Skip to content

Security: roman-ryzenadvanced/Codex-Launcher-Any-AI-Provider

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
10.13.x
3.13.x
< 3.10

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via:

You should receive a response within 48 hours. If the issue is confirmed, a patch will be released as soon as possible.

Security Considerations

API Key Storage

  • API keys are stored locally in ~/.codex/endpoints.json
  • Keys are never transmitted to any server except the configured AI provider
  • The proxy does not log API keys
  • Recommendation: Set file permissions to 600 on endpoints.json

OAuth Tokens

  • OAuth tokens for Google Gemini/Antigravity are stored locally
  • Tokens are refreshed automatically using PKCE flow
  • Token storage location: ~/.codex/

Proxy Security

  • The proxy binds to 127.0.0.1 by default (localhost only)
  • Do not expose the proxy to public networks without authentication
  • The --port flag changes the listening port
  • The /admin/* endpoints require the admin API key if configured

Network

  • All outbound connections use HTTPS/TLS
  • Connection pooling with persistent connections
  • SSL certificate verification is always enabled

Threat Model

  • In scope: API key leakage, unauthorized proxy access, supply chain attacks on dependencies
  • Out of scope: Compromised AI provider endpoints, local machine compromise
  • Zero dependencies: The project uses only Python stdlib, minimizing supply chain risk

Best Practices for Users

  1. Protect your API keys: Set chmod 600 ~/.codex/endpoints.json
  2. Use localhost binding: Default 127.0.0.1 binding prevents network exposure
  3. Keep updated: Update to the latest version for security fixes
  4. Review configs: Periodically check ~/.codex/ for unauthorized changes
  5. Docker: Use the provided Docker image for additional isolation

There aren't any published security advisories