# Security notes

Brain Dump runs entirely in your browser. There is no backend; no Brain Dump
server ever sees your files, your queries, or your API keys.

## What is stored, where

- **API keys**: in IndexedDB on the device you're using.
  - In the MVP, keys are stored unencrypted. Any script running on the same
    origin could read them. Brain Dump loads no third-party scripts and applies
    a strict Content-Security-Policy, but if you install a browser extension
    that injects scripts into pages you visit, that extension could read the
    keys. Don't paste keys you wouldn't paste into a browser extension.
  - A future version will add an opt-in passphrase that encrypts keys at rest
    using WebCrypto (PBKDF2 + AES-GCM).
- **Documents and chunks**: in IndexedDB.
- **Embeddings**: in IndexedDB.
- **Conversation history**: in IndexedDB (post-MVP slice).

## Where data is sent

- **Embedding requests** go directly from your browser to the embedding
  provider you configured (Ollama on `localhost:11434`, or OpenAI).
- **Chat requests** go directly from your browser to the chat provider you
  configured (OpenRouter, Ollama, Groq, OpenAI).
- That's it. There are no telemetry endpoints.

## Content-Security-Policy

`notes.html` ships with a tight CSP for scripts + workers and a more
permissive one for connections (necessary for arbitrary URL scraping):

- `default-src 'self'` — only same-origin by default.
- `script-src 'self' 'unsafe-inline'` — `'unsafe-inline'` is required for
  the `<script type="importmap">` block, which points only at local files.
  Third-party libraries are **vendored** under `/vendor/` (see
  `vendor/README.md`); the page loads no external script content.
- `worker-src 'self' blob:` — the pdf.js worker is loaded from `/vendor/`.
- `connect-src 'self' https: <specific hosts>` — `https:` is required so
  URL ingestion (Slice 43) can fetch any HTTPS site the user pastes in.
  Without it, only the listed provider/git API hosts would be reachable.
  Specific hosts (OpenRouter, Groq, OpenAI, Anthropic, GitHub, GitLab) are
  enumerated for documentation even though `https:` already covers them.

The **load-bearing protection** against hostile content is DOMPurify
sanitizing every string that enters the DOM (assistant chat output,
source viewer markdown rendering). The connect-src list is no longer a
strong exfiltration boundary now that arbitrary HTTPS is allowed —
treat any model that ingests untrusted content as a potential exfil
risk regardless.

If you add a provider with a different hostname, the open `https:`
already covers it; the explicit hostnames are documentation only.

## Resetting

Use **Settings → Reset vault** to clear all IndexedDB data. The browser's
"Clear site data" works too.

## Reporting issues

Open a GitHub issue. Please don't include your API keys in the report.