Security Architecture
This document describes the security architecture, controls, and operational procedures that govern Context Pilot's design and deployment. Context Pilot is engineered to eliminate entire categories of security risk through architectural decisions rather than compensating controls.
1. Data Flow Architecture
Context Pilot employs a strictly local-first architecture. All computation, state management, and file operations execute on the operator's workstation. No Context Pilot-operated servers, proxies, or intermediary services exist in the data path.
No intermediary proxy
LLM API requests are transmitted directly from the operator's machine to the configured provider endpoint. Context Pilot does not operate relay servers, API gateways, or request-forwarding infrastructure of any kind.
Operator-controlled network egress
All outbound network connections are initiated by the operator through explicit configuration (API key provisioning). The software makes no network calls that are not directly attributable to a user-configured service integration.
Local-only persistence
All application state — conversation history, entity databases, memory stores, configuration, and search indices — is persisted to the local filesystem under .context-pilot/ within the project directory. No state is synchronized to external services.
Offline capability
Core functionality — file management, search indexing, memory systems, entity databases, and conversation management — operates without network connectivity. Only LLM inference, web search, web scraping, and OCR require external API access, all of which are user-initiated.
2. Integrity Controls
Context Pilot implements multiple layers of integrity verification to ensure that critical configuration and security-relevant files have not been modified without authorization.
SHA-256 Hash Chain Verification
ImplementedTwelve critical files — including lint configurations, CI pipeline definitions, deployment scripts, and security exception registries — are protected by a SHA-256 hash chain. Each chain entry records the cryptographic hash of the protected file set, creating a tamper-evident audit trail. Unauthorized modifications to any protected file are detected automatically during verification.
Lint Enforcement
Implemented
The codebase enforces 980 Rust compiler and Clippy lints at the forbid level and 21 additional lints at the deny level. Lint suppressions (#[allow(...)]) are prohibited project-wide; exceptions require registration in a tracked exception file that is itself part of the hash chain. This prevents silent introduction of unsafe patterns.
Structural Enforcement
ImplementedAutomated CI and pre-commit callbacks enforce a maximum of 500 lines per source file and 8 entries per directory. These constraints promote code modularity and ensure that security-sensitive logic is isolated into reviewable units rather than embedded in large, complex files.
3. Access and Authentication Model
Context Pilot's access model reflects its local-first architecture. There are no user accounts, no authentication tokens issued by Context Pilot, and no multi-tenant isolation requirements.
Credential management
API keys are stored in a local .env file or system environment variables. Each credential is transmitted only to its designated provider endpoint. No credential is ever transmitted to Context Pilot infrastructure (which does not exist) or shared across providers.
Filesystem-scoped access
The agent operates within the boundaries of its project directory. File system access is confined to the project root and its subdirectories. Path traversal protections are enforced at the API level for all file operations exposed through the orchestration backend.
SSE ticket system
The orchestration backend's Server-Sent Events endpoint is protected by single-use, time-limited tickets (30-second TTL, cryptographically random 256-bit tokens). This prevents confused-deputy and DNS rebinding attacks against the localhost-bound HTTP server.
4. Incident Response
As an open-source, locally-deployed tool, Context Pilot's incident response model differs from cloud-hosted services. Security issues are addressed through the project's responsible disclosure program.
Responsible Disclosure Program
ActiveSecurity vulnerabilities should be reported through GitHub's Security Advisory feature. Reports are triaged promptly. Critical vulnerabilities affecting data confidentiality or integrity are prioritized for patch release within the current development cycle.
Dependency Management
AutomatedGitHub Dependabot monitors all dependencies (Rust crates and npm packages) for known vulnerabilities. CodeQL static analysis runs on every push and pull request to the main branch, detecting common vulnerability patterns including injection flaws, path traversal, and unsafe memory operations.
Release Integrity
ImplementedRelease binaries are built exclusively through the CI/CD pipeline (GitHub Actions) from the audited source tree. Build artifacts are published as GitHub Releases with provenance metadata. The release workflow is itself a protected file within the hash chain, preventing unauthorized modifications to the build process.
5. Business Continuity
Context Pilot's local-first architecture provides inherent resilience against service disruptions.
No single point of failure
Because Context Pilot has no cloud backend, there is no centralized service whose outage would affect all users. Each deployment is fully independent. LLM provider outages degrade AI inference only; all other functionality continues uninterrupted.
