Security: jayehmke/techlead

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x.x
< 1.0

Security Model

Techlead is designed as a local-first development tool with the following security characteristics:

Local Execution Only

  • Runs entirely on your local machine
  • No cloud services or external data transmission
  • Knowledge database stored locally in .techlead/

Network Exposure

  • HTTP server binds to localhost by default
  • MCP mode uses stdio (no network)
  • No authentication required (local tool assumption)

Data Storage

  • SQLite database with no encryption at rest
  • Embeddings stored alongside text content
  • Session history stored in plaintext JSONL

External Dependencies

  • Requires local Ollama instance for embeddings
  • Claude Code integration via MCP protocol
  • No external API calls for core functionality

Security Considerations

DO NOT use techlead to:

  • Process sensitive credentials or secrets
  • Store PII or confidential information in decisions/learnings
  • Expose the HTTP server to public networks

Recommended Practices

  1. Run only in trusted development environments
  2. Keep .techlead/ in .gitignore to avoid committing local data
  3. Use firewall rules if running the HTTP server in shared environments
  4. Regularly back up or clear .techlead/knowledge.db if it contains sensitive context
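
A local audit of practices 2 and 3 can be scripted. The following is an added example, not part of the techlead project: it assumes Linux `ss -ltnp` output and a process named `techlead`, uses constructed sample ports and PIDs, and adds a file-permission check as an assumption that follows from the unencrypted storage described above.

```python
import ipaddress
import os
import subprocess

DATA_DIR = ".techlead"  # local data directory named in the policy

def exposed_listeners(ss_output, process="techlead"):
    """Return local addresses where `process` listens on a non-loopback interface."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN" or f'"{process}"' not in line:
            continue
        # Local address is column 4; drop the port, IPv6 brackets and any zone id.
        host = fields[3].rpartition(":")[0].strip("[]").split("%")[0]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # "*" (all interfaces) or anything unparsable
            loopback = False
        if not loopback:
            exposed.append(fields[3])
    return exposed

def loosely_permissioned(project):
    """Files under .techlead/ that group or other users can access."""
    hits = []
    for root, _dirs, files in os.walk(os.path.join(project, DATA_DIR)):
        for name in files:
            path = os.path.join(root, name)
            if os.stat(path).st_mode & 0o077:
                hits.append(os.path.relpath(path, project))
    return sorted(hits)

def data_dir_ignored(project):
    """True when git reports .techlead/ contents as ignored (exit status 0)."""
    probe = os.path.join(DATA_DIR, "knowledge.db")
    result = subprocess.run(["git", "-C", project, "check-ignore", "-q", probe])
    return result.returncode == 0

# Constructed sample of `ss -ltnp` output; ports and PIDs are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("techlead",pid=4242,fd=7))
LISTEN 0 4096 [::1]:8080 [::]:* users:(("techlead",pid=4242,fd=8))
LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:* users:(("techlead",pid=4300,fd=7))
LISTEN 0 4096 *:22 *:* users:(("sshd",pid=900,fd=3))
"""

if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE_SS))
    print("loose files:", loosely_permissioned("."))
    print(".techlead ignored:", data_dir_ignored("."))
```

On a real machine, pass the captured output of `ss -ltnp` to `exposed_listeners` in place of the sample; any address it returns is reachable from outside the loopback interface and needs a firewall rule or a changed bind address.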

Reporting a Vulnerability

If you discover a security vulnerability:

  1. Do not open a public issue
  2. Email security concerns to the repository maintainer
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We aim to respond to security reports within 48 hours and will work with you to understand and address the issue.

Scope

This security policy applies to:

  • The techlead binary and all subcommands
  • The MCP server integration
  • The HTTP server endpoints
  • The knowledge database and its contents

Third-party dependencies (Ollama, sqlite-vec, etc.) have their own security policies.
