Security fixes are handled on the current main branch until the project begins publishing versioned releases.

Please report security issues privately through GitHub Security Advisories for this repository. If advisories are not available, open a minimal public issue asking for a private contact path and avoid posting exploit details, tokens, or private project data.

The expected first response time is within 7 days.

Relevant issues include unsafe file writes, unintended disclosure of Codex auth tokens, unsafe token refresh behavior, unintended disclosure of prompts or local paths, packaging supply-chain problems, and vulnerabilities in GitHub Actions.

Do not attach auth.json, bearer tokens, refresh tokens, generated private images, or private prompts to public issues.