vyctor 0.1.0

A fast CLI tool for semantic file search using vector embeddings
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in Vyctor, please report it responsibly:

1. **Do not** open a public GitHub issue for security vulnerabilities
2. Email the maintainer directly at [hej@antonmagnusson.se](mailto:hej@antonmagnusson.se) with:
   - A description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Any suggested fixes (optional)
## Security Considerations

### API Keys

Vyctor supports external embedding providers (OpenAI, Voyage AI) that require API keys:

- **Never commit API keys** to version control
- Store API keys in environment variables or `.env` files
- The `.env` file is excluded from indexing by default
- API keys are only read from environment variables, never stored in the vyctor database

### Configuration

- `vyctor.config.toml` is designed to be committed to version control
- It contains no secrets—only references to environment variable names
- The `.vyctor/` directory (containing the database) can be gitignored

### Local Data Storage

- Vyctor stores file content chunks in a local DuckDB database (`.vyctor/index.duckdb`)
- The database is stored locally and is not transmitted anywhere
- When using external embedding providers, file content is sent to their APIs

### File Access

- Vyctor only reads files matching your configured include patterns
- Sensitive files can be excluded using the `exclude` patterns in configuration
- By default, common sensitive patterns are excluded:
  - `.env` and `.env.*` files
  - `secrets/` directories
  - Various lock files

### Daemon Process

- The watch daemon runs as a local process
- It only monitors files in the configured project directory
- PID and log files are stored in `.vyctor/`

## Best Practices

1. **Review your include/exclude patterns** before running `vyctor init`
2. **Use local embeddings** for sensitive codebases (no data leaves your machine)
3. **Keep the `.vyctor/` directory in `.gitignore`** (added automatically by `vyctor init`)
4. **Regularly update** to get security fixes
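To make the default exclusions in "File Access" and the "review your include/exclude patterns" advice concrete, here is an added, stand-alone Rust sketch (not vyctor's own code or pattern syntax) of a dry-run that shows which files would be indexed, and therefore sent to an external embedding API, before any indexing happens. The rule set is assumed from the list above: `.env`/`.env.*` anywhere, anything under a `secrets/` directory, and "various lock files" read as `*.lock`; the three user-pattern shapes are likewise assumptions.

```rust
use std::path::Path;

/// Built-in exclusions as described in the security policy. The matching code
/// is an illustration, not vyctor's implementation; treating "various lock
/// files" as `*.lock` is an assumption.
pub fn is_excluded_by_default(rel_path: &str) -> bool {
    let path = Path::new(rel_path);
    let name = path.file_name().and_then(|n| n.to_str()).unwrap_or("");
    // `.env` and `.env.*` (e.g. `.env.local`) anywhere in the tree.
    let env_file = name == ".env" || name.starts_with(".env.");
    // Any file below a directory component named `secrets` (a file merely
    // called `secrets.rs` is not caught by this rule).
    let in_secrets_dir = path
        .parent()
        .map_or(false, |dir| dir.components().any(|c| c.as_os_str() == "secrets"));
    let lock_file = name.ends_with(".lock");
    env_file || in_secrets_dir || lock_file
}

/// A user `exclude` pattern in one of three simple shapes (assumed syntax):
/// `dir/` excludes everything under that directory, `*.ext` excludes by
/// extension, anything else is an exact relative path.
pub fn matches_user_exclude(rel_path: &str, pattern: &str) -> bool {
    if let Some(dir) = pattern.strip_suffix('/') {
        rel_path.starts_with(&format!("{dir}/"))
    } else if let Some(ext) = pattern.strip_prefix("*.") {
        Path::new(rel_path).extension().map_or(false, |e| e == ext)
    } else {
        rel_path == pattern
    }
}

/// Split candidate paths into those that would be indexed (and, with an
/// external provider, leave the machine) and those held back. Exclusions win:
/// a file must survive both the default and the user rule set to be indexed.
pub fn plan_index<'a>(candidates: &[&'a str], user_excludes: &[&str]) -> (Vec<&'a str>, Vec<&'a str>) {
    let (mut indexed, mut excluded) = (Vec::new(), Vec::new());
    for &p in candidates {
        let blocked = is_excluded_by_default(p)
            || user_excludes.iter().any(|pat| matches_user_exclude(p, pat));
        if blocked { excluded.push(p) } else { indexed.push(p) }
    }
    (indexed, excluded)
}

fn main() {
    // Constructed sample tree; review the "indexed" list before enabling an external provider.
    let files = ["src/main.rs", ".env", "config/.env.local", "secrets/db.pem",
                 "src/secrets.rs", "Cargo.lock", "docs/notes.md"];
    let (indexed, excluded) = plan_index(&files, &["docs/"]);
    println!("indexed:  {indexed:?}");
    println!("excluded: {excluded:?}");
}
```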

## Third-Party Dependencies

Vyctor uses several third-party Rust crates. We monitor these for security advisories and update promptly when issues are discovered. You can audit dependencies using:

```bash
cargo audit
```