Security

Zero bytes leave your machine.* By design, by audit, by license.

Local-first is a security stance, not a feature flag. Nora's hot path is AST-audited at every install and re-verified on --on-prem. The entire engine is source-available under Elastic License 2.0.

* Free/Lite tier. Pro+ opts in to BYO-S3 sync and the hosted MCP relay at mcp.kernora.ai; on-prem mode (any tier) locks all egress.

EFFECTIVE · APRIL 22, 2026 · NORA v2.4.0

The short version. Your sessions, your factbook, your API keys never reach Kernora servers. The zero-network invariant is verifiable via kernora network-check — an AST audit that scans every hot-path module for networking primitives outside the explicit NETWORK_ALLOWLIST and exits 1 if any leak is found. It runs automatically during kernora install --on-prem and on demand any time. The pre-commit PII guardrail blocks 15 secret patterns from landing in .nora/. --on-prem additionally locks the LLM provider to Ollama only and sets telemetry.enabled = false. Every artifact (factbook, hooks, audit log) lives in your repo or your ~/.kernora/ cache. We host nothing.

Pillars

1. Zero-network invariant

kernora network-check walks the AST of every module on the hot path. If it finds socket, requests, httpx, or any networking primitive outside the explicit NETWORK_ALLOWLIST, it exits 1. Re-runs on every kernora install --on-prem. Run on demand any time.

2. Pre-commit PII guardrail

15-rule regex catalog: 8 critical (AWS, OpenAI, Anthropic, Google, Stripe, Slack, GitHub PAT, OpenSSH PEM), 3 high (bearer tokens, JWTs, URL-embedded creds), 4 medium (SSN, credit-card, generic emails). Runs as a pre-commit hook before anything lands in .nora/. Exit 1 on critical/high. Self-audited zero-network.

3. Append-only agent_safety log

Date-rotated JSONL at ~/.kernora/logs/agent_safety/{YYYY-MM-DD}.jsonl records every PII block, prompt-injection block, and path-allowlist denial. Visible in the dashboard at /audit-log. The format is plain JSONL — replayable, greppable, exportable for compliance review.

4. Right-to-be-forgotten + retention TTL

kernora purge --project <name> (or --all) archives + removes a project's data; --no-archive skips the archive; --yes non-interactive. Per-table TTL via [retention] auto-purges short-lived intermediate artifacts (clean signals, reasoning traces) at 90 days by default.

Threat model

Nora is designed against three attacker shapes. We name them so you can verify your posture against them.

T1. Network exfiltration of session content

Mitigation: Zero-network invariant (AST-audited via kernora network-check). The hot path — capture, analyze, promote, emit — has no permitted network call outside the explicit NETWORK_ALLOWLIST. Every emit is local I/O to ~/.kernora/ or <your-project>/.nora/. The only egress points are: (a) the LLM call from analyzer.py, which you BYOK and route to your chosen provider; (b) git push, which you trigger explicitly. Cost + token usage of (a) is logged in the kernora_usage table; (b) is in your normal git history.

On-prem hardening: kernora install --on-prem locks LLM provider to Ollama (local) and sets telemetry.enabled = false, eliminating egress (a) entirely.

T2. Secrets leaking into the factbook

Mitigation: Pre-commit PII guardrail. The 15 rules cover AWS / OpenAI / Anthropic / Google / Stripe / Slack key formats, GitHub PATs, OpenSSH PEM private keys, bearer tokens, JWTs, URL-embedded credentials, SSNs, credit cards, and email addresses. The hook runs before markdown lands in .nora/. False positives can be allowlisted with the kernora-pii-allowlist marker.

Run on demand: kernora pii-scan <path>. Exit 1 on critical/high.

T3. Tampering or impersonation of the factbook

Mitigation: Git is the audit trail. Every fact is a markdown file under version control with author + timestamp + diff. Reviewers can see what changed, who promoted it, and through which agent. There is a single canonical promotion gate — no side paths that could allow unsigned or unreviewed facts to enter the factbook.

T4. Cross-team data leak in multi-tenant Free installs

Mitigation: Every dashboard query against team-scoped tables enforces a team boundary at the data layer, appending AND team_id = ? to the WHERE clause when a team is configured (via --team-scope at daemon start or KERNORA_TEAM_ID env var). Cross-team exports are structurally prevented — the team boundary is applied at query construction, not filtered after the fact. The enforcement is covered by an automated test suite that includes spoofed-query-param attacks returning zero rows. Personal-mode installs (default) skip the team filter entirely — there is no team boundary to enforce.

Architecture posture

ComponentWhere it runsNetwork?
Stop hookYour shell / IDENo
Daemon (daemon.py)Your machine, unix socketNo
Analyzer (analyzer.py)Your machineOne LLM call (BYOK; Ollama in --on-prem)
P2 agents (analyzer pipeline)Your machineNo (sentence-transformers run locally)
P3 SynthesizerYour machineNo
Promotion gate (db.promote_patterns)Your machine, ~/.kernora/echo.dbNo
Factbook (.nora/*.md)Your repo, git-trackedOnly on git push
DashboardYour machine, localhost:2742No (server-side HTML)
MCP serverYour machine, stdio to your IDENo
Team dashboard (optional)Your own GitHub org via Action + PagesYes, but in your org's compute

Compliance & deployment

--on-prem mode

For finance, health, and defense:

SSO / SAML / SCIM

Available on the Enterprise plan for the team dashboard repo (which lives in your GitHub org). Solo Mode 1 has no auth surface to federate — it runs in your terminal under your local user.

Audit log format

Append-only JSONL, date-rotated daily at ~/.kernora/logs/agent_safety/{YYYY-MM-DD}.jsonl. Each entry includes the ISO-8601 timestamp, the agent that emitted the event, the event type (pii_block, prompt_injection_block, path_denied, etc.), and a short detail field. Visible at http://localhost:2742/audit-log (last 50 events of the current day). The format is plain JSONL — replayable, greppable, exportable for compliance review. Never overwritten by Nora itself.

Retention & right-to-be-forgotten

~/.kernora/config.toml:

On-demand purge: kernora purge --project <name> (one project) or kernora purge --all (everything). Add --no-archive to skip the pre-purge archive, --yes to skip the interactive confirm, --dry-run to preview. Every purge writes a line to the agent_safety log.

Source-available, auditable

Nora is licensed under Elastic License 2.0. You can read every line of code, fork it, embed the SDK in your own products, and audit the hot path yourself. The constraint: you can't resell Nora as a hosted service competing with Kernora. Internal commercial use is unrestricted.

Source: github.com/kernora-ai/nora. The README in that repo carries the architecture overview, install command, and the network-egress matrix above. Enterprise deployments (SAML / SCIM / audit log retention) are gated by contract — email hello@kernora.ai for the readiness checklist.

Reporting a vulnerability

If you find a security issue, please report it privately before public disclosure. We aim to acknowledge within 48 hours and ship a fix or mitigation within 14 days for critical issues.

Contact

Security disclosures (preferred — encrypted): hello@kernora.ai

General security questions: GitHub Issues with the security-question label (do not include exploit details).

Compliance and procurement (--on-prem, SSO, SOC2): hello@kernora.ai