Skip to content

Security: Dear-Ded/nightpilot-codex

Security

SECURITY.md

Security

NightPilot is a local automation wrapper around Codex. It can invoke shell commands and Codex workers, so treat it like a developer tool with access to your project files.

Reporting

Open a GitHub issue for non-sensitive security concerns.

For sensitive reports, avoid posting secrets or exploit details publicly. Create a minimal private reproduction and contact the repository owner through GitHub.

Scope

Security-relevant areas include:

  • unsafe path handling;
  • accidental credential logging;
  • unsafe deletion or reset behavior;
  • incorrectly bypassed verification policy;
  • commands that publish, pay, or authenticate without explicit user intent;
  • public docs containing private local paths or secrets.

Expected Guardrails

NightPilot should stop or park tasks for:

  • external account authorization;
  • missing secrets;
  • payment;
  • irreversible production publishing;
  • broad deletion;
  • destructive Git reset;
  • sustained resource pressure.

Not a Secret Store

NightPilot does not manage credentials. Do not store API keys, tokens, cookies, browser profiles, or production secrets in .codex-autonomous/ or the repository.

There aren't any published security advisories