Merged
33 changes: 33 additions & 0 deletions .gitleaks.toml
@@ -0,0 +1,33 @@
[extend]
useDefault = true

[[allowlists]]
description = "Swift MLX module metadata labels are not secrets."
targetRules = ["generic-api-key"]
condition = "AND"
paths = [
'''(^|/)Packages/mlx-audio-swift-valar/.+\.swift$''',
]
regexTarget = "match"
regexes = [
'''key:\s*"[A-Za-z0-9_.-]+"''',
]

[[allowlists]]
description = "Voice protection tests declare a fixture environment variable name, not a secret value."
targetRules = ["generic-api-key"]
condition = "AND"
paths = [
'''(^|/)Packages/ValarPersistence/Tests/ValarPersistenceTests/VoiceLibraryProtectionTests\.swift$''',
]
regexTarget = "match"
regexes = [
'''testKeyEnvironmentVariable = "VALARTTS_TEST_VOICE_KEY_B64"''',
]

[[allowlists]]
description = "Public-audit rule patterns intentionally include private-key sentinels."
targetRules = ["private-key"]
paths = [
'''(^|/)tools/public_repo_rules\.sh$''',
]
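
Review bot: In the first [[allowlists]] block, the regex '''key:\s*"[A-Za-z0-9_.-]+"''' is unanchored and has no length bound, so for every Swift file under Packages/mlx-audio-swift-valar/ it suppresses generic-api-key on any `key: "<token>"` literal, including a real credential that happens to use only those characters (it also matches inside longer names such as `api_key: "..."`). Consider enumerating the known metadata label values or anchoring the pattern to its surrounding call, the way the second block pins the exact string `testKeyEnvironmentVariable = "VALARTTS_TEST_VOICE_KEY_B64"`. The third block has only `paths`, so every private-key finding in tools/public_repo_rules.sh is ignored; adding `condition = "AND"` with a regex for the sentinel text would keep a real key pasted into that script detectable.
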
7 changes: 4 additions & 3 deletions PRIVACY.md
Expand Up @@ -9,6 +9,7 @@ Valar is a local speech stack for macOS and Apple Silicon. This document describ
- model downloads happen only when the user explicitly installs a model
- the daemon listens on loopback by default
- Valar does not install background services for you by default
- benchmark, validation, and generated audio files are written only where you choose or under local temporary directories used by the scripts

## Local Data

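Review bot: The added bullet ("written only where you choose or under local temporary directories used by the scripts") does not say which temporary directories are meant or whether the scripts delete what they write there, and generated audio left in a temporary directory is still local data a reader of this document would want to locate. Suggest naming the location and stating the cleanup behaviour, or pointing to the scripts that define it.
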
Expand All @@ -19,15 +20,15 @@ Valar stores local state on your Mac for things like:
- project or document state
- generated outputs that you choose to write to disk

Saved voice material and other local state remain on your machine unless you choose to export or share those files yourself.
Saved voice material and other local state remain on your machine unless you choose to export or share those files yourself. Local files are protected by your macOS account and filesystem settings; do not assume generated outputs or model packs are encrypted unless you have enabled disk encryption or another explicit protection layer.

If you use the MCP bridge in `bridge/`, you may choose to read or write local media under `~/Library/Application Support/Valar/bridge-storage`. The public bridge does not persist channel identifiers, sender metadata, or transcript/reply sidecars by default. Override this location with `VALARTTS_BRIDGE_STORAGE_ROOT` if needed.

## Network Access

The normal workflow uses the network only for model downloads from upstream hosts such as Hugging Face. Valar does not require a cloud inference backend.
The normal workflow uses the network only for dependency resolution and model downloads from upstream hosts such as Hugging Face. Valar does not require a cloud inference backend.

The public daemon binds to `127.0.0.1:8787` only. It is loopback-only in this repo and is not intended to be exposed as a network service.
The public daemon binds to `127.0.0.1:8787` by default. Do not expose it on a routable interface unless you add your own authentication, authorization, and network controls.

## Model Licenses

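Review bot: The daemon paragraph changes "binds to `127.0.0.1:8787` only" to "by default", which tells readers the bind address can be changed without naming the setting that changes it, and the advice to "add your own authentication, authorization, and network controls" implies the daemon ships with none of its own. Suggest stating that explicitly and naming the option, so a user knows exactly what moves the listener off loopback. In the Network Access paragraph, "dependency resolution" is added without a host; only Hugging Face is named, so consider listing what dependency resolution contacts as well.
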