Overview

A series of developer-oriented documents describing the security practices adopted in the Vocalance codebase.

Disclaimer

These documents are purely informational and do not constitute a legally binding security policy. Vocalance is provided as-is under the GNU General Public License v3, which explicitly disclaims all warranties.

Table of Contents

  • Releases: CI/CD pipeline steps from merge to immutable GitHub release, including linting, security scanning, unit tests, privacy guards, release packaging, and SHA-256 checksum generation.

  • Privacy: Network posture after installation, the two opt-in logging mechanisms and what each records, and the user data persisted across sessions.

  • Supply Chain Integrity: Python library sourcing and hash pinning via uv, the UV bootstrap integrity check, and the three-layer integrity control applied to AI models downloaded from Hugging Face.

  • Installation and Uninstallation: What setup.ps1 does step-by-step, the privilege model, where files land, and how cleanup.ps1 removes all application data.

  • Input Validation: Settings bounds enforcement, storage-layer ingestion validators, hotkey allowlist and single-combo enforcement, and alias control-character blocking.

  • Security Assumptions: Explicit threat-model boundaries: cryptographic controls in place, tampered-storage defences, and why audio-input spoofing is out of scope.