
Security: mmaisel/wetware


SECURITY.md

Security Policy

Supported Versions

We actively support security updates for the following versions:

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take the security of Wetware seriously. If you discover a security vulnerability, please follow these steps:

How to Report

  1. DO NOT open a public GitHub issue for security vulnerabilities
  2. Email security reports to: [maintainer-email] (replace with actual email)
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)

What to Expect

  • Acknowledgment: We'll acknowledge receipt within 48 hours
  • Initial Assessment: We'll provide an initial assessment within 5 business days
  • Updates: We'll keep you informed of progress toward a fix
  • Resolution: We aim to resolve critical vulnerabilities within 30 days

Disclosure Policy

  • We follow coordinated disclosure principles
  • We'll work with you to understand the issue and develop a fix
  • We'll credit you for the discovery (unless you prefer to remain anonymous)
  • We'll publish a security advisory after the fix is released

Security Considerations

API Keys and Credentials

Wetware requires several API keys for operation:

  • Google API key for AI services
  • Readwise API token for content access

Important Security Practices:

  • Never commit API keys to version control
  • Use environment variables (.env file) for all credentials
  • Regularly rotate API keys
  • Use least-privilege access for API tokens

Data Storage

Wetware stores data locally:

  • Vector embeddings in ChromaDB
  • Paper metadata in SQLite databases
  • Obsidian vault access (read/write)

Security Measures:

  • All data remains on your local machine
  • No data is transmitted to external services except via configured APIs
  • Database files are excluded from version control

Network Security

Wetware makes network requests to:

  • Google Gemini API
  • Readwise API
  • ArXiv API (via MCP server)

Recommendations:

  • Monitor network traffic in sensitive environments
  • Use firewall rules to restrict outbound connections if needed
  • Validate SSL/TLS certificates for API endpoints

File System Access

Wetware requires:

  • Read access to Obsidian vault
  • Write access for Anki deck generation
  • Database file creation/modification

Best Practices:

  • Run with minimal required file system permissions
  • Regularly backup your Obsidian vault
  • Monitor file system changes in production environments

Known Security Considerations

Agent System

Wetware uses Google ADK for agent orchestration. Be aware that:

  • Agent prompts may contain research content from your notes
  • Prompts are sent to Google's Gemini API
  • Consider data sensitivity when configuring research topics

MCP Server

The MCP server exposes research tools to AI assistants:

  • Ensure MCP server is only accessible to intended clients
  • Monitor MCP tool usage in logs
  • Validate all input parameters to MCP tools

Obsidian Integration

  • Wetware reads from your Obsidian vault
  • Ensure vault permissions are properly configured
  • Consider using a dedicated research vault for sensitive work

Secure Configuration

Minimal .env Example

# Use dedicated API keys with minimal required permissions
GOOGLE_API_KEY=your_restricted_api_key
READWISE_API_TOKEN=your_readonly_token

# Use absolute paths and proper permissions
VAULT_PATH=/secure/path/to/vault
DB_PATH=/secure/path/to/wetware.db

# Avoid overly broad research steering
STEERING="Focus on public research topics"

# Exclude sensitive note patterns
NOTE_EXCLUSION_PATTERNS="Private/,Confidential/,Personal/"

Database Security

  • Ensure database files have appropriate file permissions (600)
  • Consider encrypting database files in sensitive environments
  • Regularly backup database files
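The Minimal .env Example and the Database Security points above can be turned into a small start-up check. The following is an added example and is not code from the Wetware project: it assumes the .env keys are read from the process environment, that NOTE_EXCLUSION_PATTERNS is a comma-separated list of vault-relative directory prefixes (the project's actual matching rules may differ), and that database and credential files should be owner-only (mode 600). The helper names are my own.

```python
"""Added example (not part of Wetware): pre-flight checks for the secure
configuration described in SECURITY.md.

Assumptions (not taken from the project): keys come from the environment,
NOTE_EXCLUSION_PATTERNS holds comma-separated vault-relative prefixes, and
database/credential files are expected to be mode 0600.
"""
import os
import stat
import tempfile
from pathlib import Path, PurePosixPath

# Keys the .env example above defines; empty values count as missing.
REQUIRED_KEYS = ("GOOGLE_API_KEY", "READWISE_API_TOKEN", "VAULT_PATH", "DB_PATH")


def missing_keys(env: dict) -> list:
    """Return the required keys that are absent or empty in the given mapping."""
    return [k for k in REQUIRED_KEYS if not env.get(k)]


def parse_exclusions(raw: str) -> list:
    """Turn 'Private/,Confidential/' into normalised directory prefixes.

    'Private', 'Private/' and './Private//' all become 'Private/'; blank
    entries (for example a trailing comma) are dropped.
    """
    prefixes = []
    for item in raw.split(","):
        item = item.strip().replace("\\", "/")
        if not item:
            continue
        norm = PurePosixPath(item).as_posix()  # collapses './' and '//'
        prefixes.append(norm.rstrip("/") + "/")
    return prefixes


def is_excluded(note_rel_path: str, prefixes: list) -> bool:
    """True if a vault-relative note path sits under an excluded directory.

    Matching is on whole directory components, so 'Private/' excludes
    'Private/notes.md' but not 'PrivateResearch/notes.md'. Absolute paths and
    paths containing '..' are treated as excluded rather than trusted, so a
    crafted path cannot reach outside the vault or past an excluded folder.
    """
    rel = PurePosixPath(note_rel_path.replace("\\", "/")).as_posix()
    if rel.startswith("/") or ".." in PurePosixPath(rel).parts:
        return True
    return any(rel.startswith(p) for p in prefixes)


def insecure_files(paths) -> dict:
    """Map each existing file to its octal mode if group/other have any access."""
    flagged = {}
    for p in paths:
        path = Path(p)
        if not path.exists():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            flagged[str(path)] = oct(mode)
    return flagged


def harden(path: str) -> None:
    """Restrict a database or .env file to its owner (mode 0600)."""
    os.chmod(path, 0o600)


def self_check() -> bool:
    """Constructed round-trip on a temp file: 0644 is flagged, 0600 after harden() is not."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        flagged = path in insecure_files([path])
        harden(path)
        clean = path not in insecure_files([path])
        return flagged and clean
    finally:
        os.unlink(path)


if __name__ == "__main__":
    env = dict(os.environ)
    print("missing keys:", missing_keys(env))
    prefixes = parse_exclusions(env.get("NOTE_EXCLUSION_PATTERNS", ""))
    print("exclusion prefixes:", prefixes)
    targets = [env.get("DB_PATH", "wetware.db"), ".env"]
    print("files readable by others:", insecure_files(targets))
```

Run it from the project directory after loading the .env file; a non-empty "files readable by others" line means the 600 recommendation above is not being met for that file, and harden() applies the fix. The exclusion helper deliberately treats '..' and absolute paths as excluded, since an exclusion list is only as good as its handling of paths that try to step around it.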

Security Updates

We will:

  • Promptly address reported security vulnerabilities
  • Release security patches for supported versions
  • Publish security advisories for confirmed vulnerabilities
  • Update dependencies to address known security issues

Dependencies

Wetware relies on several third-party packages. We:

  • Regularly update dependencies to latest secure versions
  • Monitor security advisories for all dependencies
  • Use tools like pip-audit to scan for known vulnerabilities

To check for security issues in your installation:

uv run pip-audit

Contact

For security-related questions or concerns:

  • Security issues: [security-email] (replace with actual email)
  • General questions: Open a GitHub issue or discussion

Thank you for helping keep Wetware secure!
