Please report security issues privately instead of opening a public GitHub issue.
Email: security@codag.ai
Include the affected version, operating system, reproduction steps, and any logs or screenshots needed to understand the issue. Do not include secrets or customer data in the initial report.
The Codag CLI is a local client for the hosted Codag API by default. Log lines
passed to codag wrap, codag onboard, or Codag MCP tools are sent to the
configured Codag API server for compression.
Provider credentials configured through codag setup are stored locally in
~/.config/codag/config.json. The file is written with mode 0600.
Use CODAG_SERVER or codag config set server <url> to target a local,
staging, or self-hosted API.
Security fixes are shipped in the latest released version of the CLI.