Security: codag-megalith/codag-cli

SECURITY.md

Security

Reporting Vulnerabilities

Please report security issues privately instead of opening a public GitHub issue.

Email: security@codag.ai

Include the affected version, operating system, reproduction steps, and any logs or screenshots needed to understand the issue. Do not include secrets or customer data in the initial report.

Data Boundary

The Codag CLI is a local client for the hosted Codag API by default. Log lines passed to codag wrap, codag onboard, or Codag MCP tools are sent to the configured Codag API server for compression.

Provider credentials configured through codag setup are stored locally in ~/.config/codag/config.json. The file is written with mode 0600.

Use CODAG_SERVER or codag config set server <url> to target a local, staging, or self-hosted API.
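The check below is an added example, not part of the Codag project: it audits the credentials file described above and fails if the file is a symlink, is not owned by the current user, or grants any group or other permission bits. The path and the expected mode 0600 come from this page; the function names and return codes are assumptions made for the example.

```shell
# Added example: audit the Codag CLI config file that holds provider credentials.
# Default path and expected mode (0600) are taken from this policy;
# file_mode and check_codag_config are hypothetical helper names.

file_mode() {
    # Print the octal permission bits (e.g. 600).
    # GNU stat is tried first, BSD/macOS stat is the fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

check_codag_config() {
    # Returns: 0 ok, 1 permissions too broad, 2 file missing,
    #          3 path is a symlink, 4 owned by another user.
    cfg="${1:-$HOME/.config/codag/config.json}"

    # A symlink could redirect credential writes to a less protected location.
    if [ -L "$cfg" ]; then
        echo "FAIL: $cfg is a symlink"
        return 3
    fi
    if [ ! -f "$cfg" ]; then
        echo "SKIP: $cfg not found"
        return 2
    fi
    if [ ! -O "$cfg" ]; then
        echo "FAIL: $cfg is not owned by the current user"
        return 4
    fi

    mode=$(file_mode "$cfg")
    case "$mode" in
        *00)
            # No group or other bits set (600, or a stricter 400).
            echo "OK: $cfg has mode $mode"
            return 0
            ;;
        *)
            echo "FAIL: $cfg has mode $mode, expected 600 (fix: chmod 600 \"$cfg\")"
            return 1
            ;;
    esac
}
```

Call check_codag_config with no argument to audit the default path, or pass another path to check a copy restored from backup.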

Supported Versions

Security fixes are shipped in the latest released version of the CLI.

There aren't any published security advisories