Codais is an early-stage prototype that touches local files, shell execution, relay tokens, and Codex CLI workflows. Please treat security-sensitive findings carefully.
Do not post secrets, exploit details, private workspace data, tokens, logs with credentials, or private screenshots in a public issue.
If you believe you found a vulnerability:
- Open a minimal public issue that names the affected area and asks for a private disclosure path.
- Do not include reproduction steps that expose private data or make the issue easy to exploit.
- Include your preferred contact method if you are comfortable sharing it.
Until a dedicated private security contact is available, security reports are coordinated through GitHub issues with sensitive details withheld from the public thread.
Please be especially careful with changes involving:
- Companion authentication and authorization.
- Workspace file browsing and file preview behavior.
- Codex CLI execution boundaries.
- Relay pairing, access tokens, refresh tokens, revocation, and WebSocket routing.
- Storage of tokens or API keys in Keychain, environment variables, local state, or logs.
- CORS, host binding, and endpoint exposure outside local development.
- Set
COMPANION_TOKENbefore exposing the companion beyond local-only development. - Do not commit
.envfiles, relay state, API keys, bearer tokens, signing material, provisioning profiles, or private screenshots. - Keep relay state and local development data out of version control.
- Redact private workspace paths, device names, URLs, and user identifiers from logs and screenshots before sharing.
Codais does not currently have stable releases. Security fixes are handled on the main branch while the project is in prototype status.