Skip to content

Security: nuuxcode/codex-destructive-guard

SECURITY.md

Security policy

Enforcement boundary

Codex Destructive Guard inspects the visible JSON input of a matching tool call only when Codex routes that call through the installed, enabled, and trusted PreToolUse hook. If invoked, it denies matching operations before that tool call executes. Malformed, incomplete, oversized, or internally uninspectable hook input fails closed. Allowed calls produce no output, and denied calls report only stable rule IDs and matched labels—not the full command or tool payload.

Full Access does not override a denial from a hook that runs. Full Access also does not turn this hook into system-wide enforcement: an untrusted, disabled, unsupported, or unrouted action is outside the boundary.

The guard:

  • runs locally;
  • has no third-party Python dependencies;
  • makes no network requests;
  • stores no telemetry or command history;
  • does not read project files, credentials, or environment files.

Important limits

This is a defense-in-depth guardrail, not a sandbox or backup system. It does not reliably detect ordinary output redirection, tee, an overwriting cp or mv, a generic Edit/Write overwrite, destructive behavior hidden inside an apparently safe script or compiled program, remote service side effects, browser actions, or tools that do not pass through the hook. Dynamic or novel syntax can evade a pattern, while conservative matching can cause false positives. The guard does not inspect filesystem state to infer whether a destination already exists.

The context classifier ignores dangerous words only in narrowly proven non-executable text: standalone search commands, terminal-only echo/printf, Git commit messages, and shell comments. A pipe, redirection, command/process substitution, backtick, malformed quote, or ripgrep preprocessor keeps the complete statement under strict scanning. Ripgrep hostname helper programs are treated the same way.

The documented platform contract covers Codex's Bash, apply_patch, and MCP hook matchers. Compatibility aliases are included for current clients, but users should verify the active hook in /hooks after every install or update.

Keep tested backups and version control, prefer sandboxed permission modes, separate production credentials, and review unfamiliar scripts before running them. Never use this guard as the sole control protecting production data.

Reporting a vulnerability

Please use GitHub's private vulnerability reporting for this repository. Do not include real credentials, private commands, or sensitive file contents in the report.

There aren't any published security advisories