
Security: rldyourmnd/codex-cli-bootstrap


SECURITY.md

Security Policy

Supported Scope

Security reports are welcome for the current default branch, the latest release tag, and the active runtime/export pipeline that this repository represents. Older tags and forks are out of scope unless the issue also reproduces on the default branch or latest release.

Reporting A Vulnerability

Do not open public issues for security vulnerabilities.

Preferred reporting path:

  1. Use GitHub private vulnerability reporting for this repository.
  2. Include reproduction steps, the impact you observed, the affected files, and any proposed mitigation.

Fallback when private reporting is unavailable:

  1. Email danilsilantyevwork@gmail.com with the subject SECURITY: codex-cli-bootstrap.
  2. Do not publish technical details in a public issue.
  3. If email is also unavailable, open a minimal public issue that only asks the maintainer for a private contact channel, without disclosing the vulnerability details.

What To Report

  • Secret handling or credential exposure
  • Unsafe bootstrap, install, or verification behavior
  • Rules or automation that grant permission for dangerous actions more broadly than necessary
  • Supply-chain or integrity issues in the restore pipeline
  • Documentation that could lead users to expose secrets or leave the system in an unsafe state

Response Expectations

  • Initial triage target: within 72 hours of receipt
  • Follow-up status target: within 7 days
  • Fix timing depends on severity, exploitability, and maintainer capacity

Please avoid public disclosure until the report has been triaged and you have heard back from the maintainer.
