Skip to content

Security: vanzan01/codex-protect

Security

SECURITY.md

Security policy

Scope

Codex Protect is a personal-use reference policy, not a complete security boundary. Reports are useful when a command documented as blocked is allowed through the same tested Codex execution path, when an allowed control is incorrectly blocked, or when setup guidance can damage or overwrite existing user configuration.

Reporting

Before a public release establishes a private reporting address, open a GitHub issue only when the report contains no secrets, credentials, private repository names, personal paths, or exploitable private details. For a sensitive bypass, contact the repository owner privately instead of publishing reproduction details.

Include:

  • Codex version and surface: CLI, app, or IDE.
  • Operating system, version and shell.
  • Bun version.
  • Relevant rule or hook category.
  • Whether the policy was trusted through CLI /hooks and Codex was restarted.
  • The smallest safe reproduction using a disposable repository.
  • Expected and observed PASS/FAIL result.

Never test a report against production repositories, writable production credentials, or valuable files.

Supported and validated environments

  • Windows: repository package validated with Codex CLI 0.144.1 and Bun 1.3.6; original live/destructive suite documented in docs/TEST_EVIDENCE.md.
  • macOS: primary-agent validation documented with macOS 26.5.1, Codex CLI 0.144.1 and Bun 1.3.14; subagent validation pending.
  • Linux: not currently claimed.

Response expectations

This personal project does not currently promise a formal response or remediation SLA. Security-sensitive claims must remain scoped to the exact versions and execution paths that were independently tested.

There aren't any published security advisories