Summary
Per-adapter security audit of every module under python/logosdb/ that wraps LogosDB or forwards user/network content. MCP and CLI centralize validation in mcp/src/security.ts; Python integrations often call _core directly and may bypass those guards.
Part of #108. Follow-up from #74.
Modules in scope
| Module |
Integration |
Audit focus |
langchain.py |
LangChain VectorStore |
User text/metadata passthrough; collection name → namespace |
llamaindex.py |
LlamaIndex |
Same |
haystack.py |
Haystack |
Same |
openai.py |
OpenAI embeddings + store |
API keys in env; request timeouts; text to embed |
anthropic.py |
Claude embeddings |
Same |
cohere.py |
Cohere |
Same |
mistral.py |
Mistral |
Same |
huggingface.py |
HF embeddings |
Model id trust; local vs remote |
mem0.py |
Mem0 memory layer |
External memory IDs; text injection |
cognee.py |
Cognee RAG |
Graph + vector paths |
crewai.py |
CrewAI knowledge |
Document paths |
camel.py |
CAMEL-AI |
Memory keys |
superlinked.py |
Superlinked |
Compute + storage boundary |
vibe.py / _vibe_cli.py |
Mistral Vibe CLI |
Shell boundaries, config paths |
sizing.py |
Sizing calculator |
Read-only; confirm no path writes |
__init__.py / __main__.py |
Package entry |
Re-exports only |
(Adjust table if modules are added/removed before audit.)
Checklist (apply to each module)
Deliverables
Acceptance criteria
Out of scope
- Node.js
nodejs/ package (track under #108 core audit section).
- Third-party framework CVEs (LangChain, etc.) — dependency pinning only.
Related
- #108
- #74
- Unicode policy issue (create separately) — shared text normalization for adapters
Summary
Per-adapter security audit of every module under
python/logosdb/that wraps LogosDB or forwards user/network content. MCP and CLI centralize validation inmcp/src/security.ts; Python integrations often call_coredirectly and may bypass those guards.Part of #108. Follow-up from #74.
Modules in scope
langchain.pyllamaindex.pyhaystack.pyopenai.pyanthropic.pycohere.pymistral.pyhuggingface.pymem0.pycognee.pycrewai.pycamel.pysuperlinked.pyvibe.py/_vibe_cli.pysizing.py__init__.py/__main__.py(Adjust table if modules are added/removed before audit.)
Checklist (apply to each module)
os.system,subprocesswithout list args).[a-zA-Z0-9_\-\.]+) or documented exception.logosdb.validate_text()if added by Unicode policy issue).Deliverables
docs/security-integrations.md(short).Acceptance criteria
Out of scope
nodejs/package (track under #108 core audit section).Related