Security and visibility model

Threat model focus

The main risk is accidental exposure: serving on a public interface by mistake, exporting private entries, or publishing files without review.

Visibility states and scopes

  • private: local-only by default, excluded from public/unlisted exports.
  • unlisted: included only when scope is unlisted or all.
  • public: included in every scope, including public exports.

Scope behavior in code:

  • public => only public
  • unlisted => public + unlisted
  • all => all visibility levels (requires explicit danger flag)

link-garden set-visibility --id <bookmark_id> --visibility public
link-garden export --format html --out ./exports --scope all --dangerous-all

Secure defaults

default_visibility: private
export_default_scope: public
serve_default_scope: public
server_bind_host: 127.0.0.1
require_allow_remote: true

If config.yaml is missing, Link Garden falls back to these secure defaults.

Doctor checks

link-garden doctor
link-garden doctor --rebuild-index
link-garden doctor --fix

The doctor command checks for common issues, including:

  • config warnings and insecure config values
  • invalid frontmatter or missing bookmark files
  • duplicate IDs/URLs in index data
  • private bookmark URLs leaking into exported HTML
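
The scope rules and the leak check listed above can be reproduced independently of the tool to audit an export before publishing it. This is an added example, not Link Garden's own code: the bookmark record shape, the function names and the sample data are assumptions, and the --dangerous-all flag is modeled as a dangerous_all argument.

```python
from html.parser import HTMLParser

# Scope -> visibility levels it may include, as listed on this page.
SCOPE_LEVELS = {
    "public": {"public"},
    "unlisted": {"public", "unlisted"},
    "all": {"public", "unlisted", "private"},
}

def allowed_levels(scope, dangerous_all=False):
    """Return the visibility levels a scope may export."""
    if scope not in SCOPE_LEVELS:
        raise ValueError(f"unknown scope: {scope!r}")
    if scope == "all" and not dangerous_all:
        raise PermissionError("scope 'all' requires the explicit danger flag")
    return SCOPE_LEVELS[scope]

class _TextAndAttrs(HTMLParser):
    """Collect entity-decoded attribute values and text from an HTML export."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        self.parts.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.parts.append(data)

def find_leaks(exported_html, bookmarks, scope, dangerous_all=False):
    """Return sorted ids of bookmarks found in the export but outside the scope."""
    allowed = allowed_levels(scope, dangerous_all)
    parser = _TextAndAttrs()
    parser.feed(exported_html)
    parser.close()  # flush any buffered text
    haystack = "\n".join(parser.parts)
    return sorted(b["id"] for b in bookmarks
                  if b["visibility"] not in allowed and b["url"] in haystack)

# Constructed sample data (hypothetical record shape and URLs).
BOOKMARKS = [
    {"id": "bm-1", "url": "https://example.org/docs", "visibility": "public"},
    {"id": "bm-2", "url": "https://example.org/draft?a=1&b=2", "visibility": "unlisted"},
    {"id": "bm-3", "url": "https://intranet.example/wiki", "visibility": "private"},
]
EXPORT = ('<ul><li><a href="https://example.org/docs">Docs</a></li>'
          '<li><a href="https://example.org/draft?a=1&amp;b=2">Draft</a></li>'
          '<li>see https://intranet.example/wiki</li></ul>')
```

Parsing the HTML rather than searching the raw file matters for bm-2: its URL is written with &amp; in the export, so a plain substring search of the file would miss it.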

Non-goals

  • No built-in internet auth gateway.
  • No multi-tenant isolation model.
  • No managed cloud security layer.

Full policy: SECURITY.md.