
Security Policy

Effective Date: January 1, 2026
Last Updated: January 2026

Overview

The Mantra team takes security seriously. This document describes our security measures, best practices, and how to report security issues.

1. Security Architecture

1.1 Local-First Design

Mantra adopts a local-first architecture, which means:

  • No Data Exfiltration: All AI session data is stored on your local device
  • No Cloud Dependency: Core features work completely offline
  • Zero Telemetry: No usage behavior data is collected

1.2 Technology Stack Security

Component | Technology | Security Features
Backend | Rust | Memory safety, no data races
Frontend | Electron + React | Sandbox isolation, CSP protection
Database | SQLite | Local encrypted storage
Sensitive Detection | Rust + regex | Local processing, high performance

2. Data Security

2.1 Storage Encryption

  • The local database uses an SQLite encryption extension
  • Sensitive configurations are stored in the system keychain
  • Exported files support optional encryption

2.2 Sensitive Information Handling

Mantra's sensitive information detection can identify and redact:

  • API keys (OpenAI, Anthropic, AWS, etc.)
  • Database credentials
  • Access tokens (GitHub, GitLab, etc.)
  • Private keys and certificates
  • Sensitive values in environment variables

2.3 Data Isolation

  • Data for each project is isolated
  • Session data is indexed by time, supporting selective deletion
  • Complete data wipe supported

3. Application Security

3.1 Code Signing

  • macOS: Signed with Apple Developer ID
  • Windows: Signed with EV code signing certificate
  • Ensure you only download Mantra from official channels

3.2 Automatic Updates

  • Update packages are digitally signed and verified
  • HTTPS secure transmission
  • Automatic updates can be disabled in settings

3.3 Minimal Permissions

Mantra only requests necessary system permissions:

  • File system access (to read log files)
  • Network access (only for update checks, can be disabled)

4. Network Security

4.1 Outbound Connections

Mantra only initiates network connections in the following cases:

Purpose | Target | Can Disable
Update check | updates.mantra.app |
Crash report | crash.mantra.app |

4.2 No Inbound Connections

Mantra does not listen on any network ports and does not accept external connections.

5. Security Best Practices

5.1 User Recommendations

  • Regularly update to the latest version
  • Use sensitive information detection before sharing sessions
  • Regularly back up important data
  • Only download software from official channels

5.2 Enterprise Users

If you use Mantra in an enterprise environment:

  • Mantra can be deployed via MDM configurations
  • Network features can be disabled for compliance
  • Data is completely local, no DLP policy concerns

6. Vulnerability Disclosure

6.1 Reporting Security Issues

If you discover a security vulnerability, please report it through:

  • Email: security@gonewx.com
  • Encrypted Communication: We support PGP encryption; public key available on our website

6.2 Disclosure Process

  1. Acknowledge receipt within 24 hours
  2. Assess severity and develop a fix plan
  3. Coordinate disclosure timing before fix release
  4. Credit the reporter in the security advisory (if you wish)

6.3 Security Rewards

We appreciate security researchers' contributions. While we don't have a formal Bug Bounty program, we will:

  • Credit you in security announcements
  • Provide a Mantra Pro license (after product launch)

7. Security Updates

7.1 Update Policy

  • Critical vulnerabilities: Patch within 24-48 hours
  • High severity: Patch within 7 days
  • Medium/Low severity: Fixed in next regular release

7.2 Security Announcements

Security updates are published through:

8. Compliance

8.1 Privacy Regulations

Mantra's local-first design naturally complies with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Personal Information Protection Law

8.2 Audit Support

Enterprise users can request security audit documentation and third-party penetration test reports.

9. Contact Us

For security-related questions:

