Security Whitepaper
Version 1.0 | January 2026
Meno Studio is a desktop application for visual website building, operating on a local-first architecture. This document provides a comprehensive overview of our security practices, architecture, and policies.
1. Executive Summary
Meno Studio is a desktop application for visual website building, operating on a local-first architecture. The application was designed with user data privacy and security in mind.
Key Security Features
Architecture | Desktop application (Electron) - no cloud backend
Data Storage | Locally on user's machine (~/Documents/Meno/)
Credential Encryption | OS-level encryption (macOS Keychain, Windows DPAPI)
Sandbox | Renderer process isolated from operating system
Automated Scanning | Semgrep, npm audit, Dependabot on every commit
Code Signing | macOS: Apple notarization
2. Solution Architecture
System Components
Main Process | Main Node.js process handling system operations | Technology: Node.js 20
Renderer Process | Sandboxed Chromium process for UI | Technology: React 18, Vite
Preload Script | Secure bridge between main and renderer | Technology: contextBridge API
Dev Server | Local development server (only during editing) | Technology: Bun 1.3
Process Separation
Main Process (Node.js)
- Full system access
- Encryption operations
- File I/O
Renderer Process (Chromium)
- No Node.js access
- Sandbox enforced
- CSP enforced
Communication between processes happens through contextBridge with granular API exposure.
3. Network Communication and Ports
Locally Used Ports
3000-3999 | Local editor project preview
5173 | Static generated project preview
Outbound Connections
api.github.com | GitHub API (repos, auth, git) | Port 443 | HTTPS | Login, git push/pull
github.com | GitHub OAuth Device Flow | Port 443 | HTTPS | Login
registry.npmjs.org | npm package lookup | Port 443 | HTTPS | Viewing dependencies
api.anthropic.com | Claude AI API | Port 443 | HTTPS | When user uses AI
Content Security Policy
Key restrictions enforced in production:
- No unsafe-eval in production
- Scripts only from 'self'
- External connections limited to whitelist
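As an added example (not Meno's own code), the three restrictions above expressed as a renderer CSP built from the outbound whitelist in section 3, together with a small checker for the connect-src directive so the policy can be tested offline; the exact directive layout and host list are assumptions.

```javascript
// Added example, not Meno's code: a production-style CSP for the renderer
// built from the outbound whitelist in section 3, plus a small checker for
// the connect-src directive. Host list and directive layout are assumptions.
const ALLOWED_CONNECT_ORIGINS = [
  'https://api.github.com',
  'https://github.com',
  'https://registry.npmjs.org',
  'https://api.anthropic.com',
];

// No 'unsafe-eval', scripts only from 'self', network connections only to
// 'self' and the whitelisted origins.
function buildCsp(allowedOrigins = ALLOWED_CONNECT_ORIGINS) {
  return [
    "default-src 'self'",
    "script-src 'self'",
    `connect-src 'self' ${allowedOrigins.join(' ')}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Would a fetch/XHR/WebSocket to `url` from a page at `pageOrigin` pass
// connect-src (falling back to default-src when connect-src is absent)?
// Only exact origin matches are handled; that is all the list above needs.
function isConnectAllowed(csp, url, pageOrigin) {
  const directives = parseCsp(csp);
  const sources = directives.get('connect-src') ?? directives.get('default-src') ?? [];
  const target = new URL(url).origin;
  return sources.some((src) => {
    if (src === "'self'") return target === pageOrigin;
    if (src === "'none'") return false;
    return src.replace(/\/$/, '') === target;
  });
}
```

A source with an explicit scheme matches only that scheme, so a plain-HTTP request to a whitelisted host is still blocked.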
4. Data Flows
Data Stored Locally
Projects | ~/Documents/Meno/ | Page and component JSON files | Not encrypted (working files)
GitHub Token | userData/github-token.enc | GitHub OAuth token | Encrypted (safeStorage)
User Info | userData/github-user.json | Login, avatar, email (display only) | Not encrypted
AI API Key | OS Keychain | Anthropic API key | Encrypted (OS-level)
Data NOT Transmitted Anywhere
- Project content (pages, components, code)
- Local file paths
- Edit history
- Application logs
- Feature usage metrics
- Keystrokes / interactions
Data Transmitted to External Services
GitHub | Token, commits, files (git push) | Required for git ops
Anthropic | Prompt + file context (AI) | Requires API key
5. Security Mechanisms
Electron Security
contextIsolation: true | Isolates renderer from Node.js APIs
nodeIntegration: false | Blocks direct Node.js access
sandbox: true | Restricts renderer process permissions
webviewTag: true (with CSP) | Controlled webview embedding
Credential Encryption
GitHub tokens are encrypted using Electron's safeStorage API, which leverages OS-level encryption:
- macOS: Keychain Services
- Windows: DPAPI (Data Protection API)
Path Traversal Protection
Three-layer path validation protects against directory traversal attacks:
- Path normalization
- Check if within allowed directory
- Validate project is in ~/Documents/Meno
Rate Limiting
AI Chat | 30 requests / 1 minute
Tool Approvals | 10 attempts / 1 minute
Generate Commit | 20 requests / 1 minute
AI Init | 5 requests / 1 minute
Input Validation
- Zod schemas — All JSON structures
- File size limit — Max 5MB for file reads
- Image size limit — Max 2MB for images
- Filename validation — Disallowed characters: <>:"/\|?*
- Binary detection — Exclude binary files from search
6. Security Testing
Automated Scanning (CI/CD)
Semgrep | SAST, secrets detection | Push, PR, weekly
npm audit | Dependency vulnerabilities | Push, PR | --audit-level=high
Dependabot | Automated updates | Weekly PRs with updates
Semgrep Rules
- p/javascript
- p/typescript
- p/security-audit
- p/secrets
- p/owasp-top-ten
Vulnerability Status
Critical | 0 known (CI checks on every PR)
High | 0 known (CI checks on every PR)
Note: Meno has not undergone a formal external penetration test. Automated scanning includes static code analysis and dependency auditing. Upon enterprise customer request, we can commission an external pentest.
7. Cloud Infrastructure
Local-First Architecture
Meno Studio does NOT have a cloud backend. The application runs entirely locally on the user's machine.
What We Don't Have
- No application servers
- No cloud database for projects
- No cloud storage for user files
- No API gateway
- No load balancer
- No CDN for user assets
What We Do Have
- All project data stored locally
- Credentials encrypted at OS level
- No project data transmission to cloud
External Services (Third-Party)
GitHub | Git hosting, OAuth | Provider: Microsoft | Location: US/EU | Required for git
Anthropic | AI API | Provider: Anthropic | Location: US | Opt-in
npm Registry | Package info | Provider: GitHub/npm | Location: US | Read only
8. Integrations
Currently Supported Integrations
GitHub | Full support | OAuth, repos, git push/pull, branches
Git (generic) | Partial support | Local git operations, any remote via CLI
Claude AI | Full support | AI assistant in editor
Figma (MCP) | Experimental | Design import via Model Context Protocol
Extensibility
Meno uses Model Context Protocol (MCP) for integration with external tools. Currently supported: Figma MCP Server for design import. The architecture allows adding new MCP integrations without changes to the core application.
9. SSO and Authentication
Current Authentication Model
GitHub OAuth 2.0 (Device Flow):
1. User clicks "Login with GitHub"
2. App sends request to github.com/login/device/code
3. GitHub returns device_code and user_code
4. User goes to github.com/login/device
5. User enters user_code and authorizes
6. App polls /login/oauth/access_token
7. After authorization, receives access_token
8. Token encrypted and saved locally (safeStorage)
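Steps 2 through 7 as a client function, added here as an example and not Meno's own code. The HTTP transport and the sleep function are injected, so the flow is exercised against a constructed fake GitHub rather than the network; the client id, token value and helper names are placeholders, and step 8 (safeStorage) is out of scope.

```javascript
// Added example, not Meno's code: the Device Flow client side with injected
// transport and sleep, exercised against a constructed fake GitHub. Client id,
// token value and helper names are placeholders; step 8 is out of scope.
const CLIENT_ID = 'PLACEHOLDER_CLIENT_ID';
const SCOPES = 'repo user:email read:org'; // the scope list in this section
const TOKEN_GRANT = 'urn:ietf:params:oauth:grant-type:device_code';

// Steps 2-3: obtain device_code, user_code, verification_uri, expires_in, interval.
async function requestDeviceCode(post) {
  return post('https://github.com/login/device/code', { client_id: CLIENT_ID, scope: SCOPES });
}

// Steps 6-7: poll until GitHub returns a token or a terminal error. RFC 8628
// error codes: authorization_pending (wait), slow_down (wait longer),
// expired_token / access_denied (give up).
async function pollForToken(post, sleep, device) {
  let interval = device.interval;
  for (;;) {
    const res = await post('https://github.com/login/oauth/access_token', {
      client_id: CLIENT_ID, device_code: device.device_code, grant_type: TOKEN_GRANT,
    });
    if (res.access_token) return res.access_token;
    if (res.error === 'slow_down') interval += 5;
    else if (res.error !== 'authorization_pending') throw new Error(`device flow failed: ${res.error}`);
    await sleep(interval * 1000);
  }
}

// Constructed fake GitHub: answers the device-code request, then replays the
// given token-endpoint responses in order (expired_token once exhausted),
// recording every sleep it caused.
function makeFakeGitHub(tokenResponses) {
  const sleeps = [];
  let i = 0;
  const post = async (url) => url.endsWith('/login/device/code')
    ? { device_code: 'dc_constructed', user_code: 'ABCD-1234', verification_uri: 'https://github.com/login/device', expires_in: 900, interval: 5 }
    : tokenResponses[i++] ?? { error: 'expired_token' };
  return { post, sleep: async (ms) => { sleeps.push(ms); }, sleeps };
}

// Run the whole flow; steps 4-5 (the user entering user_code in a browser)
// happen outside the app and are represented by the fake's responses.
async function loginDemo(tokenResponses) {
  const gh = makeFakeGitHub(tokenResponses);
  const device = await requestDeviceCode(gh.post);
  const token = await pollForToken(gh.post, gh.sleep, device);
  return { token, userCode: device.user_code, sleeps: gh.sleeps };
}
```

The poll loop never shortens the interval on its own; only the server's slow_down lengthens it, which is what keeps a client within GitHub's polling limits.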
OAuth Permissions (Scope)
- repo — Full access to private repositories
- user:email — Access to user's email address
- read:org — Read organization membership
SSO Enterprise Support
GitHub OAuth is the only login method, and it is also the route by which Meno Studio supports SSO. Organizations using GitHub Enterprise can enforce SAML SSO authentication at the GitHub level; because Meno uses GitHub OAuth exclusively for login, it automatically inherits these security controls:
- User must first authenticate through corporate IdP (Okta, Azure AD, etc.) to access GitHub
- Only after passing SSO can they authorize Meno
- Organization can restrict access only to members with enforced SSO
This means Meno supports SSO indirectly through GitHub Enterprise—without requiring native SAML/OIDC integration in the application itself.
10. Security Policies
Update Management
Latest | Full support (features + security)
Previous | Security fixes only
Older | No support—please update
Code Signing
macOS
- Certificate: Developer ID Application
- Team ID: V48BWM8PP8
- Hardened Runtime: Enabled
- Notarization: Apple Notary Service
Windows
Authenticode: Planned
Auto-Updates
- Updates downloaded from GitHub Releases
- Update packages are digitally signed
- User receives notification about new version
- Installation requires manual confirmation
Dependency Management Policy
- Dependabot — automated PRs with updates (weekly)
- npm audit — blocks merge on High/Critical
- Lockfile — package-lock.json committed to repo
- Review — every dependency change requires code review
11. Compliance and Certifications
Current Status
GDPR | No | Local data
SOC 2 | No | No cloud infrastructure
ISO 27001 | No | Not applicable (local-first)
HIPAA | No | Not applicable
PCI DSS | No | We don't process payments
GDPR Considerations
- Data stored locally — user has full control
- Right to deletion — delete Meno folder
- Analytics (Supabase) — minimal, opt-out possible
- Data processing agreement — available upon request
12. Contact and Vulnerability Reporting
Reporting Vulnerabilities
Email: team@meno.so
Response time: 48 hours
What to include in your report:
- Description of vulnerability
- Steps to reproduce
- Potential impact
- Contact information (optional)
We ask that you do not publicly disclose a vulnerability before we have responded, and that you give us time to fix it before disclosure.
Questions about security?
Reach out to: team@meno.so