TrinaxAI is a local-first application. Your code, documents, conversations, and queries never leave your machine. There are no cloud calls, no telemetry, no analytics backends, and no subscriptions that could be data-mined. The only active network endpoints are Ollama onDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/TrinaxCode/TrinaxAI/llms.txt
Use this file to discover all available pages before exploring further.
localhost:11434 and the RAG API on localhost:3333 — both bound to your own device.
This page explains the full security model: what is protected by default, what you must explicitly enable to expand access, and the recommended hardening steps for LAN or remote deployment.
Privacy Guarantee
Every component runs on your local machine or trusted LAN:- Ollama — runs on
127.0.0.1:11434by default. All LLM inference is local. - RAG API — FastAPI backend on
localhost:3333. All vector search, BM25 retrieval, and reranking are local. - PWA — static React app served over self-signed HTTPS. No external API calls except Google Fonts.
- Indexer — reads only files you specify. Writes only to
storage/andlocal_sources/within the repo directory.
The README FAQ confirms: “No chat data, code, or documents leave your machine.” The only external request from the PWA is to Google Fonts for typography — no content is transmitted.
Security Layers
The table below maps each component to its default posture and how to harden it further.| Layer | Default | How to harden |
|---|---|---|
| RAG API | Binds to 0.0.0.0:3333 for LAN PWA and phone access | Set TRINAXAI_HOST=127.0.0.1 for localhost-only |
System endpoints (/system/*) | Require localhost origin or valid admin token | Set TRINAXAI_ADMIN_TOKEN to a strong value; keep TRINAXAI_ALLOW_LAN_SYSTEM=0 |
| Ollama | Binds to 127.0.0.1:11434 by default | Firewall port 11434; do not set OLLAMA_HOST=0.0.0.0 unless required |
| PWA | Served over HTTPS with a generated self-signed certificate | Trust the cert per device; use nginx/Caddy with Let’s Encrypt for a custom domain |
| File uploads | Sanitized and sandboxed to local_sources/collections/ | Adjust TRINAXAI_UPLOAD_MAX_BYTES and TRINAXAI_UPLOAD_MAX_FILES |
| CORS | localhost + your LAN IP allowlist | Customize via TRINAXAI_CORS_ORIGINS |
LAN System Control
System endpoints (/system/*) provide privileged operations: starting and stopping services, triggering indexing, uploading files, and modifying configuration. These endpoints are disabled for LAN origins by default.
Enabling LAN system control
- At install time (recommended)
- Via .env
TRINAXAI_ADMIN_TOKEN automatically and writes it to .env.TRINAXAI_ALLOW_LAN_SYSTEM=0 (the default), a LAN attacker can reach only read-only endpoints:
GET /health— service statusGET /resources— model listGET /collections— collection metadataGET /app-state— shared key-value store
Admin Token
When LAN system control is enabled, all/system/* requests from non-localhost origins must carry a valid admin token.
Passing the token
Generating a strong token
.env:
Localhost requests (from the same machine,
127.0.0.1 or ::1) are always allowed to system endpoints regardless of the admin token. The token is only required when TRINAXAI_ALLOW_LAN_SYSTEM=1 and the request comes from a LAN IP.CORS Configuration
TrinaxAI uses CORS to restrict which browser origins can call the RAG API. By default, only the local PWA origin is allowed.| Variable | Default | Description |
|---|---|---|
TRINAXAI_CORS_ORIGINS | https://localhost:3334,http://localhost:3334 | Comma-separated list of allowed origins. Add your LAN IP if accessing the PWA from other devices. |
TRINAXAI_CORS_ORIGIN_REGEX | LAN subnet regex (localhost, 10.x, 192.168.x, 172.16-31.x on ports 3334/3335) | Regex pattern for dynamic origin matching. Override to narrow or expand the allowed subnet (e.g., https://192\.168\.1\.\d+:3334). |
Example: Allow LAN access from a phone
Example: Allow any LAN IP on the 192.168.1.x subnet
TLS Configuration
| Variable | Type | Default | Description |
|---|---|---|---|
TRINAXAI_RAG_HTTPS | bool | 1 | Serve the RAG API over HTTPS. The installer generates a self-signed certificate in certs/. |
TRINAXAI_TLS_VERIFY | bool | 0 | Whether the Python client verifies TLS certificates when calling the RAG API. Defaults to 0 for self-signed localhost certs. Set to 1 when using a CA-signed certificate (e.g., Let’s Encrypt). |
localhost and your LAN IP. You must trust it on each device that accesses the PWA:
- iOS: Safari will prompt to trust the certificate when first accessing
https://[LAN-IP]:3334. - Android: Chrome will show a “Your connection is not private” warning; proceed via “Advanced”.
- Desktop: Add the cert to your system keychain or browser trust store.
Rate Limiting
The RAG API enforces a token-bucket rate limit to prevent resource exhaustion on local hardware:| Variable | Default | Description |
|---|---|---|
TRINAXAI_RATE_LIMIT_PER_MINUTE | 30 | Maximum chat/retrieval requests per minute per IP address. Thread-safe token bucket implementation. |
Threat Model Summary
TrinaxAI’s threat model (documented in full in SECURITY.md) makes three assumptions:- Trusted local machine — the host is not compromised.
- Trusted LAN (when enabled) — devices on the same WiFi are trusted when
TRINAXAI_ALLOW_LAN_SYSTEM=1. - Untrusted internet — TrinaxAI should never be exposed directly to the internet without a VPN or authenticated reverse proxy.
Attack vectors and mitigations
Attack vectors and mitigations
| Scenario | Risk | Mitigation |
|---|---|---|
| LAN attacker, default config | Read-only endpoints only; chat is rate-limited. | Default config is safe. |
LAN attacker + ALLOW_LAN_SYSTEM=1, no token | Full system control — shutdown, indexing, file uploads. | Always set TRINAXAI_ADMIN_TOKEN. |
| Remote attacker (internet) | Should be impossible if ports are not forwarded. | Use a VPN; never forward ports 3333, 3334, 11434. |
| Malicious upload | Path traversal attempt in uploaded files. | Uploader uses _safe_rel_path() and _collection_slug() sanitization; absolute paths and .. entries are rejected. |
| Malicious backup tarball | Overwrite system files via backup.sh restore. | Tarball contents validated before extraction; absolute paths and .. entries are rejected. |
| Exposed Ollama | Anyone on LAN can use your models if OLLAMA_HOST=0.0.0.0. | Default installer binds Ollama to 127.0.0.1; firewall port 11434. |
Recommendations for LAN and Remote Access
For secure remote access, follow these steps:-
Use a VPN — Tailscale (zero-config, free for personal use) or WireGuard give you a private IP your devices can reach from anywhere.
-
Firewall the ports — restrict 3333, 3334, and 11434 to localhost and your VPN subnet.
-
Set a strong admin token — if you enable LAN system control:
-
Bind to localhost only — if you don’t need LAN PWA access:
-
Audit your install regularly:
Security Audit
Thetrinaxai doctor command performs a live health check of your installation and reports:
- Which profile and models are active
- Whether Ollama is reachable and which models are downloaded
- Whether the RAG API is running and healthy
- Active security settings (
ALLOW_LAN_SYSTEM,ADMIN_TOKENpresence, CORS origins) - Dependency versions and any known issues
Reporting Vulnerabilities
Do not open a public GitHub issue for security vulnerabilities. Instead, email trinaxcode@gmail.com with:- A description of the vulnerability
- Steps to reproduce
- Affected component (RAG API, PWA, CLI, installer, shell scripts)
- Whether you believe it is remotely exploitable