YAAMS reads and stores sensitive personal data: chat history, email, calendar, GitHub activity, curated notes. This document describes the threat model, the guarantees YAAMS makes (and does not make), and how to report vulnerabilities.
Do not open a public GitHub issue for security problems.
Use GitHub Security Advisories to file a private report. Include:
- A description of the vulnerability and its impact.
- Steps to reproduce or proof-of-concept code.
- The affected version (
yaams --version). - Your suggested fix or mitigation, if any.
You can expect an acknowledgement within seven days. There is no bug bounty - this is a personal project - but credit in the changelog is offered on request.
Only the latest 0.x release receives security fixes. Pre-1.0 releases may break API and on-disk schema between minor versions; security backports to older minors are not provided. Pin to a specific version if you need stability.
| Version | Supported |
|---|---|
| 0.1.x | yes |
| < 0.1 | no |
- Local-only compute. All extraction, NER, embedding, retrieval, and LLM synthesis run on the same machine. The default LLM backends (
ollama,claudeCLI,codexCLI) are explicit user choices; no data leaves the box unless you point them at a hosted backend. - Append-only items. Raw ingested records are immutable. Edits become new items with
supersedes:links, so destructive bugs cannot silently rewrite history. - Source read-only. Adapters open source databases (iMessage
chat.db, Signal SQLCipher store) read-only and do not modify them. - Idempotent ingest. Re-running an adapter against the same source produces the same item IDs, so retries cannot duplicate or corrupt records.
- At-rest encryption. The YAAMS SQLite database is stored in plaintext at
db_path. If your disk is unencrypted, your YAAMS data is unencrypted. Use FileVault (macOS), LUKS (Linux), or BitLocker (Windows). - OS-level access controls. Any process running as your user can read the database. Lock your screen.
- The LLM backend. If you configure a hosted LLM (
claudeCLI,ollamapointed at a remote host, asubprocessadapter calling a network tool), the synthesis prompt - including grounded snippets from your data - is sent to that backend. Local backends (localollama,dummy) keep everything in-process. - Hugging Face downloads. First-run model fetches go to
huggingface.co. After the cache is populated, embedding runs offline. - GitHub token scope. The
githubadapter uses yourgh auth token. Whatever scopes that token has, YAAMS can use - including reading private repos. Auditgh auth statusif you are unsure. owa-piggytokens. Theteamsandcalendaradapters borrow Microsoft Graph tokens fromowa-piggy. Token security is delegated toowa-piggy's threat model.
| Data | Where it lives | Encryption | Notes |
|---|---|---|---|
| Item bodies | db_path (SQLite) |
filesystem only | text of messages, emails, notes |
| Embeddings | db_path (sqlite-vec) |
filesystem only | derived from item bodies |
| Entity dictionary | config.yaml |
filesystem only | names, aliases, projects |
| Signals (query log) | db_path |
filesystem only | what you searched and which results were marked relevant |
| Hugging Face cache | ~/.cache/huggingface/ |
filesystem only | public model weights, not sensitive |
| GitHub token | not stored by YAAMS | n/a | retrieved per-call from gh auth token |
| Microsoft Graph token | not stored by YAAMS | n/a | borrowed per-call from owa-piggy |
- Enable full-disk encryption on the host.
- Run the YAAMS user account as a standard (non-admin) user.
- Set
db_pathoutside synced folders (iCloud, Dropbox, OneDrive) unless that is intentional. - Keep
config.yaml(entity dictionary, source paths) out of git - the supplied.gitignorealready excludes it. - Prefer local LLM backends (
dummy, localollama) over hosted ones when synthesizing answers from sensitive data. - Review what scopes your
gh auth tokencarries before enabling thegithubadapter. - Use
python -m yaams.cli ingest --dry-runfirst against any new source.
- No process-level isolation between adapters. A bug in any one adapter (e.g. a malformed
.emlxfile crashingemail_mbox.py) can abort the whole ingest run, though the changes from completed sources commit independently. - spaCy NER and sentence-transformers run untrusted model files. The defaults (
xx_ent_wiki_sm,BAAI/bge-m3) are widely-used public models; if you swap them, you accept that risk. - The
claude,codex, andsubprocessLLM backends spawn external processes. The list-argv form prevents shell injection from prompt content, but they inherit the calling shell's environment.