Local authority narrows the default attack surface
The base engine owns one local data directory. It does not require network credentials, a database service, an embedding provider, or a cloud control plane.
- Filesystem permissions and host isolation remain operator responsibilities.
- At-rest encryption is not claimed by the engine.
- A local attacker with process or filesystem authority remains inside the threat model.
The optional server is loopback-first
Remote exposure is a deliberate operator action. Authentication, TLS termination, rate policy, and process supervision must be configured before accepting untrusted network traffic.
- Request, response, concurrency, and timeout limits are bounded.
- Stable error codes avoid leaking internal detail.
- Successful reads remain proof-bearing.
Durable formats fail closed
Checksums, digest chaining, canonical snapshots, versioned formats, and compatibility fixtures detect corruption and unsupported state before normal service continues.
- Indexes are rebuildable and never override log authority.
- Restore publishes only after complete verification.
- Compaction commits an anchored generation.
Proofs do not invent trust
A valid result proof demonstrates reexecution against the supplied witness and caller-pinned anchor. The application still owns anchor distribution, identity, key policy, and backup custody.
- Checksum is not signature.
- Proof is not authorization.
- Verification never fetches missing trust material implicitly.
Report privately
Do not open a public issue for a suspected vulnerability. Include the affected version, reproduction, impact, and any proposed mitigation in a private report.
- Security contact: security@celiums.ai
- The public GitHub security policy defines supported versions and reporting guidance.