• ✅ Local-first - All data stored on your machine
• ✅ No cloud sync - Nothing leaves your computer (except API calls)
• ✅ SQLite database - Standard, auditable storage
• ✅ File-based vectors - JSON format, human-readable

• ✅ AES-256-GCM - Industry standard authenticated encryption
• ✅ PBKDF2 - Key derivation with 100,000 iterations
• ✅ Random IV/Salt - Different for each encrypted memory
• ✅ Secure key storage - File permissions 0o600 (owner only)

• ✅ Optional authentication - API key via header or query parameter
• ✅ Input validation - All inputs validated before processing
• ✅ No SQL injection - Parameterized queries
• ✅ CORS enabled - Can restrict origins if needed

• ✅ TypeScript strict mode - Type safety
• ✅ 83 tests - Comprehensive test coverage
• ✅ CI/CD - Automated testing on every commit
• ✅ No external dependencies for core encryption

No authentication required. The API is only accessible on localhost:3000.

Safe when:

• Running on local machine only
• Not exposing port 3000 to network
• Only you have access to the machine

Enable API authentication:

# Generate a secure API key
openssl rand -hex 32

# Add to .env
API_KEY=your-generated-key-here

# Restart API server
yarn api

Use in requests:

# Via header (recommended)
curl -H "X-API-Key: your-key" http://localhost:3000/api/memories

# Via query parameter
curl "http://localhost:3000/api/memories?api_key=your-key"

⚠️ Important:

• Never commit API keys to git
• Rotate keys periodically
• Use HTTPS in production (reverse proxy with nginx/Caddy)
• Consider IP whitelisting

Definitely encrypt:

• 🔒 Passwords and credentials
• 🔒 API keys and tokens
• 🔒 Social Security Numbers
• 🔒 Financial information
• 🔒 Medical records
• 🔒 Private conversations

Probably don't encrypt:

• 📖 General preferences ("I like dark mode")
• 📖 Public facts ("I work in Seattle")
• 📖 Non-sensitive experiences

Trade-off: Encrypted memories cannot be searched semantically.

Do:

• ✅ Backup encryption key in password manager
• ✅ Use strong passphrases (>20 characters)
• ✅ Store key file securely
• ✅ Never share encryption keys

Don't:

• ❌ Commit .key file to git
• ❌ Share encryption key via email/chat
• ❌ Store key in plaintext notes
• ❌ Reuse keys across systems

If you discover a security vulnerability:

1. DO NOT open a public GitHub issue
2. Email: ella@lesperance.dev (replace with your email)
3. Include:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We'll respond within 48 hours and work on a fix.

• Install on personal machine only
• Use localhost API (no network exposure)
• Enable encryption for sensitive data
• Regular backups (yarn cli export)
• Optional: Set API_KEY if paranoid

• Set strong API_KEY
• Use HTTPS (nginx/Caddy reverse proxy)
• Enable CORS restrictions
• Set up rate limiting
• Regular security audits
• Use separate database per user
• Consider adding user authentication

1. No user authentication - Single user system
2. Local storage - Not designed for multi-device sync
3. API keys in env - Not a secrets manager
4. In-memory cache - Cleared on restart

1. Use for personal/single-user only
2. Enable encryption for sensitive data
3. Set API_KEY if exposing to network
4. Regular backups
5. Keep software updated

# .env file (gitignored)
ENCRYPTION_KEY=...
API_KEY=...
ANTHROPIC_API_KEY=...

# Command line (visible in process list)
ENCRYPTION_KEY=abc123 yarn api

# Hardcoded (never do this)
const key = "my-secret-key";

The system makes API calls to:

1. Anthropic (Claude) - For conversation analysis

   • Data sent: Conversation text
   • Retention: Per Anthropic privacy policy
   • Optional: Can disable by not using extract features

2. OpenAI (Whisper) - For voice transcription

   • Data sent: Audio recordings
   • Retention: Per OpenAI privacy policy
   • Optional: Can disable by not using voice features

Privacy: If privacy is critical, don't use voice or conversation extraction features.

# Run on localhost only
PORT=3000 yarn api
# Accessible: http://localhost:3000

# 1. Set API key
API_KEY=$(openssl rand -hex 32)

# 2. Set up reverse proxy (nginx)
server {
  listen 443 ssl;
  server_name brain.yourdomain.com;
  
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/key.pem;
  
  location / {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

# 3. Enable firewall
sudo ufw allow 443/tcp
sudo ufw enable

Currently no audit logging. Future enhancement could add:

• Log all memory operations (add, update, delete)
• Log failed authentication attempts
• Log API access with timestamps
• Rotate logs automatically
• Alert on suspicious activity

This software is provided as-is for personal use. For compliance requirements (GDPR, HIPAA, etc.):

• ✅ Data stays local (GDPR right to data)
• ✅ User controls all data (GDPR right to deletion)
• ✅ Encryption available (data protection)
• ❌ No audit trail (not HIPAA compliant out-of-box)
• ❌ No multi-tenancy (not designed for organizations)

MIT License - See LICENSE file.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

Last Updated: October 8, 2025
Contact: Create an issue on GitHub for security questions.