Security and shared-deployment features. All opt-in; with none of the new
environment variables or flags set, behavior is unchanged — local, keyless,
zero-config stays the default.
Authentication
- API key comparison now uses a constant-time comparison (
hmac.compare_digest)
instead of!=, removing a response-timing side channel.VECTR_API_KEY
protects both the REST/v1routes and the/mcpendpoint;/v1/health
stays open for liveness probes; the key is never echoed in responses or logs. - New
vectr keycommand prints a fresh high-entropy key (stdout) with usage
guidance (stderr); vectr never persists it. Generated keys never start with
-(a leading dash made--api-key <key>parse as a flag and fail); the
usage guidance shows the always-safe--api-key=<key>form. - When
VECTR_API_KEYis set at start time, the editor MCP configs vectr
writes (.mcp.json,.cursor/mcp.json,.vscode/mcp.json) include the
X-Api-Keyheader so the editor keeps reaching its own authenticated daemon.
These files then hold the key in plaintext; the CLI and docs warn to treat
them as secrets and keep them out of shared version control.
Team mode (shared central instance)
vectr start --host <addr>selects the daemon bind address (default
127.0.0.1). A non-loopback bind refuses to start unlessVECTR_API_KEYis
set — a network-reachable index is never served unauthenticated.- New
vectr connect --url <url> [--api-key <key>] [--label <name>]configures
the local editor to use a remote vectr instance: writes the MCP configs with
the auth header (and optionalX-Vectr-Clientattribution label) and the
guidance block, spawning no local daemon. Working memory on the central
instance is shared: a note one connected agent stores, every other can
recall. Search results reference the server's indexed checkout. - The client label attributes notes (author) and audit-log lines.
- Notes DB connections set an SQLite busy timeout so concurrent writes from
multiple clients wait for the lock instead of failing.
Encryption at rest
VECTR_ENCRYPT_KEYnow also encrypts note titles (previously plaintext, and
derived from the first content line — leaking note content) and snapshot
payloads (previously plaintext JSON embedding full decrypted note text).
Reads are tolerant: pre-existing plaintext rows keep working.- The passphrase can be stored in the OS keychain (service
vectr, username
encrypt-key) instead of the environment; the env var wins when both exist. - New
VECTR_ENCRYPT_DISABLE_NOTE_VECTORS=1omits note embedding vectors (a
lossy plaintext projection of note text) for the strictest posture; recall
falls back to exact-text matching. - Honest boundary, unchanged: the code index (chunk text + vectors) is NOT
encrypted — documented in docs/data-handling.md and the README.
Data handling and retention
- The audit log is now strictly opt-in:
VECTR_AUDIT_LOGunset means nothing
is recorded (previously it silently defaulted to~/.vectr/audit.log,
recording every recall query undisclosed). When enabled it also records
INDEX and SEARCH events, and rotating-handler initialization is now
race-free under concurrent writes. - Purge is now complete:
vectr_forget(all=true)/POST /v1/forget/
/v1/memory/clearalso delete the workspace's snapshots (whose payloads
embed note contents), andvectr forget --alladditionally clears snapshots
and note embedding vectors across all workspaces. Previously all of these
deleted only the notes table. VECTR_NOTES_TTL_DAYS(existing startup TTL purge) is now documented and
covered by tests; unset = notes are kept until deleted.- New data-handling policy: docs/data-handling.md — what vectr stores, where,
plaintext vs encrypted, retention, deletion, team-mode caveats.
Filesystem
~/.cache/vectr/and~/.vectr/(and per-workspace subdirectories) are
created owner-only (0700) on POSIX systems; existing directories are
tightened at startup.