Cortex
Verified Safe
by EcuaByte-lat
Overview
Provides persistent memory and project context to AI coding assistants via the Model Context Protocol (MCP).
Installation
bun run packages/mcp-server/dist/mcp-server.js
Security Notes
The project demonstrates strong security practices for its local-first design: all database operations use parameterized queries to prevent SQL injection, database paths are constructed safely to prevent path traversal, and webview content in the VS Code extension is HTML-escaped to mitigate XSS. The MCP server and VS Code extension are designed to operate locally via stdio and do not expose network interfaces, significantly reducing the attack surface. The project has a clear SECURITY.md policy outlining supported versions, responsible disclosure, and user best practices regarding sensitive data. No 'eval' or hardcoded secrets were found.