Skip to content

Security: Anes-03/Codais

Security

SECURITY.md

Security Policy

Codais is an early-stage prototype that touches local files, shell execution, relay tokens, and Codex CLI workflows. Please treat security-sensitive findings carefully.

Reporting a Vulnerability

Do not post secrets, exploit details, private workspace data, tokens, logs with credentials, or private screenshots in a public issue.

If you believe you found a vulnerability:

  • Open a minimal public issue that names the affected area and asks for a private disclosure path.
  • Do not include reproduction steps that expose private data or make the issue easy to exploit.
  • Include your preferred contact method if you are comfortable sharing it.

Until a dedicated private security contact is available, security reports are coordinated through GitHub issues with sensitive details withheld from the public thread.

Security-Sensitive Areas

Please be especially careful with changes involving:

  • Companion authentication and authorization.
  • Workspace file browsing and file preview behavior.
  • Codex CLI execution boundaries.
  • Relay pairing, access tokens, refresh tokens, revocation, and WebSocket routing.
  • Storage of tokens or API keys in Keychain, environment variables, local state, or logs.
  • CORS, host binding, and endpoint exposure outside local development.

Local Development Guidance

  • Set COMPANION_TOKEN before exposing the companion beyond local-only development.
  • Do not commit .env files, relay state, API keys, bearer tokens, signing material, provisioning profiles, or private screenshots.
  • Keep relay state and local development data out of version control.
  • Redact private workspace paths, device names, URLs, and user identifiers from logs and screenshots before sharing.

Supported Versions

Codais does not currently have stable releases. Security fixes are handled on the main branch while the project is in prototype status.

There aren't any published security advisories