Security
Security and Reporting
Report vulnerabilities privately, keep diagnostic reports redacted, and understand Origin's local security boundary.
At a glance
01
Use GitHub Issues for normal bugs and feature requests; use the private security channel for vulnerabilities.
02
Do not paste private memory contents, API keys, client names, or ~/.origin archives into public reports.
01
Where to report
Normal setup bugs, docs issues, and feature requests belong in GitHub Issues with redacted diagnostic output.
If you discover a vulnerability, do not open a public issue. The source repository's SECURITY.md asks you to email h164654156465@gmail.com with a description, reproduction steps, and the potential impact; GitHub Security Advisories are also available for private reports.
- Public bugs: include the client, OS, exact command, expected behavior, actual behavior, and the redacted output of /init, doctor, or origin status.
- Security reports: include impact, reproduction steps, affected version or commit, and only the minimum redacted data needed to reproduce.
- Never attach ~/.origin, the daemon database, private captures, API keys, or unredacted project logs to a public issue.
02
Local-first boundary
Origin keeps the memory layer local by default: daemon, database, Markdown artifacts, sessions, and git history live on your machine.
That does not make every connected workflow offline. Your AI client may still send prompts to its own provider, and Origin can optionally use a configured model or API path for daemon-side language work; data can leave the machine along either route, so check both before assuming a session stayed local.
03
Secrets and memory contents
Treat memory as sensitive application data. It can contain project decisions, personal preferences, private codebase details, client names, and old versions preserved by local git history.
If a bug involves a sensitive memory, create a minimal reproduction with fake content instead of sharing the real record.
04
Network exposure
The daemon binds to 127.0.0.1:7878 by default, so the HTTP API is reachable only from processes on the same machine. That is the intended setup for normal use.
Changing ORIGIN_BIND_ADDR to a non-loopback address (for example 0.0.0.0, which listens on every interface) is an explicit security decision: every host that can reach that interface can reach the daemon. Do it only for deliberate Docker, VM, or development scenarios where you know who can reach it.
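A preflight check that classifies the configured bind address and refuses a non-loopback bind unless it has been explicitly acknowledged, as an added example for this page (not Origin's own startup code). It assumes ORIGIN_BIND_ADDR holds host:port in the same shape as the documented default 127.0.0.1:7878 (bracketed IPv6 such as [::1]:7878 is also accepted here); the ORIGIN_ALLOW_REMOTE acknowledgement variable is an assumption made up for the example and is not an Origin setting.

```python
"""Preflight check for ORIGIN_BIND_ADDR before starting the daemon.

Added example for this page, not Origin's own code. ORIGIN_ALLOW_REMOTE is a
hypothetical acknowledgement flag for this example only.
"""
import ipaddress
import os

DEFAULT_BIND = "127.0.0.1:7878"   # documented default
LOCAL_NAMES = {"localhost"}        # names we accept as loopback without resolving


def split_host_port(addr):
    """Split '127.0.0.1:7878' or '[::1]:7878' into (host, port); ValueError on junk."""
    addr = addr.strip()
    if addr.startswith("["):
        host, sep, rest = addr[1:].partition("]")
        if not sep or not rest.startswith(":"):
            raise ValueError(f"bad bind address {addr!r}")
        return host, int(rest[1:])
    host, sep, port = addr.rpartition(":")
    if not sep or not host:
        raise ValueError(f"bad bind address {addr!r}")
    return host, int(port)


def classify(host):
    """'loopback', 'any' (0.0.0.0 / ::), 'remote', or 'unresolved' for a hostname."""
    if host in LOCAL_NAMES:
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a DNS name could resolve anywhere; do not trust it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "any"
    return "remote"


def preflight(env):
    """Return (ok, message) for the bind address found in `env` (a mapping like os.environ)."""
    addr = env.get("ORIGIN_BIND_ADDR", DEFAULT_BIND)
    host, port = split_host_port(addr)
    kind = classify(host)
    if kind == "loopback":
        return True, f"daemon will listen on {host}:{port} (loopback only)"
    # Anything else exposes the HTTP API beyond this machine: require an
    # explicit acknowledgement (hypothetical ORIGIN_ALLOW_REMOTE=1).
    if env.get("ORIGIN_ALLOW_REMOTE") != "1":
        return False, (f"refusing to bind {addr}: non-loopback ({kind}) address; "
                       "set ORIGIN_ALLOW_REMOTE=1 only for a deliberate Docker/VM/dev setup")
    return True, (f"WARNING: binding {addr} ({kind}); "
                  "anyone who can reach that interface can reach the daemon")


if __name__ == "__main__":
    ok, message = preflight(os.environ)
    print(("OK " if ok else "STOP ") + message)
```

Note that a hostname is reported as unresolved rather than resolved here on purpose: resolving it at check time says nothing about what it resolves to inside a container or after a DNS change, so a name other than localhost gets the same explicit acknowledgement as a remote IP.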
05
Security policy
The public website publishes /.well-known/security.txt for automated discovery. The canonical security policy lives in the source repository's SECURITY.md: acknowledgement within 48 hours, a response with a fix timeline within 7 days, and 0.7.x as the currently supported release line.
If in doubt, choose the private advisory or email path first. A maintainer can move non-sensitive follow-up work into a public issue later.