If you discover a security vulnerability in meshgraph, please report it responsibly.

Email: [email protected]

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact

We'll respond within 48 hours and work with you to fix the issue before any public disclosure.

meshgraph is designed to be self-hosted. Security considerations:

• API keys are stored in the local SQLite database. In production, use environment variables.
• Authentication uses JWT with bcrypt password hashing.
• CORS defaults to * — lock it down for production deployments.
• File uploads are not currently supported (text-only ingestion).
• LLM calls send your document content to your configured provider (Claude/GPT). Use Ollama for fully offline operation.