Security at Meno

We take security seriously. From secure credential storage to code signing, we've built Meno with multiple layers of protection to keep your work safe.

Local-First Architecture

Your Data, Your Machine

Meno is a desktop application designed with privacy at its core. Unlike cloud-based builders:

  • Projects stored locally — All your files live in ~/Documents/Meno/ on your computer

  • No cloud backend — We don't host your projects or sync them to our servers

  • Git-native — Push to GitHub when you're ready, on your terms

This means your source code, designs, and content never touch our infrastructure unless you explicitly choose to share them.

Credential Protection

Secure Token Storage

Your GitHub credentials are protected using your operating system's secure storage:

  • macOS: Encrypted via Keychain Services

  • Windows: Protected with DPAPI (Data Protection API)

Tokens are decrypted only when needed and cached in memory to minimize disk access. We never store passwords—authentication happens directly through GitHub's OAuth flow.

Application Security

Sandboxed & Isolated

Meno runs in a hardened Electron environment with multiple security layers:

  • Context Isolation: Renderer process completely isolated from Node.js APIs

  • Sandbox Mode: Restricts process capabilities at the OS level

  • Content Security Policy: Prevents XSS and injection attacks

  • No Remote Code: All code runs locally—no eval() or remote scripts

External links always open in your default browser, never inside the application.
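
The layers listed above and the external-link rule, written as checks a reviewer could run against an Electron app's settings. This is an added example, not Meno's code: the function names and sample values are constructed for illustration, and only the webPreferences keys, setWindowOpenHandler and shell.openExternal are real Electron names.

```javascript
// Added example, not Meno's code. Function names and sample values are hypothetical.
// Explicit values are required so the result does not depend on Electron version defaults.
function auditWebPreferences(prefs) {
  const want = { contextIsolation: true, sandbox: true, nodeIntegration: false };
  return Object.keys(want)
    .filter((k) => prefs[k] !== want[k])
    .map((k) => `${k} must be ${want[k]}`);
}

// Parse a Content-Security-Policy value and flag script sources that permit
// eval(), inline script, or anything beyond quoted keywords such as 'self'.
function auditCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  const scriptSrc = directives.get('script-src') || directives.get('default-src');
  if (!scriptSrc) return ['no script-src or default-src: scripts are unrestricted'];
  const findings = [];
  for (const src of scriptSrc) {
    const s = src.toLowerCase();
    if (s === "'unsafe-eval'") findings.push('script-src allows eval()');
    else if (s === "'unsafe-inline'") findings.push('script-src allows inline script');
    else if (!s.startsWith("'")) findings.push(`script-src allows non-keyword source ${src}`);
  }
  return findings;
}

// Decision for a window-open or navigation request: never load it inside the
// app, and hand only http(s) URLs to the OS browser. A caller would return
// { action: 'deny' } from setWindowOpenHandler and pass the URL to
// shell.openExternal only when openInBrowser is true.
function externalLinkAction(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { action: 'deny', openInBrowser: false }; }
  return { action: 'deny', openInBrowser: ['http:', 'https:'].includes(url.protocol) };
}

// Constructed sample inputs, not Meno's real configuration.
const weakPrefs = { contextIsolation: false, nodeIntegration: true };
const hardenedPrefs = { contextIsolation: true, sandbox: true, nodeIntegration: false };
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example";
const hardenedCsp = "default-src 'self'; script-src 'self'; object-src 'none'";

console.log(auditWebPreferences(weakPrefs), auditCsp(weakCsp));
console.log(auditWebPreferences(hardenedPrefs), auditCsp(hardenedCsp));
console.log(externalLinkAction('file:///etc/hosts'));
```

Restricting the browser hand-off to http(s) keeps file: and custom-scheme URLs from reaching the OS protocol handlers.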

Code Security

Continuous Scanning

Our codebase undergoes automated security checks on every commit:

  • Semgrep — Static analysis for vulnerabilities and OWASP patterns

  • npm audit — Dependency vulnerability scanning

  • Dependabot — Weekly automated dependency updates

  • Secrets detection — Prevents accidental credential commits

Code Signing

Verified Downloads

All Meno releases are cryptographically signed to ensure authenticity:

  • macOS: Notarized by Apple with hardened runtime

  • Auto-updates: Delivered via signed GitHub Releases

You can verify you're running genuine Meno software, not a tampered copy.

Third-Party Integrations

Meno connects to external services only when you use specific features:

  • GitHub: Git operations, OAuth. When you sign in or push/pull

  • npm Registry: Package lookups. When installing dependencies

  • Claude API: AI assistance. Use AI features with your API key

We don't proxy your connections—you communicate directly with these services.

Data We Collect

Minimal & Transparent

We collect minimal analytics to understand our user base:

  • GitHub username and email

  • First and last seen timestamps

We never collect:

  • Your project files or code

  • Usage patterns or feature analytics

  • Keystroke or interaction data

  • File paths or project metadata

  • AI conversation history

Vulnerability Reporting

Report Security Issues

Found a vulnerability? We take security reports seriously.

Email: security@meno.so

What to include:

  • Description of the vulnerability

  • Steps to reproduce

  • Potential impact

  • Your contact information (optional)

Our commitment:

  • Acknowledge receipt within 48 hours

  • Provide status updates as we investigate

Please don't disclose vulnerabilities publicly until we've had a chance to address them.

Support Policy

Version support

  • Latest release: Full support (features + security)

  • Previous release: Security fixes only

  • Older versions: No support—please update

We recommend always running the latest version to benefit from security improvements.

Questions about security?

Reach out to: security@meno.so