Security: 0xroylee/devos.ing
Security
Treat API keys and tokens as environment-provided secrets.
Do not hardcode credentials in repository files.
Keep environment resolution centralized in packages/cli/src/features/config/.
Local secret storage uses ~/.devos/config/env.sqlite; never commit this database.
Avoid raw shell command construction in workflow logic.
Use module-level helpers for command execution and argument handling.
Linear access is scoped by configured API key and optional project routing.
GitHub actions should run through authenticated gh usage.
Codex execution settings should remain explicit in environment or onboarding-owned state.
Docker-isolated Codex execution is planned work (ROY-95) and not active in this branch.
When Docker mode is implemented, container isolation will not remove access to host paths that are explicitly mounted into the container.
Host/container UID or GID mismatches can create files with unexpected ownership (for example root-owned artifacts) on mounted paths.
Mounting CODEX_HOME into the container can expose Codex credentials and configuration present in that directory.
Prefer minimal container privileges; avoid workflows that require privileged containers or Docker socket mounting.
There aren't any published security advisories
You can’t perform that action at this time.