NightPilot is a local automation wrapper around Codex. It can invoke shell commands and Codex workers, so treat it like a developer tool with access to your project files.
Open a GitHub issue for non-sensitive security concerns.
For sensitive reports, avoid posting secrets or exploit details publicly. Create a minimal private reproduction and contact the repository owner through GitHub.
Security-relevant areas include:
- unsafe path handling;
- accidental credential logging;
- unsafe deletion or reset behavior;
- incorrectly bypassed verification policy;
- commands that publish, pay, or authenticate without explicit user intent;
- public docs containing private local paths or secrets.
NightPilot should stop or park tasks for:
- external account authorization;
- missing secrets;
- payment;
- irreversible production publishing;
- broad deletion;
- destructive Git reset;
- sustained resource pressure.
NightPilot does not manage credentials. Do not store API keys, tokens, cookies, browser profiles, or production secrets in .codex-autonomous/ or the repository.