Security Compliance

[Vedant-Ratn-Nema]

Hey is this SOC2 or HIPAA compliant?

[roman-rr]

If you're evaluating ruflo for security compliance, here are the findings from our independent audit:

Critical security gaps:

• verifySignature() in RaftConsensus.js unconditionally returns true — comment says "In real implementation, verify with sender's public key"
• hive-mind spawn --claude uses --dangerously-skip-permissions flag, disabling all Claude safety checks
• No encryption on state files: graph-state.json (100 MB), auto-memory-store.json (5.9 MB), session data — all plaintext on disk
• The security audit in issue Security Audit Summary: Multiple Critical Concerns #1375 was closed by the maintainer without resolving the concerns

Additionally:

• ~290 of 300+ tools are stubs — they return fake success responses, which could mask actual failures in a compliance-sensitive workflow
• Token Optimizer claims "30-50% savings" but metrics are hardcoded in source (+= 100 per cache hit)
• Issue Security Audit Summary: Multiple Critical Concerns #1375 documented prompt injection via tool descriptions and obfuscated preinstall scripts

For compliance purposes: the only verified-working components are memory/HNSW search, embeddings, terminal execute, and session persistence.

Full audit: Independent Audit