codex-spine is a user-level macOS workstation bootstrap and maintenance tool. Its security-relevant behavior is:
- writing generated Codex config under
~/.codex/config.toml - managing symlinks under
~/.codex/and~/.local/bin/ - managing the account-wide
uvpolicy at~/.config/uv/uv.toml - editing user shell startup files to source managed fragments
- installing a user LaunchAgent at
~/Library/LaunchAgents/codex-spine.qmd-codex-chat.plist - bootstrapping Homebrew when it is missing, which can trigger a one-time macOS password prompt before the rest of the install continues in user space
- installing or updating managed third-party user-space tools such as @tobi/qmd, and wiring the optional jGravelle Munch MCP suite (
jcodemunch-mcp,jdocmunch-mcp, andjdatamunch-mcp) through constrained absoluteuvrunner invocations with a stable MCPPATH, backed byexclude-newer = "7 days"as the defaultuvquarantine plus package-specific suite overrides
Outside the optional first-run Homebrew bootstrap path, codex-spine does not require root, install privileged daemons, expose a network service, or act as a sandbox for untrusted code.
- The repo and generated public config are intended to remain secret-free.
- Provider credentials should stay in the user’s normal Codex or operating-system secret mechanisms, not in tracked files.
- The default @tobi/qmd-backed memory flow stores local transcript and derived project-memory data under
~/.cache/qmd/codex_chat. Treat that local index as sensitive if your Codex transcripts contain sensitive content. - Optional jGravelle Munch MCP suite enablement stores only local enablement state under the repo-local
.state/directory. It does not store credentials or a copy of the upstream terms text.
- Tracked repo files and generated local overlays are part of the trusted local installation surface.
- Upstream package artifacts and the fetched terms text shown during optional enablement are external inputs.
codex-spinereduces risk through explicit opt-in enablement and managed<2.0compatibility ceilings for the optional jGravelle Munch MCP suite, not through sandboxing. - Indexed source trees, Codex transcripts, and project-memory material may contain arbitrary user or project content.
codex-spinedoes not claim to sanitize that content for downstream tools.
- single-user workstation operation
- user-space installation without elevated privileges
- macOS-first automation; Linux and Windows analogs are documented inline but not supported as packaged automation in v1
Report security concerns confidentially to the maintainer rather than opening a public issue with exploit details until a dedicated public reporting channel is published.