Data portability
All state is stored in standard formats (YAML, SQLite, plain text) on the local filesystem. No proprietary encoding, no cloud-locked storage. Data can be backed up, restored, or migrated using standard filesystem tools.
Multi-provider support
Context Pilot supports multiple LLM providers (Anthropic, OpenAI, Google, Mistral). If one provider experiences an outage, operators can switch to an alternative without data loss or workflow disruption.
6. Supply Chain Security
Context Pilot treats supply chain integrity as a first-class security concern. All third-party dependencies are audited, pinned, and continuously monitored.
Dependency Pinning & Reproducibility
Implemented
All Rust dependencies are pinned via Cargo.lock (committed to version control). All JavaScript dependencies are pinned via pnpm-lock.yaml. Both lockfiles are tracked in the repository, ensuring bit-for-bit reproducible builds across environments and time. No floating version ranges are used for production dependencies.
Vendored Cryptographic Libraries
Implemented
OpenSSL is compiled from vendored source (openssl-src crate with the vendored feature flag) rather than linked against system-installed versions. This eliminates dependency on the host system's OpenSSL installation, prevents version mismatches, and ensures a known-good cryptographic library is included in every build regardless of deployment environment.
Continuous Dependency Monitoring
AutomatedGitHub Dependabot continuously monitors both the Rust crate dependency tree and the npm package dependency tree for known vulnerabilities. Security advisories trigger automated pull requests with updated dependency versions. Critical and high-severity advisories are reviewed and addressed within the current development cycle.
License Compliance Audit
CleanAll direct and transitive dependencies use permissive open-source licenses (MIT, Apache 2.0, BSD, ISC, Zlib). No copyleft (GPL, LGPL, AGPL), proprietary, or otherwise restrictive licenses exist in the dependency tree. This is verified periodically and can be independently reproduced by any party using the committed lockfiles.
| Supply Chain Control | Mechanism | Verification |
|---|---|---|
| Dependency pinning | Cargo.lock + pnpm-lock.yaml committed |
Reproducible builds from any commit |
| Vulnerability scanning | GitHub Dependabot (Rust + npm) | Continuous, automated PR creation |
| Static analysis | CodeQL on every push/PR | GitHub Advanced Security dashboard |
| License audit | Permissive-only policy (MIT/Apache/BSD) | Lockfile inspection |
| Cryptographic library | Vendored OpenSSL (compiled from source) | Cargo.toml vendored feature flag |
| Build provenance | GitHub Actions CI/CD (pinned runners) | Build logs + artifact checksums in releases |
7. Encryption
Context Pilot's encryption posture reflects its local-first architecture. All external communications use industry-standard transport encryption. Local data storage relies on the operator's filesystem-level encryption.
Data in transit
All external API communications use TLS 1.2 or higher, enforced by the underlying HTTP client library (reqwest/rustls or vendored OpenSSL). Certificate validation is enabled by default and is not user-configurable — there is no option to disable TLS verification or accept self-signed certificates for production API endpoints.
Data at rest
Local data is stored in standard file formats (YAML, SQLite, plain text) on the operator's filesystem. Context Pilot does not implement application-level encryption for local data. Encryption at rest is deferred to the operator's OS-level disk encryption (FileVault, BitLocker, LUKS, etc.), which is the industry standard for locally-deployed tools.
Credential handling
API keys are loaded from environment variables or local .env files at startup. They are held in process memory only for the duration of the application's runtime. Credentials are never written to log files, conversation history, entity databases, or any other persistent store. Each credential is transmitted only over TLS to its designated provider endpoint.
No custom cryptography
Context Pilot does not implement custom cryptographic algorithms or protocols. All cryptographic operations (TLS, SHA-256 hash chain verification) use well-established, audited libraries. The SHA-256 hash chain uses Rust's sha2 crate, a pure-Rust implementation of the NIST-standardized algorithm.
8. Network Architecture
Context Pilot's network posture is minimal by design. The application makes no unsolicited network connections and exposes no internet-facing services.
No Inbound Internet Connections
By Design
Context Pilot does not listen on any network-accessible port by default. The orchestration backend binds exclusively to the loopback interface (127.0.0.1:7878), making it unreachable from the network. The Meilisearch sidecar similarly binds to loopback only. No port forwarding, firewall rules, or network configuration is required or recommended.
