Security updates are provided for the current maintained release line.

codex-multi-auth handles OAuth credentials and account metadata locally.

Key controls:

• PKCE-based OAuth flow.
• Local storage under ~/.codex/multi-auth (or CODEX_MULTI_AUTH_DIR).
• Refresh-token lifecycle management and account health isolation.
• No project-owned telemetry backend.

• Do not share ~/.codex/ directories.
• Never commit auth files, logs, or cache artifacts.
• Review connected apps in ChatGPT settings periodically.
• Enable debug/body logging only for short-lived troubleshooting sessions.

Sensitive logging toggles:

• ENABLE_PLUGIN_REQUEST_LOGGING=1 (metadata)
• CODEX_PLUGIN_LOG_BODIES=1 (raw bodies; sensitive)

If you discover a vulnerability:

1. Do not open a public issue.
2. Contact the maintainer privately via GitHub profile contact channel.
3. Include:
   • vulnerability description
   • reproduction steps
   • impact assessment
   • suggested mitigation (optional)

Target response time: within 48 hours.

• Fixes are prepared before public disclosure.
• Reporter attribution is provided unless anonymity is requested.
• Disclosure timing is coordinated to reduce user risk.

The following are not treated as vulnerabilities in this repository:

• OpenAI platform outages.
• Account/subscription entitlement limitations.
• Expected upstream rate limiting.
• Requests to bypass OpenAI terms or controls.

Security override rationale (package.json -> overrides):

• hono: pinned to ^4.12.3 to keep builds out of the vulnerable 4.12.0-4.12.1 range reported in GHSA-xh87-mx6m-69f3 (authentication bypass advisory).
• rollup: pinned to ^4.59.0 to keep the Vite and Vitest transitive graph above the vulnerable <4.59.0 range surfaced by npm audit.

Before release and after dependency changes:

npm run audit:ci
npm run lint
npm run typecheck
npm test
npm run build

For non-vulnerability security questions, open a GitHub discussion.

This project is not affiliated with OpenAI. For OpenAI platform security concerns, contact OpenAI directly.