turbovault

The project demonstrates comprehensive security features including explicit path traversal protection (using `path_trav` crate), type-safe deserialization to prevent injection, atomic file writes for data integrity, hash-based conflict detection for edits, and configurable file size limits to mitigate DoS attacks. Crucially, it avoids shell execution, eliminating command injection risks. An external `mcp-scanner` audit explicitly marks all 44 MCP tools as 'Safe: Yes'. While optional network transports (HTTP, WebSocket, TCP) introduce potential attack surfaces if enabled, the default mode for AI agent integration is `stdio`, which is inherently safer. The `docker-compose.yml` specifies running as a non-root `obsidian` user, adhering to the principle of least privilege.