Trust boundary
Security starts with an honest scope.
Motus is a local developer tool, not a security boundary. Protect its Store and source records as sensitive data, and keep your existing identity, access, host, network, and secrets controls in place.
Local by default
The Motus 0.6.0 work ledger uses a project-local SQLite Store by default. The CLI does not require a hosted Motus account, and this website is static. It uses no analytics, cookies, forms, third-party fonts, or client-side scripts.
Local does not mean automatically secure. File permissions, device access, backups, and retention remain the operator's responsibility.
Treat work records as sensitive
Runs, events, evidence references, command metadata, and runtime session files can reveal details about your systems and work. Keep the Store and any source traces within the access boundary appropriate for that work.
- Avoid passing secrets in command arguments, prompts, logs, or evidence.
- Review optional hooks and adapters before enabling them.
- Restrict access to local Store and session files.
- Apply your normal backup, retention, and deletion controls.
Known limits
Motus uses defense-in-depth redaction for common secret patterns, but pattern matching cannot recognize every proprietary credential format. Do not rely on redaction as the only safeguard.
The current product does not encrypt the Store, authenticate users, isolate untrusted tenants, authorize workflows, or sign Work Receipts for cross-organization verification.
Report a vulnerability privately
Do not open a public issue for a security vulnerability. Use GitHub Security Advisories and include reproduction steps, affected versions, and the expected impact.
The repository's security policy is the current source for supported versions and response details.