Security architecture for a local-first desktop application with an embedded database.
| Document | Description |
|---|---|
| Threat Model | Attack vectors and risk assessment for a local-first app |
| Injection Prevention | SQL injection analysis and prevention |
| Content Rendering | XSS prevention when rendering imported content |
| Plugin Sandboxing | Future plugin security architecture |
- Parameterized queries always. User data never enters SQL strings directly.
- Read-only query path. The `query` command runs SELECT statements only.
- Sanitize rendered content. DOMPurify on all imported/user-generated HTML.
- Minimal Rust surface. Less code = less attack surface.