Security: Boulea7/ccswitch-terminal

Security Policy

Supported Scope

Please report issues related to:

  • secret handling
  • provider switching safety
  • runtime lease / restore behavior that can corrupt live config
  • unintended credential exposure in history, probe cache, generated files, or activation env files

Supported Versions

Security fixes are handled on the newest public release line first.

  • main: best-effort triage for issues not yet released
  • latest tagged release: fully supported for security fixes and coordinated disclosure
  • older tags: reporters may be asked to upgrade before a fix is confirmed or backported

Private Reporting Path

Do not open a public issue for an active vulnerability or a report that contains sensitive material.

Use one of these private reporting paths, in this recommended order:

  1. Use GitHub Security Advisories private reporting when it is available to you.
  2. If you cannot use GitHub private advisories, email opensource@lnzai.com.
  3. Only fall back to a public issue when both private channels are unavailable, and remove all sensitive details first.

Include:

  • affected version, commit, or branch
  • whether the report applies to main only or to an already published release noted in CHANGELOG.md
  • reproduction steps
  • impact and attacker prerequisites
  • sanitized logs, screenshots, or temp-home artifacts
  • whether the issue requires a managed CLI to already be installed

Please do not send:

  • real API keys, tokens, cookies, or .env contents
  • absolute local paths, usernames, hostnames, or workstation-specific directory layouts
  • live provider configs copied directly from your machine without redaction

If you report by email, include [security] in the subject line and provide the same sanitized reproduction details listed above.

If private advisories are unavailable from your account and email is not possible, open a public issue with sensitive details removed and explicitly say that a private security follow-up is needed.

GitHub CodeQL is enabled for this repository, but automated alerts are only an additional signal. They are not a substitute for a private security report when you have a real exploit path or sensitive reproduction details.

Response Window

  • Initial acknowledgement target: within 3 business days
  • Reproducibility / severity follow-up target: within 7 calendar days after acknowledgement
  • Status updates target: at least every 14 calendar days until the issue is resolved or a mitigation is published

These are response targets, not guarantees of a fixed release date.

Safe Disclosure Notes

  • Never include real API keys, tokens, cookies, session exports, or auth-bearing URLs in reports.
  • Never include absolute local paths such as /Users/..., machine names, or usernames unless they are essential to reproduce the issue.
  • Prefer reproductions that use temp directories, fake homes, and test tokens.
  • If the issue depends on generated ~/.ccswitch/*.env files, describe the shell and whether it is POSIX-compatible.
  • If you must attach config examples, replace provider names, relay domains, and file paths with placeholders before sending them.

Codex ChatGPT Snapshot Reports

Codex ChatGPT providers may involve local snapshots of ~/.codex/auth.json under ~/.ccswitch/codex-chatgpt/. Treat those files as private credentials.

When reporting Codex account switching issues:

  • Redact chatgpt_access_token, id_token, refresh tokens, cookies, and account-specific identifiers.
  • Replace real emails and provider names with placeholders such as user-a@example.test, pro, and pro1.
  • Include whether you used ccsw capture codex <provider>, ccsw login codex <provider>, cxsw sync on, or cxsw share prepare.
  • Separate Codex CLI login problems from Codex Apps / remote MCP startup problems. MCP errors involving codex_apps, openaiDeveloperDocs, deepwiki, OAuth, proxy, or WebSocket transport may need their own sanitized diagnostics.

There aren't any published security advisories