Security
Architecture
- Local-first. memgit itself stores everything on your machine. Nothing leaves it unless you opt into cloud sync.
- End-to-end encrypted sync. memgit cloud encrypts every memory, thread name, and ref on your device (libsodium: Argon2id, XSalsa20-Poly1305, X25519) before upload. The server stores ciphertext and opaque keyed-hash IDs only — we cannot read your memories, and neither can anyone who compromises the server.
- Zero-knowledge accounts. Your passphrase never leaves your device; the server sees only a key derived from it on your device (blind to the passphrase itself), which it hashes again before storing. Team keys are sealed to each member's public key. Invite secrets travel in URL fragments, the part after `#`, which browsers never include in the request sent to the server.
- The honest trade-off. We cannot reset your passphrase or recover your data without it. That is the point.
Reporting a vulnerability
Email codeforyou4161@gmail.com with details and reproduction steps. Please give us a reasonable window to fix the issue before public disclosure. We do not currently run a paid bounty program, but we credit reporters in release notes with permission.
Machine-readable contact: /.well-known/security.txt