If you discover a security vulnerability, please report it by opening an issue or contacting the maintainers directly.

Codie follows these security practices:

• No secrets in artifacts: Never store API keys, tokens, or credentials in .planning/ files
• Prompt injection defense: All file contents are treated as untrusted data
• Path validation: File operations are restricted to project directories
• External service confirmation: Always confirm before interacting with external services