Security & Data Handling

Last updated: 2026-04-25 · v2.2

SoloMD is a pure client-side desktop / mobile app. There is no SoloMD server, no SoloMD account, no SoloMD cloud. Below is every place data flows in the product, and exactly how we protect it.

1. Your notes — always on your disk

• Every note is a plain .md file in the workspace folder you choose. No proprietary database, no opaque blob format.
• Uninstall SoloMD and your files are still there, openable in Obsidian / VS Code / Notepad / cat. There is no lock-in.
• Tauri's filesystem permissions are scoped to the workspace you opened. The app cannot scan the rest of your disk.
• No "sync to cloud" code path exists. We literally couldn't upload your notes if we wanted to.

2. API keys — OS keychain, never on disk in plain text

• API keys for the 14 supported AI providers are stored via keyring-rs, which means:
  • macOS → Keychain (hardware-encrypted)
  • Windows → Credential Manager
  • Linux → libsecret / GNOME Keyring
• Keys are never written to localStorage, settings.json, log files, or any config file.
• The key only leaves the keychain at the moment of an AI call — read by the Rust backend, sent to the vendor, then dropped. The frontend never holds the plain-text key.
• When you remove a provider's key, it's deleted from the keychain immediately.

3. AI rewrite — opt-in, direct, scoped to your selection

• AI is off by default. You have to enable it in settings and supply your own key (BYOK). No SoloMD-hosted models.
• When you trigger a rewrite, only the selected text is sent. We don't include the file name, file path, surrounding paragraphs, or any other note metadata.
• The request goes directly from your machine to the provider you picked — there is no SoloMD relay, no logging, no interception. We can't see the content because it doesn't pass through us.
• The "verify key" step also calls the provider's /models endpoint directly.

4. MCP server — read-only by default, with path-traversal guard

• The bundled solomd-mcp binary exposes 6 read-only tools by default: list_notes, read_note, search, get_backlinks, list_tags, get_outline.
• Write tools (write_note, append_to_note) are only enabled if you start the server with the explicit --allow-write flag. Default = read-only.
• Every path argument is canonicalized and checked against the workspace root. Attempts like ../../etc/passwd are rejected before any I/O happens.
• MCP runs locally over stdio — it doesn't open a network port.

5. Local RAG / semantic search — never leaves the disk

• v2.3 adds a semantic-search panel (⌘⇧F). Like everything else in SoloMD it is off by default. Settings → "Enable semantic search" turns it on; until then nothing is scanned and no index file is created.
• When you opt in, your notes are split into paragraphs and embedded with a hashed character-trigram embedder that runs entirely in our Rust process. No model file is downloaded — the bundled embedder needs no weights and no network. The vectors are stored in <workspace>/.solomd/embeddings.sqlite, a plain SQLite file you can sqlite3 <file> .schema to inspect.
• Queries are also embedded locally. Ranking is brute-force cosine similarity in Rust — there is no remote API call, no query log, no network traffic.
• The index folder .solomd/ is auto-added to your workspace's .gitignore, so AutoGit never commits embeddings into your history.
• Privacy summary: query text → local embedding function → local SQLite scan → ranked results. The query text never touches a network socket.

6. AutoGit — local commits, never auto-pushed

• Auto-commits go to a local .git repository inside your workspace. Nothing is pushed to any remote automatically.
• You control remotes. If you want to push to GitHub / a private server, do it manually with the git tool of your choice.
• Because it's a normal git repo, you can audit every commit with git log — no hidden state.

7. Telemetry — minimal, opt-out, content-free, inspectable

• We send anonymous event counters (app launched, which feature was used) to help us decide what to build next.
• We never send: note content, file names, file paths, workspace paths, API keys, search queries, or any personally identifiable info.
• One toggle in settings turns it off. App Store builds default to off.
• Want to see exactly what's being reported? Open DevTools and run localStorage.setItem('solomd.telemetryDebug', '1'). Every event will be printed to the console verbatim.

8. Sandboxing & supply chain

• Tauri 2 isolates the webview from the OS — the renderer can only call Rust commands we explicitly registered.
• The Rust backend has no eval, no shell-out to user-supplied strings.
• We pin all dependencies and ship the lockfile. Every release is built from a tagged commit on GitHub Actions.
• macOS builds are notarized by Apple; Windows builds are signed.

9. Transparency — open source MIT

Every claim above is auditable. The whole codebase is MIT-licensed:

• Want to verify keychain handling? Read app/src-tauri/src/ai_proxy.rs
• Want to verify MCP path checks? Read mcp-server/src/main.rs
• Want to verify there's no telemetry of file content? grep the repo: trackEvent

Reporting a vulnerability

Found something? Email [email protected] with details. We'll respond within 72 hours and credit you in the release notes (unless you'd rather stay anonymous).

中文版 · Privacy Policy