If you discover a security vulnerability in SynaBun, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities.
- Use GitHub's private vulnerability reporting to submit your report.
- Include: description of the vulnerability, steps to reproduce, and potential impact.
We will acknowledge reports within 72 hours and aim to release a fix within 7 days for critical issues.
SynaBun is designed as a local-first tool. All components run on your machine:
| Component | Default Binding | Auth |
|---|---|---|
| SQLite Database | File-based (`data/memory.db`) | N/A (filesystem) |
| Neural Interface | `0.0.0.0:3344` | None |
| MCP Server | stdio (no network) | N/A |
Important: The Neural Interface binds to all network interfaces (`0.0.0.0`) by default, which means it is accessible from other devices on your network. If you need to restrict access, set up a firewall rule or reverse proxy.
| File | Contains | Gitignored? |
|---|---|---|
| `.env` | Configuration overrides, bridge config | Yes |
| `data/mcp-api-key.json` | API key for HTTP MCP transport | Yes |
| `mcp-server/data/custom-categories-*.json` | Category names and descriptions only | No (safe) |
| `data/hook-features.json` | Feature flags only | No (safe) |
Never commit `.env` to version control. It is listed in `.gitignore` by default. If you accidentally commit it, rotate all API keys immediately.
Note: `connections.json` has been deprecated in favor of namespaced `.env` variables. If you still have one, it is auto-migrated on startup and renamed to `connections.json.bak`.
- The Neural Interface's `/api/settings` endpoint masks API keys in responses (shows only the last 4 characters).
- API keys are never logged to stdout/stderr.
- Keys are read from `.env` at startup and on config reload.
The Neural Interface blocks all Cloudflare tunnel traffic (detected via the `cf-connecting-ip` header) except to the `/mcp` endpoint. This prevents accidental exposure of the management UI when using tunnels for remote MCP access.
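The tunnel rule described above, written out as an Express-style middleware. This is an added example, not the Neural Interface's own implementation: the `/mcp` prefix match (the endpoint plus any sub-path) and the 403 status are assumptions. The decision is kept in a pure function so it can be tested without starting a server.

```javascript
// Added example, not SynaBun's code: reject requests that arrive through a
// Cloudflare tunnel unless they target the MCP endpoint.

const TUNNEL_HEADER = 'cf-connecting-ip';   // set by Cloudflare on tunnelled requests
const ALLOWED_PREFIX = '/mcp';              // assumed: "/mcp" and paths beneath it

// Node lower-cases incoming header names; normalise here so the pure function
// also works with hand-built header objects.
function isTunnelRequest(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const value = lower[TUNNEL_HEADER];
  return typeof value === 'string' && value.length > 0;
}

// Exact "/mcp" or "/mcp/...", ignoring the query string. A plain startsWith
// check would also let "/mcpadmin" through, so the separator is required.
function isAllowedTunnelPath(path) {
  const p = (path || '').split('?')[0];
  return p === ALLOWED_PREFIX || p.startsWith(ALLOWED_PREFIX + '/');
}

function shouldBlockTunnelRequest(headers, path) {
  return isTunnelRequest(headers) && !isAllowedTunnelPath(path);
}

// Express middleware: app.use(cloudflareTunnelGuard) before the UI routes.
// It only ever adds a block; requests without the tunnel header are left to
// whatever other controls sit in front of the server.
function cloudflareTunnelGuard(req, res, next) {
  if (shouldBlockTunnelRequest(req.headers, req.originalUrl || req.url)) {
    res.status(403).send('Forbidden: tunnel access is limited to /mcp');
    return;
  }
  next();
}
```

Note what this check does and does not give you: a client cannot bypass it by adding or removing the header, because the header only ever makes a request *more* restricted. It relies on the tunnel actually setting `cf-connecting-ip`, so it is a guard against accidental exposure through a tunnel, not a substitute for the firewall or authenticated reverse proxy recommended above.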
- Protect the database file. The SQLite database (`data/memory.db`) contains all your memories. Use filesystem permissions to restrict access.
- Do not expose the Neural Interface to the public internet. It has no authentication. Use it only on localhost or behind a VPN/reverse proxy with auth.
- Back up regularly. Copy `data/memory.db` to a safe location. The database file contains all memories and vectors.
SynaBun depends on:
- @huggingface/transformers — for local embedding generation (ONNX runtime)
- Express.js — for the Neural Interface server
- @modelcontextprotocol/sdk — for MCP protocol communication
Run `npm audit` periodically in both `mcp-server/` and `neural-interface/` to check for known vulnerabilities.