[{"data":1,"prerenderedAt":503},["ShallowReactive",2],{"docs-navigation":3,"\u002Fsecurity":80,"\u002Fsecurity-surround":500},[4,14,50,56,62,68,74],{"title":5,"path":6,"stem":7,"children":8},"Getting Started","\u002Fgetting-started","1.getting-started\u002Findex",[9,10],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Usage","\u002Fgetting-started\u002Fusage","1.getting-started\u002Fusage",{"title":15,"path":16,"stem":17,"children":18},"Packs","\u002Fpacks","2.packs",[19,22,28,34,40,44],{"title":20,"path":16,"stem":21},"Pack System","2.packs\u002Findex",{"title":23,"path":24,"stem":25,"children":26},"Pack Commands","\u002Fpacks\u002Fcommands","2.packs\u002Fcommands\u002Findex",[27],{"title":23,"path":24,"stem":25},{"title":29,"path":30,"stem":31,"children":32},"Curation","\u002Fpacks\u002Fcuration","2.packs\u002Fcuration\u002Findex",[33],{"title":29,"path":30,"stem":31},{"title":35,"path":36,"stem":37,"children":38},"Personas","\u002Fpacks\u002Fpersonas","2.packs\u002Fpersonas\u002Findex",[39],{"title":35,"path":36,"stem":37},{"title":41,"path":42,"stem":43},"Pack Prompt","\u002Fpacks\u002Fprompt","2.packs\u002Fprompt",{"title":45,"path":46,"stem":47,"children":48},"Skills","\u002Fpacks\u002Fskills","2.packs\u002Fskills\u002Findex",[49],{"title":45,"path":46,"stem":47},{"title":51,"path":52,"stem":53,"children":54},"Knowledge Graph & 
Memory","\u002Fmemory","3.memory\u002Findex",[55],{"title":51,"path":52,"stem":53},{"title":57,"path":58,"stem":59,"children":60},"Configuration","\u002Fconfiguration","4.configuration\u002Findex",[61],{"title":57,"path":58,"stem":59},{"title":63,"path":64,"stem":65,"children":66},"Architecture","\u002Farchitecture","5.architecture\u002Findex",[67],{"title":63,"path":64,"stem":65},{"title":69,"path":70,"stem":71,"children":72},"Commands","\u002Fcommands","6.commands\u002Findex",[73],{"title":69,"path":70,"stem":71},{"title":75,"path":76,"stem":77,"children":78},"Security","\u002Fsecurity","7.security\u002Findex",[79],{"title":75,"path":76,"stem":77},{"id":81,"title":75,"body":82,"description":492,"extension":493,"links":494,"meta":495,"navigation":497,"path":76,"seo":498,"stem":77,"__hash__":499},"docs\u002F7.security\u002Findex.md",{"type":83,"value":84,"toc":474},"minimark",[85,90,94,97,101,130,134,141,146,213,216,220,223,253,257,260,270,273,276,280,287,328,332,343,347,353,356,360,461,465],[86,87,89],"h2",{"id":88},"local-first-is-an-attack-surface-decision","Local-First Is an Attack Surface Decision",[91,92,93],"p",{},"Working Mind runs entirely on your machine. No cloud backend. No data relay. No hosted model. Every byte of your data stays on your disk, and every network request goes directly from your machine to the LLM provider you chose.",[91,95,96],{},"This isn't a privacy feature tacked on after the fact. The entire architecture is built around the principle that the safest data is data that never leaves your machine.",[86,98,100],{"id":99},"what-working-mind-never-does","What Working Mind Never Does",[102,103,104,112,118,124],"ul",{},[105,106,107,111],"li",{},[108,109,110],"strong",{},"Never opens a listening port."," The application is a terminal client, not a server. 
