vector-search

Fail

Audited by Socket on Mar 5, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

This code implements a legitimate and well-scoped vector search and RAG pipeline for construction documentation. I found no signs of obfuscated or intentionally malicious code, remote code execution, or hard-coded credentials. The primary security concern is data exposure: the module reads arbitrary filesystem content, stores full-text chunks in vector DB payloads (which may be persisted locally or sent to remote Qdrant), and sends concatenated document text to OpenAI for RAG — all without redaction, PII filtering, or indexing policies. These behaviors create moderate risk of sensitive-data exfiltration and prompt-injection influence on downstream LLM outputs. With operational controls (restrict indexing scope, PII redaction, private DBs, and minimizing prompt context) the library can be used safely for its intended purpose.

Confidence: 98%
Audit Metadata
Analyzed At
Mar 5, 2026, 04:33 AM
Package URL
pkg:socket/skills-sh/datadrivenconstruction%2FDDC_Skills_for_AI_Agents_in_Construction%2Fvector-search%2F@57018dceeda204ab38de392e4a183bf446670693