| Version | Supported |
|---|---|
| 1.x | ✅ |
If you discover a security vulnerability in codex-rotate, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email your findings or open a private security advisory
- Include steps to reproduce the vulnerability
- Allow reasonable time for a fix before public disclosure
codex-rotate stores Codex CLI credentials locally with the following protections:
- Directory permissions:
~/.codex-accounts/is created with700(owner-only access) - File permissions: Credential files use
600(owner read/write only) - No network transmission: Credentials are never sent anywhere — they stay on your local filesystem
- Atomic operations: Symlink swaps and flock-based locking prevent partial-write corruption