There is no HTTP server, no WebSocket, no REST API exposed to the network.",[105,113,114,117],{},[108,115,116],{},"Never sends your data to a third party."," The only outbound network traffic Working Mind itself makes is to your configured LLM provider (OpenAI, Anthropic, Google, OpenRouter); MCP servers you configure make their own HTTPS requests to their external APIs (see the Data Flow Diagram). Working Mind does not phone home, collect telemetry, or report usage.",[105,119,120,123],{},[108,121,122],{},"Never stores credentials in the cloud."," API keys live as environment variables on your machine. No keychain, no credential manager, no remote vault.",[105,125,126,129],{},[108,127,128],{},"Never runs code you didn't approve."," Tool calls require explicit confirmation by default, with one current exception: MCP tools bypass the confirmation gate (see Confirmation Gates). The agent cannot execute arbitrary commands without your consent.",[86,131,133],{"id":132},"the-mcp-security-model","The MCP Security Model",[91,135,136,137,140],{},"Working Mind connects to MCP (Model Context Protocol) servers using ",[108,138,139],{},"stdio transport only",". This is a deliberate choice with specific security implications:",[142,143,145],"h3",{"id":144},"stdio-vs-ssehttp","Stdio vs. SSE\u002FHTTP",[147,148,149,165],"table",{},[150,151,152],"thead",{},[153,154,155,159,162],"tr",{},[156,157,158],"th",{},"Aspect",[156,160,161],{},"Stdio (Working Mind)",[156,163,164],{},"SSE\u002FHTTP (Other tools)",[166,167,168,180,191,202],"tbody",{},[153,169,170,174,177],{},[171,172,173],"td",{},"Network exposure",[171,175,176],{},"None -- local process only",[171,178,179],{},"Open port, accessible to other processes",[153,181,182,185,188],{},[171,183,184],{},"Attack surface",[171,186,187],{},"Process boundary only",[171,189,190],{},"HTTP server with request parsing",[153,192,193,196,199],{},[171,194,195],{},"Authentication",[171,197,198],{},"OS process isolation",[171,200,201],{},"Must implement auth layer",[153,203,204,207,210],{},[171,205,206],{},"Known CVEs",[171,208,209],{},"0",[171,211,212],{},"50+ across MCP implementations",[91,214,215],{},"The MCP protocol specification supports multiple transport layers. 
Working Mind exclusively uses stdio, which means each MCP server runs as a child process communicating through stdin\u002Fstdout pipes. No network socket is ever created for the MCP connection.",[142,217,219],{"id":218},"mcp-child-process-isolation","MCP Child Process Isolation",[91,221,222],{},"Each MCP server runs as an isolated child process:",[224,225,226,241,247],"ol",{},[105,227,228,231,232,236,237,240],{},[108,229,230],{},"Environment variables are filtered."," The child process receives only the environment variables declared in the pack's ",[233,234,235],"code",{},"pack.json",". Your full ",[233,238,239],{},"process.env"," is not inherited.",[105,242,243,246],{},[108,244,245],{},"The process gets no network path from Working Mind."," Any outbound connection comes from the server's own code (e.g., the brave-search server makes HTTPS requests to the Brave API). There is no general-purpose network proxy.",[105,248,249,252],{},[108,250,251],{},"The process terminates when Working Mind terminates."," No daemon mode, no background service, no zombie processes.",[142,254,256],{"id":255},"confirmation-gates","Confirmation Gates",[91,258,259],{},"By default, every non-MCP tool call from the agent requires your approval:",[261,262,267],"pre",{"className":263,"code":265,"language":266},[264],"language-text","[Tool Call] memory_create_entities\n  entities: [{ name: \"Project Alpha\", observations: [...] }]\n  \n  Approve? [Enter = yes, type reason = no]\n","text",[233,268,265],{"__ignoreMap":269},"",[91,271,272],{},"This prevents the agent from silently making changes to your knowledge graph, searching the web, or scraping URLs without your knowledge.",[91,274,275],{},"MCP tools currently bypass this gate (they are considered non-destructive). 
Future releases will add per-tool destructive flags so you can control which MCP tools require confirmation.",[86,277,279],{"id":278},"knowledge-graph-integrity","Knowledge Graph Integrity",[91,281,282,283,286],{},"Your knowledge graph is stored as a SQLite database on disk (",[233,284,285],{},"~\u002F.wmind\u002Fmemory.sqlite"," by default). This means:",[102,288,289,299,309,318],{},[105,290,291,294,295,298],{},[108,292,293],{},"You can read it with any SQLite tool."," No proprietary format, no database lock-in. ",[233,296,297],{},"sqlite3 ~\u002F.wmind\u002Fmemory.sqlite"," to inspect.",[105,300,301,308],{},[108,302,303,304,307],{},"You can back it up with ",[233,305,306],{},"cp","."," One file, one copy command.",[105,310,311,317],{},[108,312,313,314,307],{},"You can delete it with ",[233,315,316],{},"rm"," No orphaned data in a remote database you forgot about.",[105,319,320,323,324,327],{},[108,321,322],{},"Corruption recovery is automatic."," On every open, ",[233,325,326],{},"PRAGMA integrity_check"," runs. If the database is corrupt, it is renamed and a fresh one is created.",[142,329,331],{"id":330},"current-limitations","Current Limitations",[333,334,337],"callout",{"color":335,"icon":336},"warning","i-lucide-flask-conical",[91,338,339,342],{},[108,340,341],{},"Alpha Release."," The knowledge graph has no access control, no audit log, and no version history. A tool call can overwrite or delete entities without undo. Contradiction detection is pattern-based and covers common cases (preference, state, scalar, location), but does not use LLM reasoning. 
