Skip to content

security

factory-droid[bot] edited this page Jul 5, 2026 · 1 revision

Security

QA Scribe's main trust boundaries are local storage, managed attachment files, rich HTML/editor content, and local AI provider process execution. The app does not store provider API keys.

Key source files

File Security role
crates/qa-scribe-core/src/attachments/mod.rs Sanitizes paths, stores under app-data, hashes files, verifies previews.
frontend/src/editor/editorHtml.ts Constrains rich editor HTML, links, and image sources.
crates/qa-scribe-core/src/generation/response.rs Repairs generated output and preserves managed image references.
src-tauri/src/commands/ai/streaming_exec.rs Runs provider CLIs with stdin/stdout handling, cancellation, and timeout behavior.
src-tauri/src/provider_command.rs Resolves provider executables.
src-tauri/src/commands/error.rs Normalizes errors sent to the UI.

Local data and privacy

README.md states that SQLite and managed attachments are local. AI generation sends selected Generation Context text and attachment metadata to the chosen local provider CLI, not raw attachment binaries. Provider API keys are managed by the provider CLI outside QA Scribe.

Rich content safety

The frontend uses frontend/src/editor/editorHtml.ts and generated constants from src-tauri/src/specta_bindings.rs to keep editor HTML constrained. Managed images use the QA Scribe attachment protocol rather than arbitrary local file paths.

Process execution safety

Provider execution lives under src-tauri/src/commands/ai. The implementation tracks child processes in src-tauri/src/jobs.rs, kills children on app exit in src-tauri/src/main.rs, and has cancellation/watchdog tests under src-tauri/src/commands/ai/streaming_exec/tests.rs.

For implementation details, see Managed attachments, Rich record editing, and Generation jobs.

Clone this wiki locally