Turbopuffer GUI is an Electron desktop application that implements several security measures:

• API keys are encrypted using Electron's safeStorage API
• Credentials are stored in the OS-native secure storage:
  • macOS: Keychain
  • Windows: DPAPI (Data Protection API)
  • Linux: Secret Service API (libsecret)
• Connection metadata (names, regions) is stored unencrypted locally

• Context Isolation: Enabled - renderer has no direct access to Node.js
• Node Integration: Disabled in renderer process
• Sandbox: Enabled for renderer process
• Security Fuses: Enabled to prevent common vulnerabilities
  • runAsNode disabled
  • ASAR integrity validation enabled
  • Node.js CLI flags disabled in packaged app

• All connections to Turbopuffer use HTTPS
• No data is sent to third-party services
• API keys are only transmitted to configured Turbopuffer endpoints
• Domain-restricted requests: All outgoing network requests are filtered and blocked unless they match allowed patterns

This application disables Chromium's web security (webSecurity: false) to allow the Turbopuffer SDK to make cross-origin requests from the renderer process. This is a common pattern in Electron apps that need to communicate with external APIs.

Mitigations in place:

1. Domain allowlist: All outgoing requests are intercepted and checked against an allowlist:

   • *.turbopuffer.com - Turbopuffer API endpoints
   • localhost / 127.0.0.1 - Development server only
   • file:// - Local application files
   • Requests to any other domain are blocked

2. Context isolation: The renderer process cannot access Node.js APIs directly

3. No node integration: require() and Node.js modules are not available in the renderer

Planned improvement: Move all Turbopuffer API calls to the main process via IPC, which would eliminate the need for disabled web security entirely.

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

Please DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities by emailing the maintainer directly or using GitHub's private vulnerability reporting feature:

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill out the form with details

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)
• Your contact information for follow-up questions

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 7 days
• Resolution Timeline: Depends on severity
  • Critical: 24-48 hours
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days

• We will work with you to understand and resolve the issue
• We will credit you in the release notes (unless you prefer anonymity)
• We ask that you give us reasonable time to address the issue before public disclosure

The application stores data locally in the user's app data directory:

• macOS: ~/Library/Application Support/turbopuffer-gui/
• Windows: %APPDATA%/turbopuffer-gui/
• Linux: ~/.config/turbopuffer-gui/

Files stored:

• connections.json - Connection metadata (unencrypted)
• settings.json - Application settings (unencrypted)
• query-history/ - Query history per namespace (unencrypted)

Note: API keys are NOT stored in these files; they are stored in the OS secure storage.

This project uses third-party npm packages. We recommend:

• Running npm audit periodically
• Keeping dependencies updated
• Reviewing the dependency tree for untrusted packages

1. Keep the application updated to receive security patches
2. Use strong, unique API keys for your Turbopuffer accounts
3. Don't share your configuration files as they may contain sensitive metadata
4. Lock your computer when stepping away to protect stored credentials
5. Review connection settings before connecting to ensure correct endpoints

For security concerns, contact the maintainer through GitHub's private vulnerability reporting or open a discussion for general security questions.