Security and privacy are foundational principles of the Forma Design Intelligence Framework. Because Forma operates as an AI-driven tool that actively generates, reads, and audits code on your local machine, we have architected the system to be exceptionally secure against common AI vulnerabilities (like Prompt Injection, Data Exfiltration, and Cross-Site Scripting).
Forma is a 100% local framework. Unlike SaaS platforms that harvest your codebase for training data, Forma runs strictly on your machine.
- No API Keys Required by Forma: Forma relies on your IDE's LLM (e.g., Claude, Cursor, Windsurf).
- No Data Exfiltration: We do not collect analytics, telemetry, crash reports, or source code.
- Air-Gapped Viability: The core scripts (`trigger.py`, `design_system.py`, etc.) do not make external HTTP requests. They strictly process local JSON knowledge databases.
To protect your system from AI hallucination or malicious prompt injection, Forma enforces strict boundaries:
AI outputs often contain file paths. If a malicious prompt commands the AI to read or write sensitive OS files (e.g., `C:\Windows\System32` or `/etc/shadow`), Forma blocks it.
- Our internal `SecuritySandbox` strictly validates all directory and file paths using `os.path.abspath`.
- If the resolved path escapes the current workspace boundary, a `SecurityException` is raised and execution is immediately halted.
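The workspace-boundary check described above, written out as an added example (this is not Forma's own `SecuritySandbox` code; the class and method names here are assumptions). It goes slightly beyond the text in two ways a practitioner will want: it uses `os.path.realpath` so that a symlink inside the workspace cannot point outside it, and it compares with `os.path.commonpath` rather than a string prefix, because `/ws` is a string prefix of `/ws-evil` but not a parent directory of it.

```python
import os
import tempfile


class SecurityException(Exception):
    """Raised when a path produced by the LLM escapes the workspace."""


class SecuritySandbox:
    """Constructed example of a workspace-confined path validator (not Forma's code)."""

    def __init__(self, workspace: str) -> None:
        # realpath resolves symlinks as well as "..", so the boundary itself is canonical.
        self.workspace = os.path.realpath(workspace)

    def resolve(self, candidate: str) -> str:
        # Relative paths are anchored at the workspace, never at the process CWD.
        joined = candidate if os.path.isabs(candidate) else os.path.join(self.workspace, candidate)
        resolved = os.path.realpath(joined)
        # commonpath, not startswith: "/ws" is a prefix of "/ws-evil" as a string only.
        try:
            inside = os.path.commonpath([self.workspace, resolved]) == self.workspace
        except ValueError:  # e.g. different drives on Windows: never inside
            inside = False
        if not inside:
            raise SecurityException(f"path escapes workspace: {candidate!r}")
        return resolved

    def is_allowed(self, candidate: str) -> bool:
        try:
            self.resolve(candidate)
            return True
        except SecurityException:
            return False


def demo() -> dict:
    """Exercise the sandbox against a constructed temporary workspace."""
    root = tempfile.mkdtemp()
    ws = os.path.join(root, "ws")
    os.makedirs(os.path.join(ws, "tokens"))
    os.makedirs(os.path.join(root, "ws-evil"))          # sibling whose name shares a prefix
    outside = os.path.join(root, "secret.txt")          # constructed file outside the workspace
    open(outside, "w").close()
    link = os.path.join(ws, "link")
    try:
        os.symlink(outside, link)                       # symlink inside pointing outside
        symlink_ok = True
    except (OSError, NotImplementedError):              # symlinks unavailable on this host
        symlink_ok = False
    sb = SecuritySandbox(ws)
    return {
        "relative_inside": sb.is_allowed("tokens/colors.json"),
        "dotdot_escape": sb.is_allowed("../secret.txt"),
        "absolute_outside": sb.is_allowed("/etc/shadow"),
        "prefix_collision": sb.is_allowed(os.path.join(root, "ws-evil", "x.json")),
        "symlink_escape": sb.is_allowed("link") if symlink_ok else False,
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:18s} allowed={allowed}")
```

Only `relative_inside` is allowed; every other case is rejected. A check built on `abspath` and `startswith` alone would let the `prefix_collision` and `symlink_escape` cases through.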
Forma never uses `os.system()`, `subprocess.run()`, or `eval()` to execute raw strings returned by the LLM. The AI is strictly limited to generating design tokens (JSON) and parsing syntax through our rigid Python engine.
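As an added illustration of the "JSON only, never `eval()`" rule (not Forma's own parser; the token shape `name -> {"value", "type"}` and the allowed type set are assumptions), the example below accepts model output exclusively through `json.loads` and then validates the shape. `json.loads` can only ever produce data, so text that would execute under `eval()` is simply a parse error, and a token carrying an unexpected key is rejected rather than passed downstream.

```python
import json
import numbers

# Assumed token types for this example; Forma's real schema is not shown on the page.
ALLOWED_TYPES = {"color", "dimension", "fontFamily", "fontWeight", "number"}


class TokenValidationError(ValueError):
    """Raised when model output is not a well-formed design-token document."""


def parse_design_tokens(model_output: str) -> dict:
    """Parse LLM output as a design-token document; data only, no code paths."""
    try:
        data = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise TokenValidationError(f"output is not JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise TokenValidationError("top level must be an object")
    tokens = {}
    for name, spec in data.items():
        # Exactly the two expected keys: anything extra is dropped by raising, not ignored.
        if not isinstance(spec, dict) or set(spec) != {"value", "type"}:
            raise TokenValidationError(f"token {name!r} must have exactly 'value' and 'type'")
        if spec["type"] not in ALLOWED_TYPES:
            raise TokenValidationError(f"token {name!r} has unknown type {spec['type']!r}")
        value = spec["value"]
        if isinstance(value, bool) or not isinstance(value, (str, numbers.Real)):
            raise TokenValidationError(f"token {name!r} value must be a string or number")
        tokens[name] = {"value": value, "type": spec["type"]}
    return tokens


def is_valid_token_document(model_output: str) -> bool:
    try:
        parse_design_tokens(model_output)
        return True
    except TokenValidationError:
        return False


# Constructed sample outputs: one well-formed, three that must be rejected.
GOOD = ('{"color.primary": {"value": "#1a73e8", "type": "color"},'
        ' "space.md": {"value": 16, "type": "dimension"}}')
NOT_JSON = "__import__('os').getcwd()"   # harmless, but would run under eval(); here it is a parse error
EXTRA_KEY = '{"color.primary": {"value": "#fff", "type": "color", "onLoad": "alert(1)"}}'
NOT_OBJECT = "[1, 2, 3]"

if __name__ == "__main__":
    print(parse_design_tokens(GOOD))
    for sample in (NOT_JSON, EXTRA_KEY, NOT_OBJECT):
        print(repr(sample[:30]), "valid:", is_valid_token_document(sample))
```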
The Frontend Architect Node is governed by an Omnipotent Security Directive. When Forma generates UI code for your projects, it strictly adheres to modern security standards:
- React: Absolute ban on `dangerouslySetInnerHTML`.
- Vue: Absolute ban on the `v-html` directive.
- Svelte: Absolute ban on the `{@html}` tag.
- Vanilla JS: Absolute ban on `element.innerHTML`. It enforces `textContent` or `innerText`.
This ensures that the web applications generated by Forma are immune to Cross-Site Scripting (XSS) injections by default.
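An added example of how the four bans above can be verified as an audit pass over generated source text (this is not Forma's own enforcement, which the page does not show; the pattern table and function names are assumptions). It reports the line of each banned construct per framework; for vanilla JS it flags assignments to `.innerHTML`, which is the sink the rule is about.

```python
import re

# Constructed pattern table keyed by framework, one entry per ban listed on the page.
BANNED = {
    "react": [(r"dangerouslySetInnerHTML", "dangerouslySetInnerHTML is banned; render text as children")],
    "vue": [(r"\bv-html\b", "v-html is banned; use {{ }} interpolation")],
    "svelte": [(r"\{@html\b", "{@html} is banned; use plain {expression} output")],
    # Matches "= " or "+= " but not "===" so comparisons are not reported.
    "vanilla": [(r"\.innerHTML\s*\+?=(?!=)", "innerHTML assignment is banned; use textContent or innerText")],
}


def audit_generated_ui(source: str, framework: str) -> list:
    """Return (line_number, message) for every banned construct in generated UI code."""
    if framework not in BANNED:
        raise ValueError(f"unknown framework: {framework!r}")
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, message in BANNED[framework]:
            if re.search(pattern, line):
                findings.append((lineno, message))
    return findings


def is_compliant(source: str, framework: str) -> bool:
    return not audit_generated_ui(source, framework)


# Constructed snippets: the "bad" ones contain exactly the constructs the rules ban.
REACT_BAD = "export const Card = ({ html }) => <div dangerouslySetInnerHTML={{ __html: html }} />;"
REACT_OK = "export const Card = ({ text }) => <div>{text}</div>;"
VANILLA_BAD = "const el = document.getElementById('out');\nel.innerHTML = userInput;"
VANILLA_OK = "const el = document.getElementById('out');\nel.textContent = userInput;"
VANILLA_COMPARE = "if (el.innerHTML === '') { el.textContent = 'empty'; }"
VUE_BAD = '<p v-html="rawDescription"></p>'
SVELTE_BAD = "<div>{@html description}</div>"

if __name__ == "__main__":
    for name, (src, fw) in {
        "react_bad": (REACT_BAD, "react"), "react_ok": (REACT_OK, "react"),
        "vanilla_bad": (VANILLA_BAD, "vanilla"), "vanilla_ok": (VANILLA_OK, "vanilla"),
        "vue_bad": (VUE_BAD, "vue"), "svelte_bad": (SVELTE_BAD, "svelte"),
    }.items():
        print(name, audit_generated_ui(src, fw) or "compliant")
```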
If you discover a vulnerability in Forma's execution pipeline, please report it immediately:
- Do not open a public GitHub issue.
- Email your findings to `security@forma.dev` (placeholder for actual contact).
- We will acknowledge receipt within 24 hours and issue a patch globally.