Security model in plain English
We need Aura on your Mac (the local app) to keep project context close to you, and we need Codexini at the edge (a Cloudflare Worker) to hold service secrets and account state. The upstream model key never ships in the app.
What stays local
- Project folders and source files unless you explicitly ask a model-backed task to use them.
- Local Aura configuration and runtime logs.
- Most voice/session context used to decide what should happen next.
What reaches Codexini
- Browser account requests, magic-link sessions, device records, and billing/account state.
- Live voice or text frames needed to operate the model-backed call.
- Release and installer requests used to deliver the public app.
What to include in a report
- Exact product surface: website, Worker API, installer, Homebrew, DMG, Swift app, or plugin.
- Steps to reproduce with test accounts or fake data where possible.
- Any logs, request IDs, or versions needed to verify the issue.
- Whether the issue exposes secrets, account data, local files, or unauthorized code execution.