Report security issues privately to the repository owner instead of opening a public issue.
This repo enforces secret scanning in two places:
- Local hooks:
npm run hooks:installinstalls a pre-commit hook that runs stagedgitleaks. - CI:
.github/workflows/security-gitleaks.ymlruns gitleaks on pull requests and pushes tomain.
Run a full local scan with:
npm run security:gitleaksRun the staged-only scan with:
npm run security:gitleaks:stagedThe scan is configured by .gitleaks.toml. Only deterministic fixtures and generated output should be allowlisted; real secrets, provider keys, OAuth tokens, private keys, .env files, and machine-local credentials must not be committed.
OpenCodeHX will exercise provider auth, tool execution, shell access, config loading, and generated TypeScript. Treat those surfaces as security-sensitive:
- Keep credentials at runtime boundaries and fixtures credential-free by default.
- Prefer typed externs/facades over broad
Dynamicfor security-relevant APIs. - Do not encode personal paths, tokens, or provider keys in
genes-tsrepros. - Keep generated artifacts reproducible and reviewable before considering any public release.