Security: toddegray/integrator

Security

Reporting a vulnerability

Email Todd Gray at toddegray@gmail.com with the subject line integrator security. Please include:

  • What the vulnerability allows an attacker to do.
  • Steps to reproduce (message, skill, flags, expected vs. actual behavior).
  • Your affiliation and preferred credit in the fix changelog.

Response SLA is best-effort — this is a solo-maintained MIT project.

Threat model

integrator is designed to run on an integration engineer's workstation or inside a compliant environment.

What integrator defends against

  • Outbound PHI leakage by default. All skills run locally. Config defaults disable cloud inference. Memory never leaves the machine. No telemetry.
  • PHI in cloud calls when cloud is opted into. The redact_phi config flag (default true) runs a structural PHI scrubber (src/inference/redact.ts) before any outbound request. This is best-effort, not a compliance certification.
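The following is an added illustration of what a structural (field-position based, not regex based) PHI scrubber does before an outbound request; it is not the project's src/inference/redact.ts and makes no claim about how that file works. It uses standard HL7 v2 PID field numbers (PID-3 identifiers, PID-5 name, PID-7 date of birth, PID-11 address, PID-13 phone, PID-19 SSN) on a constructed ADT message, and adds the check a practitioner wants around a best-effort scrubber: after scrubbing, verify that none of the original identifier values survive in the payload, and refuse-by-flag when redact_phi is off. Free text in other segments (NTE, OBX values) is deliberately not touched, which is exactly why the page calls the scrubber best-effort.

```python
from typing import Dict, List

# Constructed sample ADT message; every value is fictional. HL7 v2 separates
# segments with CR, and the PID segment carries the direct identifiers.
SAMPLE_MSG = "\r".join([
    "MSH|^~\\&|SENDAPP|SENDFAC|RECVAPP|RECVFAC|202401011200||ADT^A01|MSG00001|P|2.5.1",
    "PID|1||123456^^^HOSP^MR||DOE^JANE^A||19800101|F|||1 MAIN ST^^SPRINGFIELD^IL^62701"
    "||555-555-0100||||||123-45-6789",
    "PV1|1|I|WARD^101^A",
])

# PID fields that hold direct identifiers, keyed by HL7 field number (PID-n).
# After splitting on '|', index n is field n because index 0 is the segment name.
PID_PHI_FIELDS: Dict[int, str] = {
    3: "PATIENT_ID", 5: "NAME", 7: "DOB", 11: "ADDRESS", 13: "PHONE", 19: "SSN",
}


def phi_values(msg: str) -> List[str]:
    """Collect every populated PHI field value from all PID segments of a message."""
    values: List[str] = []
    for segment in msg.split("\r"):
        fields = segment.split("|")
        if fields[0] != "PID":
            continue
        values.extend(fields[i] for i in PID_PHI_FIELDS if i < len(fields) and fields[i])
    return values


def redact_segment(segment: str) -> str:
    """Replace each populated PHI field of a PID segment with a labelled placeholder.
    Field count and separators are preserved so the segment still parses downstream."""
    fields = segment.split("|")
    if fields[0] != "PID":
        return segment  # structural scrubber: only known identifier fields are touched
    for idx, label in PID_PHI_FIELDS.items():
        if idx < len(fields) and fields[idx]:
            fields[idx] = f"[REDACTED:{label}]"
    return "|".join(fields)


def redact_message(msg: str) -> str:
    return "\r".join(redact_segment(seg) for seg in msg.split("\r"))


def prepare_outbound(msg: str, redact_phi: bool = True) -> Dict[str, object]:
    """Gate for a cloud-bound payload: scrub, then verify nothing scrubbed leaked through.
    With redact_phi=False the original is returned with its identifiers listed under
    'leaked' so the caller can refuse to send rather than silently ship PHI."""
    if not redact_phi:
        return {"payload": msg, "redacted": False, "leaked": phi_values(msg)}
    out = redact_message(msg)
    leaked = [v for v in phi_values(msg) if v in out]  # post-check on the actual payload
    return {"payload": out, "redacted": True, "leaked": leaked}


if __name__ == "__main__":
    result = prepare_outbound(SAMPLE_MSG)
    print(result["payload"].replace("\r", "\n"))
    print("leaked:", result["leaked"])
```

The post-check matters more than the scrubber itself: a new segment type, a repeating field, or an identifier copied into a free-text field would pass a positional scrubber unnoticed, and the leak list is the place where that shows up before the request leaves the machine.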

What integrator does NOT defend against

  • A compromised host. If your workstation is compromised, the local SQLite memory and any messages you paste are accessible to the attacker.
  • Accidental check-in of the memory DB. ~/.integrator/ is outside the project tree so this is unlikely, but don't commit ~/.integrator/data/integrator.db to a git repo.
  • Secure-erase of deleted entries. SQLite may keep the bytes of a deleted row in freed pages until VACUUM rewrites the file. If you need to scrub a specific entry, follow the delete with VACUUM.
  • HIPAA compliance. integrator is a tool, not a covered product. Your deployment environment, access controls, and BAA posture are your responsibility. See the disclaimer at the top of the README.
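The "deleted entries linger until VACUUM" point above is easy to verify on a throwaway database. The script below is an added example, not part of the project: it creates a temporary SQLite file, inserts a constructed marker string, deletes that one row with a targeted DELETE, runs VACUUM, and scans the raw file bytes after each step, bypassing SQLite entirely. The `secure_delete` pragma is set explicitly because distributions differ in its compiled-in default; with it OFF (a stock SQLite build) the marker normally survives the DELETE, and with it ON SQLite zeroes freed cells as it goes, which is the other mitigation worth knowing about. The table name is hypothetical and not the project's schema.

```python
import os
import sqlite3
import tempfile
from typing import Dict

# Constructed sample value standing in for a stored identifier; not real PHI.
MARKER = "PHI-CONSTRUCTED-MRN-7A3F9Q"


def file_contains(path: str, needle: str) -> bool:
    """Scan the raw database file bytes, without going through SQLite."""
    with open(path, "rb") as f:
        return needle.encode() in f.read()


def scrub_entry_demo(secure_delete: bool = False) -> Dict[str, object]:
    """Insert a row, delete it, then VACUUM, checking the on-disk file after each step."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        con = sqlite3.connect(path)
        # Compiled-in defaults differ between distributions; set it so the run is deterministic.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE quirks (id INTEGER PRIMARY KEY, note TEXT)")  # hypothetical table
        con.execute("INSERT INTO quirks (note) VALUES (?)", (MARKER,))
        con.commit()
        after_insert = file_contains(path, MARKER)

        # Targeted delete with a WHERE clause, as when scrubbing one specific entry.
        con.execute("DELETE FROM quirks WHERE note = ?", (MARKER,))
        con.commit()
        after_delete = file_contains(path, MARKER)

        # VACUUM rebuilds the file from live rows only, so freed pages and in-page
        # freeblocks that still held the old bytes are rewritten.
        con.execute("VACUUM")
        rows_left = con.execute("SELECT COUNT(*) FROM quirks").fetchone()[0]
        con.close()
        after_vacuum = file_contains(path, MARKER)

    return {
        "after_insert": after_insert,
        "after_delete": after_delete,
        "after_vacuum": after_vacuum,
        "rows_left": rows_left,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={'ON' if flag else 'OFF'}:", scrub_entry_demo(flag))
```

Note that VACUUM only covers the database file itself: a rollback journal or WAL file that existed at the time of the delete, filesystem snapshots, and backups are outside its reach, which is why the page's advice to keep ~/.integrator/ on an encrypted volume is the stronger control.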

Defense in depth recommendations

  • Keep ~/.integrator/ on an encrypted volume (FileVault on macOS, LUKS on Linux). The default config file permission is 0600.
  • Keep cloud inference disabled unless you have a specific, reviewed use case.
  • If you enable cloud inference, keep redact_phi=true and review src/inference/redact.ts against your organization's PHI policy.
  • If you build the MCP server into an organization-shared binary, review the args/command paths in your client config for path-injection risks.
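Two of the recommendations above are mechanically checkable: that files under ~/.integrator/ are not wider than 0600, and that an MCP client config's command and args do not carry path-injection risks. The script below is an added example, not part of integrator, and it assumes the common MCP client config shape (`{"mcpServers": {name: {"command": ..., "args": [...]}}}`); the config file name and sample entries are constructed. It flags a command that is not an absolute path (resolved through PATH at launch), a command path that does not exist, args containing shell metacharacters, and args that climb out of their directory.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Characters that turn an argument into a shell fragment if a client ever passes args via a shell.
SHELL_META = set(";&|$`<>\n")


def check_private_file(path: Path) -> List[str]:
    """Flag a file readable or writable by group/others (anything wider than 0600)."""
    if not path.exists():
        return [f"{path}: missing"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        return [f"{path}: mode {oct(mode)} is wider than 0600"]
    return []


def check_mcp_server(name: str, entry: Dict[str, object]) -> List[str]:
    """Review one server entry (assumed shape: {"command": str, "args": [str]})."""
    findings: List[str] = []
    cmd = str(entry.get("command", ""))
    if not os.path.isabs(cmd):
        findings.append(f"{name}: command {cmd!r} is not an absolute path (resolved via PATH)")
    elif not Path(cmd).is_file():
        findings.append(f"{name}: command {cmd!r} does not exist")
    for arg in entry.get("args", []):
        arg = str(arg)
        if SHELL_META & set(arg):
            findings.append(f"{name}: arg {arg!r} contains shell metacharacters")
        if ".." in Path(arg).parts:
            findings.append(f"{name}: arg {arg!r} climbs out of its directory")
    return findings


def review_mcp_config(text: str) -> Dict[str, List[str]]:
    """Parse a client config (assumed top-level key "mcpServers") and review every entry."""
    cfg = json.loads(text)
    return {name: check_mcp_server(name, entry)
            for name, entry in cfg.get("mcpServers", {}).items()}


# Constructed sample config: one sane entry, one with the problems the checks look for.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "integrator-ok": {"command": sys.executable, "args": ["/opt/integrator/server.py"]},
        "integrator-bad": {"command": "bun", "args": ["../../other.toml", "--name; echo hi"]},
    }
})


def permission_demo() -> Dict[str, int]:
    """Create a 0644 and a 0600 file in a temp dir and count the findings for each."""
    with tempfile.TemporaryDirectory() as tmp:
        loose, tight = Path(tmp, "loose.toml"), Path(tmp, "tight.toml")  # hypothetical names
        for p, mode in ((loose, 0o644), (tight, 0o600)):
            p.write_text("# constructed config\n")
            os.chmod(p, mode)
        return {"loose": len(check_private_file(loose)), "tight": len(check_private_file(tight))}


if __name__ == "__main__":
    for server, findings in review_mcp_config(SAMPLE_CONFIG).items():
        print(server, findings or "ok")
    print(permission_demo())
    # Real use: check_private_file(Path.home() / ".integrator" / "<config file>")
```

Run `check_private_file` against the real files under ~/.integrator/ and `review_mcp_config` against the client config you ship with a shared binary; a non-absolute command is the finding that matters most, because whichever directory or PATH entry the client happens to search first decides what actually runs.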

Supply chain

  • Runtime: Bun + TypeScript, no bundled C dependencies.
  • Direct dependencies: zod, @anthropic-ai/sdk, @modelcontextprotocol/sdk. See package.json and bun.lock for pinned versions.
  • No post-install scripts are shipped.
  • No network calls happen at install, build, or test time.

Known limitations

  • The HL7 parser is not a full compliance validator. HAPI FHIR remains ground truth for FHIR validation.
  • The FHIR validator does not enforce US Core / CARIN / Da Vinci profiles in v1.0.
  • The vendor-quirk memory is user-scoped. Quirks don't sync across users or machines by design (no phone-home). If you want team sharing, export the DB, share it, and import it on the other machine.

There aren’t any published security advisories