Product
Verification Pipeline Context Management AI Agents Code Editor Multi-Model AI Code Review Cloud Publish Deploy Project Memory HQ Kanban Board Power Users
Platforms
Desktop App CLI VS Code Web
Resources
Pricing Documentation Blog Community Changelog Roadmap FAQ Mulu Certified
Company
Mission Support Security Contact Status Our Promise Legal
Download free
Security

Security at Mulu Code

Your code, your data, your credentials. Protected by design.

Last updated: March 2026

Overview

Security is foundational to Mulu Code, not an afterthought. We follow a local-first, zero-trust architecture: your project files never leave your machine unless you explicitly choose to deploy. The app communicates with external services only for AI model inference and authentication, and both channels are secured with the measures described below.

Local-First Architecture

All project data lives on your local machine. When you open a project, Mulu Code reads and writes files directly to your chosen directory. There is no background sync, no cloud mirroring, and no silent uploads.

The only network traffic the app generates is for AI inference (routed through our secure proxy), user authentication, and update checks. None of these transmit your project source code.

Encryption

Data at Rest

Sensitive data stored locally is protected with AES-256-GCM encryption. Each encryption operation uses a cryptographically random salt and initialization vector, with key derivation via a memory-hard algorithm.

OS-Level Credential Storage

Credentials requiring maximum protection are delegated to your operating system's native credential store -- Keychain on macOS, DPAPI on Windows, and the Secret Service on Linux.

In-Transit Encryption

Secrets passed between internal application processes are encrypted with a session-scoped key generated at app startup. Plaintext values are held in memory only briefly and immediately cleared.

Process Isolation

Mulu Code enforces strict process isolation. The UI layer runs in a sandboxed environment with no direct access to the filesystem, system APIs, or credentials. All operations go through a narrow, explicitly defined API surface.

Content Security Policy. Production builds enforce a strict CSP: script sources are restricted to the application itself, connection targets are limited to known API endpoints, and object embeds are blocked entirely.

Secure API Routing

All AI model requests are routed through a secure proxy that holds provider API keys as environment secrets. These keys are never sent to, stored on, or accessible from your device.

The proxy enforces origin validation, rejecting requests from unauthorized sources. Rate limiting at 30 requests per minute per IP prevents abuse.

File System Security

The application maintains an allowlist of project directories that you have explicitly opened. Every file operation validates that the target path falls within an allowed directory. Paths are normalized and checked to prevent traversal attacks.

Additional protections include a 10 MB file size limit for read operations and a blocklist of dangerous file extensions (.exe, .dll, .bat, .cmd, .sh, .ps1).

Terminal Safety

Terminal commands are screened against a blocklist of dangerous patterns before execution. Destructive operations, privilege escalation attempts, and fork bombs are automatically rejected.

Secrets Management

Mulu Code provides a secure flow for managing environment variables. Variable names are validated to prevent injection, and target file paths are verified. Values are encrypted before internal transmission, decrypted only at the point of writing, and immediately cleared from memory.

Security Scanner

Mulu Code includes a built-in security scanner that analyzes your project for vulnerabilities. The scanner runs in a background thread and uses a two-stage approach:

Stage 1: Pattern Detection -- Files are scanned for hardcoded secrets, dangerous code patterns, and common security misconfigurations.

Stage 2: AI-Powered Review -- Flagged files are analyzed by an AI model to distinguish real vulnerabilities from false positives.

Cloud

Apps deployed to Mulu Cloud receive DDoS protection, automatic SSL certificate provisioning, and HTTPS by default. The database layer provides row-level security (RLS) policies.

Data & Privacy

Mulu Code does not collect telemetry or usage analytics by default. We do not sell or share your data. We do not use your code, prompts, or project data to train AI models.

You can delete your account and all associated cloud data at any time.

Reporting Security Issues

If you discover a security vulnerability, please report it through our contact page with the subject "Security Report." We will acknowledge receipt within 48 hours.

We ask that you practice responsible disclosure and refrain from publishing details until we have had the opportunity to investigate and address the issue.