WebMuse is an early-alpha OSS project for safer Codex-assisted reference-style website reconstruction workflows.
Security and privacy boundaries are part of the core product design.
Never commit:
- API keys;
- OpenAI or Codex login files;
- tokens;
- cookies;
- SSH keys;
- certificates;
- proxy settings;
- local absolute-path configuration;
- customer materials;
- private brand assets;
- recordings;
- private screenshots, raw screenshots, or customer screenshots;
- extracted frames;
- generated output sites;
- review package zips;
- runtime logs.
Current public builds do not enable real Codex CLI execution, OpenAI API calls, Ollama calls, LM Studio calls, or automatic website generation.
Future real execution must be gated by:
- readiness checks;
- dry-run plans;
- sandbox path validation;
- allowed write-root validation;
- forbidden-root checks;
- proof-check artifacts;
- approval gates;
- rollback confirmation;
- failure recovery rules.
AI-generated or AI-modified output must never write outside the allowed project workspace. The application must reject writes to installation directories, system directories, credential directories, source repository roots outside the selected project, and other unsafe locations.
Customer materials, logos, screenshots, recordings, and generated delivery packages should stay out of the public repository.
Curated public demo screenshots are allowed only when they are sanitized, low-risk, non-customer, non-secret, and used to explain the workflow.
Do not commit raw recordings, extracted frame sets, customer materials, credentials, local path configuration, full generated output-site artifacts, or third-party proprietary assets.
Reference-site screenshots, if used, must be low-risk and must be presented only as observation or layout-rhythm evidence, not as a clone target.
Curated motion frame strips or compressed original-speed motion previews may be committed when they are sanitized, low-risk, non-customer, non-secret, and used only to explain workflow evidence.
Raw long recordings and extracted frame folders should not be committed.
For now, use GitHub Issues for non-sensitive security concerns.
Do not post secrets, tokens, private customer files, or exploitable details publicly. If a sensitive report is needed, open a minimal issue asking for a private contact path without disclosing the sensitive content.