Security

Security in Gestura.app is about clear trust boundaries: what stays local, what can be sent to configured providers, what tools are allowed to do, and how memory or reflection features behave when they are enabled.

Local Processing

By default, voice processing happens locally on your device. If you configure cloud speech or model providers, only the parts of the workflow routed through those providers leave your local environment.

Network & Secret Handling

Remote provider traffic should use standard encrypted transport such as TLS. API keys and other secrets should be stored using secure system facilities or environment variables when supported, rather than being treated as ordinary reusable prompt content.

MCP Security

MCP expands what Gestura can do, so each MCP server should be treated as part of your trust boundary. Review what tools are connected, what they can access, and whether the current permission level is appropriate before allowing broad automation.

Knowledge & Memory Safety

Gestura separates live session context, retrieved knowledge, and durable memory so unrelated material does not need to be pushed into every request. That design helps reduce unnecessary context exposure, but users should still review what knowledge sources and providers are active for sensitive work.

Reflection Safety

When ERL-inspired reflection is enabled, it is intended to improve weak turns through structured correction and text-only retry behavior rather than blindly replaying tool side effects. This reduces risk compared with naive automatic retries, but reflection should still be treated as an advanced feature and configured carefully.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly through our GitHub security advisory system or contact us directly through our Discord community.

Security Updates

We regularly release security updates and encourage users to keep their installations up to date. Critical security patches are prioritized and released as soon as possible.

Open Source Transparency

As an open source project, our security implementations are transparent and can be audited by the community. We welcome security reviews and contributions from security researchers.

Best Practices

  • Keep Gestura.app updated to the latest version
  • Use strong authentication for MCP server and provider connections
  • Prefer the most restrictive practical permission level
  • Review active knowledge, provider, and MCP settings before sensitive work
  • Store secrets in secure keychains or environment variables when possible
  • Monitor system logs for unusual activity
  • Follow the principle of least privilege for agent and tool capabilities

Contact

For security-related questions or to report vulnerabilities, please contact us through our GitHub repository or Discord community.