If you discover a security vulnerability in Neotoma, please report it privately. Do not open a public issue.

• Preferred: Open a GitHub Security Advisory (draft) or contact the maintainers via the repository.
• Response time: We aim to respond within 48 hours.
• Include: Description of the vulnerability, steps to reproduce, potential impact, and suggested fix (if any).

Neotoma implements defense-in-depth:

• Row-level security (RLS) on all tables
• OAuth 2.0 with PKCE for MCP authentication (recommended)
• Audit trail for data operations
• User-controlled data with export and deletion
• End-to-end encryption planned (v2.0.0)

See Auth and Privacy for details.

When deploying or developing Neotoma:

1. Use OAuth for MCP (not session tokens).
2. Verify RLS and configuration: npm run doctor.
3. Keep storage paths and data directories private.
4. Rotate service keys regularly.
5. Never commit .env or credentials.
6. Use HTTPS for all API endpoints.

See Getting started for secure setup.