Files
The BROKE Cluster Team 7f10187bee fix: Runtime gates + unit tests; benchmark GPU analysis
Core:
- Run preflight passes probe/framework to audio_runtime_compatibility
- STT model_type gate extended (vibevoice, audio)
- MLX 0.30.x compat: catch Exception in whisper_tokenizer
- Embedding-gate unit tests (3 tests)
- Removed get_encoding duplication (-45 LOC)

Benchmark:
- GPU analysis section in reports
2026-02-07 23:38:34 +01:00

169 lines
7.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Policy
## Overview
MLX Knife is designed to run locally on your Apple Silicon Mac. It prioritizes user privacy and security by keeping all model execution local.
**Important distinction:** MLX Knife integrates upstream libraries (mlx-lm, mlx-vlm, mlx-audio, transformers) whose behavior is outside our direct control. This document describes what **mlx-knife itself** does; upstream libraries may behave differently.
## Security Model
### What MLX Knife Itself Does
- ✅ Runs models locally on your device
- ✅ Downloads models only from HuggingFace (via `pull`, `clone`)
- ✅ Uploads only when you explicitly run `push` (opt-in, requires credentials)
- ✅ API server binds to localhost by default
- ✅ No telemetry or usage tracking
- ✅ No automatic updates or phone-home features
### What MLX Knife Itself Doesn't Do
- ❌ No model outputs are logged or transmitted
- ❌ No user tracking or analytics
- ❌ mlx-knife code does not initiate network requests during `run`, `server`, or `show`
### Third-Party Libraries
MLX Knife uses external libraries to load and run models. These libraries may download additional files when a model is first used - this is outside mlx-knife's control.
**What this means:**
- Downloading a model with `pull` does not guarantee fully offline use
- Some models may need additional downloads when first run
- We recommend models from `mlx-community/*` but cannot guarantee third-party behavior
**For offline environments:**
Test each model while online before relying on offline use. Use `mlxk clone` to create a local workspace for better isolation.
## Reporting Security Vulnerabilities
If you discover a security vulnerability in MLX Knife, please help us address it responsibly:
### Do NOT:
- ❌ Open a public GitHub issue
- ❌ Post about it on social media
- ❌ Exploit it maliciously
### Please DO:
1. **Email**: Send details to broke@gmx.eu
2. **Or**: Create a private security advisory on GitHub
3. **Include**:
- Affected version(s)
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and work on a fix.
## Security Considerations
### Model Downloads (`mlxk pull`)
- **Source**: Models are downloaded from HuggingFace only
- **Verification**: HuggingFace provides checksums for file integrity
- **Risk**: Malicious models could theoretically exist on HuggingFace
- **Mitigation**: Only download models from trusted organizations (e.g., `mlx-community`)
### API Server (`mlxk server`)
```bash
# Safe (localhost only):
mlxk server --port 8000
# CAUTION (network accessible):
mlxk server --host 0.0.0.0 --port 8000
```
**WARNING**: When using `--host 0.0.0.0`:
- The API becomes accessible from your network
- No built-in authentication or rate limiting
- Anyone on your network can use your models
- Could potentially be exposed to the internet (check firewall!)
**Recommendations for network access:**
- Use a reverse proxy with authentication (nginx, Caddy)
- Implement firewall rules
- Never expose directly to the internet
- Consider VPN-only access
### Model Execution
- **Memory**: Large models can consume significant RAM/GPU memory
- **CPU/GPU**: Model execution can be resource-intensive
- **Disk**: Models are cached locally (can be multiple GB each)
### File System Access
- **Cache Location**: `~/.cache/huggingface/hub` or `$HF_HOME`
- **Permissions**: Standard user permissions apply
- **Cleanup**: Use `mlxk rm <model>` to safely remove models; avoid manual deletion in the user cache
### Hugging Face Cache Integrity
- Separate contexts: use an isolated test cache for automated tests; keep the user cache for manual/production work
- HF_HOME: set explicitly for user work if needed; tests should not override user HF_HOME by default
- Safe operations: reads (`list`, `health`, `show`) are always safe; coordinate writes (`pull`, `rm`) in maintenance windows
- Test safeguards: the test suite places a sentinel in the test cache and enforces deletion guards to prevent accidental user-cache modification
### Alpha Push (`mlxk2 push`)
The 2.0 alpha introduces an alpha upload capability. Treat it as optin, with explicit user control.
#### Scope and defaults
- Uploadonly: pushes a specified local folder to a Hugging Face model repo via `huggingface_hub.upload_folder`.
- Requires `HF_TOKEN`; in alpha, `--private` is required to reduce accidental exposure.
- Default branch is `main` (overridable with `--branch`). No manifests or content validation yet.
- Honors default ignore patterns and merges project `.hfignore` when present (e.g., excludes `.git/`, `.venv/`, `__pycache__/`, `.DS_Store`).
#### Privacy and boundaries
- Only files under the path you provide are considered; push does not scan your global caches or home directory.
- No prompts, logs, or runtime telemetry are uploaded.
- No background activity: nothing is sent unless you invoke `mlxk2 push`.
#### Safety controls
- Preflight without network: `--check-only` analyzes the local folder for obvious issues (e.g., missing shards, LFS pointers).
- Plan without committing: `--dry-run` lists prospective adds/deletes vs remote (no upload performed).
- Use restricted tokens and test repos when validating; prefer `--private` and organization/user repos you control.
#### Risks and mitigations
- Risk: Accidental upload of sensitive files included in the folder.
- Mitigate with a minimal, dedicated workspace, `.hfignore`, and `--check-only`/`--dry-run` before pushing.
- Risk: Pushing incomplete or corrupted weights.
- Mitigate by reviewing `workspace_health` from `--check-only` and model card requirements before uploading.
#### User responsibility
**You are responsible for complying with Hugging Face Hub policies and applicable laws (e.g., copyright/licensing) for any uploaded content.** Review all content before uploading and ensure you have appropriate rights to distribute the models and associated files.
#### Network and logging
- Network egress targets only Hugging Face over HTTPS; no thirdparty endpoints.
- In `--json` mode, hub logs may be captured in output for diagnostics; they are not transmitted elsewhere by MLX Knife.
## Security Best Practices
### For Users:
1. **Download models only from trusted sources** (prefer `mlx-community/*`)
2. **Keep the API server local** unless you need network access
3. **Monitor disk usage** - models can be large
4. **Review model cards** on HuggingFace before downloading
5. **Keep Python dependencies updated**: `pip install --upgrade mlx-knife`
### For Contributors:
1. **Never commit secrets** (API keys, tokens)
2. **Validate all inputs** in new features
3. **Use secure defaults** (localhost binding, etc.)
4. **Document security implications** of new features
5. **Test for resource exhaustion** (memory, disk)
## Supported Versions
We provide security updates for these versions:
| Version | Security Support |
| ------- | ------------------ |
| 2.0.4 | :white_check_mark: Current stable |
| 2.0.3 | :white_check_mark: Supported |
| < 2.0.3 | :x: Upgrade recommended |
## Additional Resources
- [HuggingFace Security](https://huggingface.co/docs/hub/security)
- [Apple Platform Security](https://support.apple.com/guide/security/welcome/web)
- [Python Security](https://python.readthedocs.io/en/latest/library/security_warnings.html)
---
**Remember**: Security is everyone's responsibility. If something doesn't feel right, please report it! 🦫