
🛡️ Security Policy — NakshAstraMCP

We are committed to delivering a highly secure, private-first experience for local codebase context retrieval. All processing is local-only — your code never leaves your machine.


✅ Supported Versions

Security updates and maintenance patches are actively applied to these releases:

| Version | Status |
|---|---|
| v3.20.x (Current) | ✅ Active — Fully Supported |
| v3.19.x | ✅ Active Security Support |
| v3.16.x – v3.18.x | ✅ Maintained (critical patches only) |
| v3.0.0 – v3.15.x | ❌ Outdated — Please upgrade |
| < v3.0.0 | ❌ Unsupported |

[!IMPORTANT] Always run the latest release. Outdated versions may contain unpatched vulnerabilities and will not receive security fixes.


🔒 Reporting a Security Vulnerability

We prioritize local privacy and workspace protection. If you identify a security issue, vulnerability, sandbox escape, or path traversal risk — do not open a public GitHub issue.

Private Disclosure Process

  1. Email: Send your report directly to vijaytank132@gmail.com
  2. Subject Line: Use exactly: [SECURITY VULNERABILITY] - NakshAstraMCP
  3. Include in your report:
    • A detailed description of the suspected vulnerability and its potential impact.
    • Clear, step-by-step reproduction instructions (with minimal sample code or commands where applicable).
    • Your operating system, terminal environment, and NakshAstraMCP version:
      nakshastramcp --version
      

⚡ Our Response Protocol

| Stage | Commitment |
|---|---|
| Acknowledgment | We will confirm receipt of your private email within 48 hours |
| Investigation | We will reproduce and analyze the reported behavior internally |
| Resolution | We will implement a patch and notify you when a secure hotfix release is available for download |
| Confidentiality | Your identity will remain completely confidential throughout the entire process |

Built-In Security Architecture

NakshAstraMCP is designed with security-first principles:

| Feature | Description |
|---|---|
| Path Jail | All file read and index operations are validated against registered workspace roots — no traversal outside boundaries |
| Secret Detection | Integrated scanner (using detect-secrets with regex fallback) prevents API keys, tokens, and passwords from being indexed |
| User-Space Only | No administrator or root privileges are ever requested |
| Local-Only Processing | No codebase data, AST graphs, or analysis results leave your machine |
| Grammar Lock (TOFU) | SHA-256 hashes of Tree-sitter grammar wheels are verified on every startup to detect tampering |
| SSL Environment Repair | Invalid SSL certificate paths from other tools (e.g., PostgreSQL) are automatically removed from the environment to prevent SSL failures |
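
The kind of check the Path Jail row describes, as an added example that is not NakshAstraMCP's own code: paths are canonicalised and then compared component by component against the registered roots. The names `PathJail`, `check`, `allows` and `demo`, and the directory layout, are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathJail:
    """Allow file access only inside registered workspace roots (illustrative)."""

    def __init__(self, roots):
        # Canonicalise the roots once; strict=True rejects a root that is missing.
        self.roots = [Path(r).resolve(strict=True) for r in roots]

    def check(self, candidate):
        """Return the canonical path if it lies inside a root, else raise."""
        # resolve() collapses ".." and follows symlinks before the comparison.
        real = Path(candidate).resolve()
        for root in self.roots:
            # Compare whole components: "<root>-evil" must not match "<root>".
            if real == root or root in real.parents:
                return real
        raise PermissionError(f"outside workspace roots: {candidate}")

    def allows(self, candidate):
        try:
            return self.check(candidate) is not None
        except PermissionError:
            return False


def demo():
    """Run the jail over a constructed directory layout; return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sibling = Path(tmp, "proj"), Path(tmp, "proj-evil")
        (root / "src").mkdir(parents=True)
        sibling.mkdir()
        (root / "src" / "a.py").write_text("print('hi')\n")
        (sibling / "secret.txt").write_text("constructed sample\n")
        os.symlink(sibling, root / "link")  # symlink pointing out of the root
        jail = PathJail([root])
        return {
            "inside": jail.allows(root / "src" / "a.py"),
            "dotdot": jail.allows(root / "src" / ".." / ".." / "proj-evil" / "secret.txt"),
            "sibling_prefix": jail.allows(sibling / "secret.txt"),
            "symlink_escape": jail.allows(root / "link" / "secret.txt"),
        }


if __name__ == "__main__":
    print(demo())
```

A caller should open the canonical path returned by `check` rather than the original string, since re-resolving the input after the check leaves a window in which a symlink can be swapped.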
