FileMayor Security Policy.
This document describes how FileMayor protects user data and filesystems, the technical controls in place, our responsible disclosure process, and how to contact the security team.
- Effective
- May 2025
- Maintained by
- Chevza (Lehlohonolo Goodwill Nchefu)
- Contact
- hloninchefu@gmail.com
What this policy covers.
This policy applies to all FileMayor software: the desktop application (macOS, Windows, Linux), the CLI package published to npm, the MCP server exposed via filemayor mcp, and the filemayor.com web properties.
It does not cover third-party AI providers (OpenAI, Google Gemini, Anthropic) or payment processors. Those services are governed by their own security policies. Links to their trust pages are available on request.
What leaves your machine. What does not.
File contents
Never transmitted.File contents — text, images, binaries — are read locally for metadata extraction and are never sent to any remote service, including the AI provider.
File metadata
Sent to AI provider when you request AI assistance.Names, sizes, paths, extensions, and modification dates may be included in prompts to the configured AI provider. This data is subject to the AI provider's data retention policy.
License keys
Stored in OS keychain only.License keys are verified against our licensing API at activation. After activation, they are stored in the OS-native keychain and the local JWT is used for all subsequent feature checks.
Email address
Stored with Resend for product communications.If you sign up at filemayor.com, your email is stored with our email provider (Resend) and is used only for product updates and transactional messages. You may unsubscribe at any time.
Usage analytics
Aggregated, anonymous, opt-out.The web properties use Vercel Analytics for aggregated page-view data. No personal identifiers are collected. The desktop application does not transmit telemetry.
Six layers between intent and execution.
The Chevza Doctrine is the architectural principle that no single component both validates and executes filesystem operations. Every plan produced by the AI passes through six independent control layers before any file is touched. Each layer has a single defined responsibility and a distinct failure mode.
- L01
Jail
Scope containment.
- All paths are canonically resolved before any operation executes. Symlinks are followed to their real targets and re-validated against the declared workspace boundary.
- Any proposed operation outside the workspace — including indirect traversal through symlinks pointing to system directories — is refused before it reaches the execution engine.
- Protected paths include, but are not limited to: ~/Library/Keychains, /System, %WINDIR%, /etc, ~/.ssh, .gitconfig, .npmrc, and any $TMPDIR entry not explicitly declared in-scope by the user.
- L02
Vault
Credential isolation.
- License keys, AI-provider credentials, and webhook signing secrets are stored exclusively in the OS-native keychain (Apple Keychain on macOS, Windows Credential Manager, libsecret on Linux).
- No credential, key, or signing secret is written to disk in plaintext at any time. An encrypted on-disk fallback is used only when the OS keychain is unavailable; the application logs a visible warning when this fallback is active.
- Vault does not participate in the plan-execution pipeline. It only answers credential queries and is not accessible to the AI planning component.
- L03
Guardrail
Batch inspection.
- Every AI-generated plan is pattern-matched against a deny-list of destructive operation shapes before it reaches the plan validator.
- Mass-delete thresholds, recursive renames involving protected paths, ambiguous overwrites, and batches exceeding configured size limits are all blocked at this layer.
- When Guardrail blocks a plan, it emits a structured diagnostic identifying the rule that fired. The user can inspect this diagnostic and reformulate their request.
- L04
Halt
Crash-safe execution.
- The operation journal is treated as durable state. Each move writes its intent to the journal before executing and marks completion after. There is no window in which a partial operation is unrecoverable.
- On any unclean termination — OS signal, power loss, forced kill — the engine detects the incomplete journal entry on next start and rolls back automatically.
- Halt is implemented inside the execution pipeline, not as a UI affordance. All termination paths — user-initiated stops, SIGTERM, SIGKILL, and crashes — converge on the same recovery logic.
- L05
Architect
Semantic plan validation.
- The proposed plan is treated as a dependency graph. Operations that would scatter semantically cohesive files — photographs from the same session, documents from a single project — are rejected.
- Circular dependencies between operations are detected and the plan is refused.
- Plans that fail Architect validation never reach the execution engine. The validation result is reported to the user so the plan can be revised.
- L06
Security
Input hardening.
- Path traversal defenses are applied to all user-supplied strings: ../ sequences, URL-encoded variants, and null-byte injection attempts are rejected.
- AI API calls and filesystem write operations are rate-limited per session. Limits are configurable and enforced server-side when an API key is in use.
- All user-supplied input — workspace paths, natural-language prompts, configuration values — is validated before any downstream component processes it.
Runtime dependencies: 0 known vulnerabilities.
FileMayor ships four runtime dependencies to user machines: electron-updater, tar, yauzl, and framer-motion. At their pinned versions, none have published advisories in the GitHub Advisory Database or npm audit.
Build-time tooling (Electron, Vite, esbuild, TypeScript) runs only on the build machine and is not shipped to users. Advisories against build tools are monitored and patched as part of routine maintenance; they are not counted in the runtime metric.
This metric is verified on every release. You may reproduce it independently:
npm audit --productionIf a runtime advisory is published against a pinned dependency, this page and the homepage metric are updated on the same business day as the patched release.
How to report a vulnerability.
If you discover a security vulnerability in any FileMayor product, please report it privately before public disclosure. We are committed to responding promptly and crediting researchers who follow this process.
Email the security team
Send details to hloninchefu@gmail.com with the subject line [security]. Include a description, reproduction steps, and your assessment of severity.
Acknowledgement within 48 hours
We will confirm receipt and open a private tracking issue within two business days. If you do not receive a response, follow up to the same address.
Remediation timeline
Critical and high-severity vulnerabilities are targeted for a patch within 14 days. Medium and low severity within 60 days. We will keep you informed of progress.
Coordinated disclosure
We ask for a 90-day embargo for high-severity reports to allow a patched release to reach users before public disclosure. We will work with you on timing if that window needs adjustment.
Credit
Researchers who follow this process are credited in the release changelog by name or handle, at their preference.
Current status.
FileMayor has not undergone third-party security audit at the time of writing. A formal audit is on the product roadmap and this page will be updated when complete. The 128-test suite covers all six Doctrine layers extensively — including boundary conditions, recovery paths, and adversarial inputs.
The Chevza Doctrine is an architectural control, not a compliance certification.FileMayor does not currently hold SOC 2, ISO 27001, or similar certifications. If your organisation requires a certification before deployment, contact us to discuss timelines.
Questions about this policy?
For security issues, email hloninchefu@gmail.com with [security] in the subject. For general policy questions, use the same address without the subject prefix.