Overview
A series of developer-oriented documents describing the security practices adopted in the Vocalance codebase.
Disclaimer
These documents are purely informational and do not constitute a legally binding security policy. Vocalance is provided as-is under the GNU General Public License v3, which explicitly disclaims all warranties.
Table of Contents
Releases: CI/CD pipeline steps from merge to immutable GitHub release, including linting, security scanning, unit tests, privacy guards, release packaging, and SHA-256 checksum generation.
Privacy: Network posture after installation, the two opt-in logging mechanisms and what each records, and the user data persisted across sessions.
Supply Chain Integrity: Python library sourcing and hash pinning via
uv, the UV bootstrap integrity check, and the three-layer integrity control applied to AI models downloaded from Hugging Face.Installation and Uninstallation: What
setup.ps1does step-by-step, the privilege model, where files land, and howcleanup.ps1removes all application data.Input Validation: Settings bounds enforcement, storage-layer ingestion validators, hotkey allowlist and single-combo enforcement, and alias control-character blocking.
Security Assumptions: Explicit threat-model boundaries: cryptographic controls in place, tampered-storage defences, and why audio-input spoofing is out of scope.