These safeguards will be improved in future releases.",[86,344,346],{"id":345},"data-flow-diagram","Data Flow Diagram",[261,348,351],{"className":349,"code":350,"language":266},[264],"Your Terminal\n    |\n    | stdin\u002Fstdout (pipes, no network)\n    |\nWorking Mind (agent loop)\n    |\n    |--- HTTPS ---> LLM Provider (OpenAI, Anthropic, Google, OpenRouter)\n    |\n    |--- stdin\u002Fstdout (pipes, no network)\n    |\n    MCP Server (e.g., brave-search, firecrawl)\n         |\n         |--- HTTPS ---> External API (Brave, Firecrawl, etc.)\n",[233,352,350],{"__ignoreMap":269},[91,354,355],{},"Notice: there are exactly two kinds of network traffic, and both are direct HTTPS connections initiated by code running on your machine. No proxy, no relay, no middleware.",[86,357,359],{"id":358},"threat-model","Threat Model",[147,361,362,375],{},[150,363,364],{},[153,365,366,369,372],{},[156,367,368],{},"Threat",[156,370,371],{},"Mitigation",[156,373,374],{},"Status",[166,376,377,388,398,409,419,429,440,451],{},[153,378,379,382,385],{},[171,380,381],{},"LLM provider data breach",[171,383,384],{},"Data never stored by Working Mind; prompt content is between you and your provider",[171,386,387],{},"Mitigated",[153,389,390,393,396],{},[171,391,392],{},"MCP server code injection",[171,394,395],{},"Stdio-only; filtered env vars; no network listener",[171,397,387],{},[153,399,400,403,406],{},[171,401,402],{},"Agent executes destructive tool call",[171,404,405],{},"Confirmation gates on all non-MCP tools",[171,407,408],{},"Partial (MCP tools bypass gate)",[153,410,411,414,417],{},[171,412,413],{},"Malicious pack system prompt",[171,415,416],{},"User explicitly loads packs; prompt visible in TUI",[171,418,387],{},[153,420,421,424,427],{},[171,422,423],{},"Credential theft from disk",[171,425,426],{},"Keys in env vars, not persisted files; filtered from child processes",[171,428,387],{},[153,430,431,434,437],{},[171,432,433],{},"Supply chain attack on MCP 
packages",[171,435,436],{},"User installs and configures MCP servers explicitly",[171,438,439],{},"Accepted risk",[153,441,442,445,448],{},[171,443,444],{},"Knowledge graph corruption",[171,446,447],{},"SQLite with integrity check on open; corrupt files auto-backed-up and recreated",[171,449,450],{},"Mitigated (no undo)",[153,452,453,456,459],{},[171,454,455],{},"Session history exposure",[171,457,458],{},"Raw JSON on disk; user controls file permissions",[171,460,439],{},[86,462,464],{"id":463},"reporting-security-issues","Reporting Security Issues",[91,466,467,468,473],{},"If you find a security vulnerability, please report it privately to ",[469,470,472],"a",{"href":471},"mailto:security@elgap.dev","security@elgap.dev"," before filing a public issue. We will respond within 48 hours and work with you on responsible disclosure.",{"title":269,"searchDepth":475,"depth":476,"links":477},1,2,[478,479,480,486,489,490,491],{"id":88,"depth":476,"text":89},{"id":99,"depth":476,"text":100},{"id":132,"depth":476,"text":133,"children":481},[482,484,485],{"id":144,"depth":483,"text":145},3,{"id":218,"depth":483,"text":219},{"id":255,"depth":483,"text":256},{"id":278,"depth":476,"text":279,"children":487},[488],{"id":330,"depth":483,"text":331},{"id":345,"depth":476,"text":346},{"id":358,"depth":476,"text":359},{"id":463,"depth":476,"text":464},"Local-first architecture, stdio-only MCP, and why Working Mind is safer than cloud agents.","md",null,{"icon":496},"i-lucide-shield",true,{"title":75,"description":492},"DoyJOKin5G-pCFRfRSnSVWHnui4gzMV7bZ5LUIsI6A4",[501,494],{"title":69,"path":70,"stem":71,"description":502,"children":-1},"Builtin slash commands and how they work.",1778256993663]