OculiX runs entirely on your machine. Nothing phones home by default: no telemetry, no analytics, no auto-update calls. This page documents the project’s security posture for organizations that need to assess OculiX before deploying it in regulated environments.
For anything sensitive — auth bypass, RCE, credential leakage, supply chain — do not open a public issue. Use GitHub’s private vulnerability reporting.
The OculiX core is MIT-licensed. An MIT grant is perpetual: every version already released stays under it, and the project’s commitment is that no future version of the core goes proprietary either. Every line that ships is in the public repository, auditable, forkable, signable by you.
MCP audit journal
The optional MCP server module writes an Ed25519-signed, SHA-256-chained JSONL audit journal, designed for environments where every automated action needs to be tamper-evident end to end. Each entry is signed and carries the SHA-256 hash of the previous entry, so editing any record invalidates that record’s signature and breaks the back-reference in the entry after it; the chain fails verification from that point onward. Deleting a record from the middle breaks the chain the same way. What a hash chain cannot detect on its own is truncation of the tail, so if you need to prove completeness, anchor the hash of the latest entry somewhere outside the journal (a separate log, a ticket, a signed timestamp). The guarantee also holds only against parties who do not hold the signing key: whoever has it can rewrite the whole chain.
This is the feature most often cited by users in defense, banking and healthcare.
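As an added illustration of the mechanism, not OculiX’s own code or on-disk format, here is a minimal writer and verifier for an Ed25519-signed, SHA-256-chained JSONL journal in Go using only the standard library. The field names, the all-zero genesis hash, the fixed demo seed and the three sample actions are assumptions made for the example. It exercises the three cases discussed above: an edited entry, a dropped entry, and a truncated tail that still verifies internally and is caught only by comparing the final hash with an anchor kept outside the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is one JSONL line; the layout is assumed for this example, not OculiX's format.
type Entry struct {
	Seq      int    `json:"seq"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"` // hex SHA-256 of the previous line as written
	Sig      string `json:"sig"`       // hex Ed25519 signature over the line with sig empty
}

var genesisHash = strings.Repeat("0", 64) // anchors the first entry; record it out of band

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// payload is what gets signed: the entry with Sig cleared, marshalled in fixed
// field order so a verifier can rebuild the identical bytes.
func payload(e Entry) []byte {
	e.Sig = ""
	b, _ := json.Marshal(e) // basic field types only, cannot fail here
	return b
}

// Journal appends signed entries, each chained to the hash of the previous line.
type Journal struct {
	priv  ed25519.PrivateKey
	lines []string
	Head  string // hash of the last line written; anchor this outside the file
}

func NewJournal(priv ed25519.PrivateKey) *Journal { return &Journal{priv: priv, Head: genesisHash} }
func (j *Journal) JSONL() string                 { return strings.Join(j.lines, "\n") }

func (j *Journal) Append(action string) {
	e := Entry{Seq: len(j.lines) + 1, Action: action, PrevHash: j.Head}
	e.Sig = hex.EncodeToString(ed25519.Sign(j.priv, payload(e)))
	line, _ := json.Marshal(e)
	j.lines = append(j.lines, string(line))
	j.Head = sha256Hex(line)
}

// Verify walks a JSONL journal holding only the public key. It returns how many
// entries verified, the last hash (compare it with the anchor) and the first break.
func Verify(pub ed25519.PublicKey, jsonl string) (int, string, error) {
	prev, n := genesisHash, 0
	for i, line := range strings.Split(strings.TrimSuffix(jsonl, "\n"), "\n") {
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return n, prev, fmt.Errorf("line %d: malformed JSON: %w", i+1, err)
		}
		if e.PrevHash != prev {
			return n, prev, fmt.Errorf("line %d: chain break, prev_hash does not match the line before", i+1)
		}
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || !ed25519.Verify(pub, payload(e), sig) {
			return n, prev, fmt.Errorf("line %d: bad signature", i+1)
		}
		prev, n = sha256Hex([]byte(line)), n+1
	}
	return n, prev, nil
}

// Demo builds a three-entry journal from a constructed, fixed seed (never do this
// with a real key) and returns the public key with it.
func Demo() (ed25519.PublicKey, *Journal) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed example seed 32 byte")) // demo seed only
	j := NewJournal(priv)
	for _, a := range []string{"open file", "delete", "export"} {
		j.Append(a)
	}
	return priv.Public().(ed25519.PublicKey), j
}

// EditedEntry rewrites the second entry's action in place; its signature then fails.
func EditedEntry(j *Journal) string {
	lines := append([]string(nil), j.lines...)
	lines[1] = strings.Replace(lines[1], `"action":"delete"`, `"action":"read"`, 1)
	return strings.Join(lines, "\n")
}

// DroppedEntry removes the second entry, so the third one's prev_hash matches nothing.
func DroppedEntry(j *Journal) string { return j.lines[0] + "\n" + j.lines[2] }

// TruncatedTail drops the last entry; what is left still verifies, only the anchor catches it.
func TruncatedTail(j *Journal) string { return strings.Join(j.lines[:2], "\n") }

func main() {
	pub, j := Demo()
	n, head, err := Verify(pub, TruncatedTail(j))
	fmt.Println(n, head == j.Head, err) // 2 false <nil>: verifies, yet the anchor exposes the truncation
}
```

Two design points worth carrying into any real deployment: the verifier holds only the public key, and the hash is taken over the line exactly as written (signature included), so a forged or replaced signature breaks the next link even if the signer's key has since leaked. The edited and dropped cases fail at line 2 with a signature error and a chain-break error respectively; the truncated case fails only when the returned head hash is compared with the anchor.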
These aren’t features we promote — they’re consequences of how OculiX is built.
No cloud dependency
The IDE, the API library, the script runner all work fully offline. The only network access is what your script explicitly requests.
No telemetry
We don’t collect usage data, error reports, performance metrics, or anything else. If you opt into update checks, OculiX queries GitHub Releases for a new version — that’s the only outbound call, and it’s opt-in.
No auto-update
Updates happen when you explicitly download a new release. No silent patches. What ships is what runs, until you decide otherwise.
Source-available everything
Every line that runs is in the public repository. You can audit it, fork it, build it from source, sign your own builds.
OculiX has been deployed by organizations in regulated sectors — banking, defense, healthcare, government — primarily because it runs on-premises with no third-party calls. The project itself holds no SOC 2 report and no FedRAMP authorization, and HIPAA is a regulation your organization complies with rather than a certification software can carry; what the architecture offers is that it fits more easily into a compliant environment you already control.
Common arrangements we’ve seen with regulated users:
Air-gapped deployment
Build from source on your own infrastructure, mirror artefacts internally, no internet required after the initial build. The architecture supports this out of the box.
Reproducible builds
The Maven artefacts on Central are produced by the same workflow as the GitHub releases. To verify, re-run that workflow on your own infrastructure and compare the checksums of what it produces with the published artefacts on Central and in the GitHub release. Only a byte-identical result proves the published binary came from the published source; if the checksums differ, diff the archive contents before trusting either.
Custom disclosure window
If you find a security issue and need a coordinated disclosure window longer than the default 90 days for internal patching, we honor that.
CISO walkthrough
A code-path walkthrough of the relevant modules with your security team, scheduled by email. Not formalized, but it has happened multiple times.
For procurement-grade documentation packs (indemnification letters, written security architecture statements, audit log walkthroughs), reach out at [email protected].