
Security & Privacy

Memoria is designed with privacy-first principles. Your code never leaves your machine.

Local-Only Architecture

Memoria runs 100% locally on your machine. It makes no network requests and requires no API keys, accounts, or cloud services.

  • No code is uploaded to any server
  • No telemetry or analytics are collected
  • No external dependencies at runtime
  • Works completely offline

Open Source

Memoria is fully open source. You can audit the code yourself at github.com/byronwade/memoria

Data Access

Memoria accesses the following data on your local machine:

Git Repository Data

  • Commit history — Messages, authors, timestamps, and file lists
  • File diffs — Changes between commits for evidence display
  • Branch information — Current branch context

This data is read directly from your local .git directory using standard git commands. Memoria never modifies your git history.

Source Files

  • File contents — Read to detect imports and relationships
  • File metadata — Modification times for drift detection

File contents are only read, never modified. Memoria operates in read-only mode.

Configuration Files

  • .memoria.json — Your project-specific configuration
  • .gitignore — Patterns to exclude from analysis

Data Storage

Memoria stores minimal data locally for performance optimization:

Cache Location

Analysis results are cached in memory with a 5-minute TTL (time-to-live). The cache is cleared when:

  • The MCP server is restarted
  • The TTL expires (5 minutes)
  • The cache reaches its size limit (100 items)

You can customize the cache directory using the MEMORIA_CACHE_DIR environment variable.

No Persistent Storage

By default, Memoria does not write any persistent files. All analysis data exists only in memory during your session. When you restart your AI tool, the cache is cleared.

Permission Model

Memoria runs with the same permissions as your AI tool (Claude Desktop, Cursor, etc.):

Permission  | Scope                  | Purpose
Read files  | Project directory only | Analyze source code and imports
Execute git | Project directory only | Read commit history and diffs
Read .git   | Project directory only | Access repository metadata

Memoria cannot:

  • Access files outside the project directory
  • Modify any files or git history
  • Make network requests
  • Execute arbitrary code
  • Access other applications or system settings

Trust Model

When using Memoria with an AI assistant, consider this trust chain:

  1. You trust your AI tool (Claude Desktop, Cursor, etc.) to run MCP servers safely
  2. The AI tool trusts Memoria to provide accurate file analysis
  3. Memoria trusts your git history to contain accurate information about code changes

Memoria provides information to help the AI make better decisions, but the AI (and ultimately you) decide what actions to take.

Security Best Practices

For Users

  • Review changes — Always review AI-suggested changes before accepting them, regardless of Memoria's analysis
  • Use version control — Commit frequently so you can revert if needed
  • Check sensitive files — Add sensitive files to your .gitignore and .memoria.json ignore patterns

For Organizations

  • Audit the source — Review the Memoria codebase before deploying in sensitive environments
  • Pin versions — Use specific versions instead of npx -y @byronwade/memoria to avoid unexpected updates
  • Use global install — Install globally for better control over which version runs

# Pin to specific version
npm install -g @byronwade/memoria@1.0.0

# Verify installed version
memoria --version
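
One way to check the "Pin versions" advice across a team is to audit MCP client configuration for npx entries that do not name an exact version. The script below is an added example, not part of Memoria. It assumes the `mcpServers` layout with `command` and `args` fields used by common MCP clients, and the server names and sample config are constructed for illustration.

```javascript
// Added example: flag MCP server entries that launch a package via npx
// without an exact version. Sample config is constructed; the "mcpServers"
// shape (command + args) is an assumption about the client's config file.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    "memoria-unpinned": { command: "npx", args: ["-y", "@byronwade/memoria"] },
    "memoria-range": { command: "npx", args: ["-y", "@byronwade/memoria@^1.0.0"] },
    "memoria-tag": { command: "npx", args: ["-y", "@byronwade/memoria@latest"] },
    "memoria-pinned": { command: "npx", args: ["-y", "@byronwade/memoria@1.0.0"] },
    "memoria-global": { command: "memoria", args: [] },
  },
});

// Exact semver only (1.0.0, 1.0.0-beta.1, 1.0.0+build). Ranges and dist-tags fail.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" or "@scope/name@version"; a leading scope "@" is not a separator.
function parseSpec(spec) {
  const at = spec.indexOf("@", 1);
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Simplification: the first argument that is not a flag is taken as the package spec.
function auditServer(name, server) {
  const cmd = String(server.command || "").split(/[\\/]/).pop().replace(/\.(cmd|exe)$/i, "");
  if (cmd !== "npx") return { name, status: "not-npx" };
  const spec = (server.args || []).find((a) => !a.startsWith("-"));
  if (!spec) return { name, status: "no-package" };
  const { name: pkg, version } = parseSpec(spec);
  if (version === null) return { name, pkg, status: "unpinned" };
  if (!EXACT_VERSION.test(version)) return { name, pkg, version, status: "floating" };
  return { name, pkg, version, status: "pinned" };
}

function auditConfig(jsonText) {
  const servers = JSON.parse(jsonText).mcpServers || {};
  return Object.entries(servers).map(([name, s]) => auditServer(name, s));
}

for (const r of auditConfig(SAMPLE_CONFIG)) {
  const flag = r.status === "unpinned" || r.status === "floating" ? "REVIEW" : "ok";
  console.log(`${flag}\t${r.name}\t${r.status}\t${r.pkg || ""}${r.version ? "@" + r.version : ""}`);
}
```

Entries reported as "unpinned" or "floating" resolve to whatever version the registry serves at launch time, which is the unexpected-update case the pinning advice is meant to avoid.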

Sensitive Data Handling

Memoria automatically ignores common sensitive files and directories:

  • .env files (environment variables)
  • credentials.json, secrets.yaml
  • *.pem, *.key (certificates and keys)
  • Files in .gitignore

You can add additional ignore patterns in .memoria.json:

{
  "ignore": [
    "**/*.secret",
    "config/production/**",
    "internal/**"
  ]
}

Reporting Security Issues

If you discover a security vulnerability in Memoria:

  1. Do not open a public GitHub issue
  2. Email details to the maintainer directly (see GitHub profile)
  3. Include steps to reproduce the vulnerability
  4. Allow reasonable time for a fix before public disclosure

We take security seriously and will respond promptly to any reported issues.
