This document outlines security procedures and policies for the Copilot Memory Store project.
Important: This project stores data locally in a JSON file. It does not transmit your memories to external servers (except optionally to DeepSeek for LLM compression, if configured).
| Version | Supported |
|---|---|
| 0.2.x | Yes |
| < 0.2 | No |
- Stores memories in a local JSON file on your machine
- Runs an MCP server that communicates via stdio (not network)
- Optionally calls DeepSeek API for LLM-assisted compression
Location: Configured via MEMORY_PATH environment variable
Default: project-memory.json (in project directory)
Format: Plain JSON (not encrypted)
| Aspect | Status | Notes |
|---|---|---|
| Data at rest | Not encrypted | JSON stored as plaintext |
| Data in transit | Local stdio | No network transmission (except optional DeepSeek) |
| Authentication | None | Local tool, no auth required |
| Access control | File system | Relies on OS file permissions |
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, report them via email:
Tim Warner Email: [email protected]
Please include:
- Description - What is the vulnerability?
- Impact - What could an attacker do?
- Steps to reproduce - How can we verify it?
- Affected versions - Which versions are impacted?
- Suggested fix (optional) - If you have ideas
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 1 week |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
- Acknowledgment - We'll confirm receipt of your report
- Communication - We'll keep you updated on progress
- Credit - You'll be credited in the fix (unless you prefer anonymity)
- No legal action - We won't pursue legal action for good-faith security research
```bash
# Recommended: Store memories outside of git-tracked directories
MEMORY_PATH=/Users/you/.copilot-memory/memories.json
# Or add to .gitignore
echo "*.memory.json" >> .gitignore
echo "project-memory.json" >> .gitignore
```

DO NOT store in memories:
- Passwords or API keys
- Personal identification numbers
- Financial information
- Private keys or tokens
- Confidential business data
Safe to store:
- Coding preferences
- Architectural decisions
- Project conventions
- Learning notes
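
The file is plaintext JSON protected only by OS file permissions, so the following added example (not part of the project's code) audits a memory file for both risks: access bits that let other local users read it, and stored strings that look like credentials. The names `findSecrets`, `isOwnerOnly`, `auditMemoryFile` and the patterns are hypothetical; no memory schema is assumed, and the permission check only applies on POSIX systems.

```javascript
const fs = require("node:fs");

// Constructed patterns for common secret shapes; extend them for your providers.
const SECRET_PATTERNS = [
  { name: "private key block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: "key/token/password assignment",
    re: /\b(api[_-]?key|secret|token|passw(or)?d)\b\s*[:=]\s*\S{8,}/i },
  { name: "bearer token", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{20,}/ },
];

// Walk any parsed JSON value and report strings that look like secrets.
// Every string at any depth is checked, so the store's schema does not matter.
function findSecrets(value, path = "$", hits = []) {
  if (typeof value === "string") {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(value)) hits.push({ path, kind: name });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findSecrets(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findSecrets(v, `${path}.${k}`, hits);
  }
  return hits;
}

// True when group and other have no access bits set (for example mode 0600).
function isOwnerOnly(mode) {
  return (mode & 0o077) === 0;
}

// Check the permissions and the content of one memory file.
function auditMemoryFile(file) {
  const problems = [];
  if (!isOwnerOnly(fs.statSync(file).mode)) {
    problems.push(`${file} is accessible to other users; run: chmod 600 ${file}`);
  }
  for (const hit of findSecrets(JSON.parse(fs.readFileSync(file, "utf8")))) {
    problems.push(`${hit.path} looks like a ${hit.kind}`);
  }
  return problems;
}

// Runs only when MEMORY_PATH is set, e.g. MEMORY_PATH=... node audit-memory.js
if (process.env.MEMORY_PATH) {
  const problems = auditMemoryFile(process.env.MEMORY_PATH);
  problems.forEach((p) => console.error(p));
  process.exitCode = problems.length ? 1 : 0;
}
```

A non-zero exit code makes the script usable as a pre-commit or CI check; pattern matching will miss secrets that do not follow these shapes, so it supplements the review rather than replacing it.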
If using LLM compression:
```bash
# Keep your API key secure
# Never commit .env files
echo ".env" >> .gitignore
echo ".env.local" >> .gitignore
```

When contributing:
- Sanitize inputs - Validate all tool inputs
- No eval() - Never execute arbitrary code
- Escape outputs - Prevent injection in formatted output
- Minimal dependencies - Fewer deps = smaller attack surface
```bash
# Check for vulnerabilities
npm audit
# Update dependencies regularly
npm update
```

This project is NOT designed for:
- Storing sensitive/confidential data
- Multi-user environments
- Production security-critical applications
- Compliance requirements (HIPAA, PCI, etc.)
This project is primarily for teaching and learning:
- Context engineering concepts
- MCP protocol development
- VS Code extension development
- LLM tool integration
Security features are intentionally minimal to keep the codebase accessible for learning.
- Review what data you plan to store
- Configure `MEMORY_PATH` to a secure location
- Add memory files to `.gitignore`
- Keep API keys in `.env` (not committed)
- Understand this is a local-only tool
- Review code for security implications
- Don't introduce network calls without discussion
- Validate all user inputs
- Document any security-relevant changes
For security questions that aren't vulnerabilities:
- Open a GitHub Discussion
- Email [email protected]
- Visit techtrainertim.com
This security policy was last updated: December 2024