Outbound Connections: Explicit & Enumerable
Operator-ControlledEvery outbound network connection is attributable to a specific, operator-configured service integration. The complete list of possible outbound destinations is documented in the Subprocessor Register. No connection is made to any endpoint not explicitly configured by the operator. There are zero "phone home," analytics, crash reporting, or update-check connections.
Confused Deputy & DNS Rebinding Defense
Implemented
The localhost HTTP server is protected against confused-deputy attacks (malicious websites making requests to localhost:7878 via the user's browser) through a single-use, time-limited ticket system. SSE stream connections require a ticket minted by a prior authenticated REST call. Tickets are cryptographically random (256-bit, /dev/urandom), expire after 30 seconds, and are consumed on first use. This defense is necessary because CORS alone cannot prevent DNS rebinding attacks against localhost services.
Path Traversal Protection
Implemented
All file system operations exposed through the HTTP API are confined to the agent's project directory ("realm"). A confined_path() function canonicalizes and validates every path parameter, rejecting any request that would access files outside the designated directory. This prevents directory traversal attacks via ../ sequences, symlinks, or encoded path separators. Violations return HTTP 403.
| Attack Vector | Mitigation | Implementation |
|---|---|---|
| Remote network access | Loopback-only binding | 127.0.0.1 for orchestrator + Meilisearch |
| Confused deputy (CSRF/DNS rebind) | Single-use SSE tickets | 256-bit random, 30s TTL, consumed on use |
| Path traversal | Realm-confined file access | confined_path() canonicalization + 403 rejection |
| Unauthorized data exfiltration | No telemetry, no outbound except configured APIs | Verifiable via source code audit |
| Man-in-the-middle | Mandatory TLS for all external calls | reqwest + certificate validation (non-configurable) |
9. Change Management
All changes to Context Pilot's codebase follow a structured development process with multiple automated verification gates.
Version control
All source code is managed in a Git repository hosted on GitHub. The complete history of every change, including author identity, timestamps, and commit messages, is preserved and publicly auditable. The repository has accumulated over 760 commits across 22 crates and 65,000+ lines of Rust and TypeScript.
Continuous integration
Every push and pull request to the main branch triggers automated CI checks: rustfmt (formatting), clippy (lint analysis with 1001 rules), cargo build (compilation), cargo test (unit + integration tests), and CodeQL (security analysis). Builds are tested on Ubuntu and pinned to a specific Rust toolchain version (1.93.0) for reproducibility.
Cryptographic change protection
Twelve critical files are protected by a SHA-256 hash chain that creates a tamper-evident audit trail. Any modification to protected files (lint configurations, CI pipelines, deployment scripts, security exception registries) requires updating the hash chain with password authentication. This prevents unauthorized weakening of security controls.
Structural enforcement
Automated callbacks enforce a maximum of 500 lines per source file and 8 entries per directory. These constraints are checked on every file edit (pre-commit) and in CI. They ensure code remains modular, reviewable, and that security-sensitive logic is isolated into small, auditable units.
Release process
Release binaries are produced exclusively through GitHub Actions CI/CD from tagged commits on the main branch. The release workflow is itself a hash-chain-protected file. Binaries are published as GitHub Releases with a 4-target build matrix (Linux x86_64, Linux aarch64, macOS x86_64, macOS aarch64) using pinned runner images and toolchain versions.
10. Vulnerability Disclosure Program
Context Pilot maintains a responsible disclosure program for security vulnerabilities. We are committed to working with security researchers to verify, address, and publicly acknowledge reported vulnerabilities.
Reporting Channel
ActiveSecurity vulnerabilities should be reported via GitHub Security Advisories. This provides a private, encrypted channel for vulnerability discussion between the reporter and the maintainers. Do not report security vulnerabilities through public GitHub Issues.
Response Commitment
Upon receiving a security report, the maintainers will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment of severity and impact within 5 business days
- Develop and release a fix for confirmed critical/high-severity vulnerabilities within the current development cycle
- Coordinate public disclosure with the reporter after a fix is available
- Credit the reporter in the security advisory (unless anonymity is requested)
Scope
The following are in scope for the vulnerability disclosure program:
- Path traversal vulnerabilities in the file system API
- Authentication/authorization bypasses in the SSE ticket system
- Credential exposure through logging or persistence
- Denial of service vulnerabilities in the orchestration backend
- Remote code execution through any input vector
- Supply chain attacks via compromised dependencies
- Information disclosure of sensitive data (API keys, conversation content)