Skip to content
Motus
How it works Insights Boundaries GitHub

Trust boundary

Security starts with an honest scope.

Motus is a local developer tool, not a security boundary. Protect its Store and source records as sensitive data, and keep your existing identity, access, host, network, and secrets controls in place.

Defaults Sensitive data Known limits Report a vulnerability

Local by default

The Motus 0.6.0 work ledger uses a project-local SQLite Store by default. The CLI does not require a hosted Motus account, and this website is static. It uses no analytics, cookies, forms, third-party fonts, or client-side scripts.

Local does not mean automatically secure. File permissions, device access, backups, and retention remain the operator's responsibility.

Treat work records as sensitive

Runs, events, evidence references, command metadata, and runtime session files can reveal details about your systems and work. Keep the Store and any source traces within the access boundary appropriate for that work.

  • Avoid passing secrets in command arguments, prompts, logs, or evidence.
  • Review optional hooks and adapters before enabling them.
  • Restrict access to local Store and session files.
  • Apply your normal backup, retention, and deletion controls.

Known limits

Motus uses defense-in-depth redaction for common secret patterns, but pattern matching cannot recognize every proprietary credential format. Do not rely on redaction as the only safeguard.

The current product does not encrypt the Store, authenticate users, isolate untrusted tenants, authorize workflows, or sign Work Receipts for cross-organization verification.

Reassess this threat model before remote hosting, multi-user write access, or data transfer outside the operator's existing trust boundary.

Report a vulnerability privately

Do not open a public issue for a security vulnerability. Use GitHub Security Advisories and include reproduction steps, affected versions, and the expected impact.

The repository's security policy is the current source for supported versions and response details.

Motus

A local work ledger for consequential work.

A Veritas Collaborative, LLC project. Apache 2.0.
ProjectGitHubPyPI 0.6.0Release notes
TrustSecurityPrivacyTerms