opub CLI handles local provider credentials and starts funded local agent sessions. Please keep reports minimal and sanitized.
Do not include provider keys, OAuth tokens, .env files, prompts, responses, private code, raw provider payloads, or other secrets in GitHub issues, discussions, logs, screenshots, or reproduction archives.
Security-sensitive areas include:
- Credential storage and fallback
--insecure-storagebehavior. - Secretless MCP boundaries and local session state.
- Agent environment injection for Copilot CLI, Claude Code, and Codex.
- Installer behavior, release artifacts, and checksum verification.
MCP must remain secretless. It must not be expanded to artifact tracking, prompt tracking, response tracking, private-code tracking, or work-unit tracking.
For private reports, email hello@opub.dev with a short summary and a sanitized reproduction path. Please do not attach secrets or raw provider payloads.
Public issues are welcome for non-sensitive bugs and documentation problems.