PrivateRAG v0 is unaudited software. It is not externally audited and does not provide production-grade cryptographic assurance.
The only supported private retrieval profile for v0 is
simplepir-rs-v0-1000-1k over simplepir-lwe-v0, with
security_status = supported-v0-unaudited.
That profile is supported only within this documented envelope:
- at most 1,000 records
- exactly 1,024-byte PIR records
- exactly 384-dimensional finite
f32local index rows - fixed
top_k=2 - fixed
retrieval_count=4 - public cache <= 2.5 MiB
- full bundle <= 3.5 MiB
Unsupported shapes are expected to fail closed. A bypass that silently accepts a shape outside this envelope is security-relevant.
The older simplepir-rs-experimental-v0 profile is compatibility/development
only. The toy-development-only-v0 profile is development/test only. Neither
is a supported private-retrieval profile.
PrivateRAG v0 does not claim:
- external cryptographic audit
- production-grade cryptographic assurance
- malicious-server security
- compromised-client security
- traffic-analysis resistance
- side-channel-free retrieval
- arbitrary-scale retrieval
- arbitrary
top_korretrieval_countsupport - authentication, authorization, tenant isolation, TLS termination, or log controls
- authenticated bundle provenance
Current bundles are unsigned. Checksums detect file drift after a trusted
deployment obtains checksums.json; they do not authenticate the bundle
producer or protect against a party that can replace both files and checksums.
For sensitive reports, use GitHub private vulnerability reporting for this repository if it is enabled.
If private reporting is not available, open a public issue that asks for a private contact path, but do not include exploit details, private data, tokens, or unreleased vulnerability details in the public issue.
For non-sensitive bugs, documentation issues, or questions about documented limitations, a normal GitHub issue is appropriate.
Please include, when safe:
- affected commit or version
- affected component: bundle format, packer, server, CLI, Python SDK, adapter, benchmark tooling, or docs
- expected behavior and observed behavior
- whether the issue can expose query text, query embeddings, selected chunk IDs, selected internal record IDs, decoded chunk text, server-only bundle files, or unsupported profile shapes
- a minimal reproduction that does not include private corpus data or secrets
Do not post sensitive exploit details, private corpora, API keys, credentials, tokens, generated private bundles, or deployment logs in public issues.
If you are unsure whether a report is sensitive, treat it as sensitive first.