hypertopos runs locally. No network services, no auth layer, no multi-tenancy.

• Pickle files — chain cache (.cache/chains_*.pkl) uses pickle. Don't load cache files from untrusted sources.
• Sphere paths — HyperSphere.open(path) reads from the local filesystem. Don't point it at user-controlled paths without validation.
• MCP server — communicates over stdio. Not designed for network exposure.
• SQL injection protection — lance_sql_agg validates user-controlled SQL inputs. Filter values are escaped (doubles single quotes, rejects backslash and ASCII control chars). Column identifiers are validated against ^[A-Za-z_][A-Za-z0-9_]*$.

If you find a security issue: GitHub private vulnerability reporting or email contact@hypertopos.com.