local daemon by their own process (the daemon is single-user by design).

• Records are encrypted at rest with AES-256-GCM via the cryptography library (pyca/cryptography).
• The key is derived from a user-provided passphrase using a standard KDF and stored at ~/.iai-mcp/.key with mode 0600.
• The OS keychain is used opportunistically via the keyring package on platforms where it is available.

Cryptographic primitives are intentionally not hand-rolled. If you spot a misuse of an existing primitive, please report via the advisory flow above.