Security: manav8498/ctxcohere

SECURITY.md

Security Policy

ctxcohere is local-first. It does not send telemetry by default.

Supported Versions

Security fixes are applied to the latest release line.

Reporting a Vulnerability

Please do not file a public issue for a suspected vulnerability.

Send a private report to the project maintainer with:

  • A short description of the issue.
  • Steps to reproduce.
  • Expected impact.
  • Any suggested fix or mitigation.

Security Scope

In scope:

  • Path traversal in source snapshotting.
  • Symlink handling.
  • Secret leakage through captured context.
  • MCP session handling.
  • Unsafe patch promotion behavior.

Out of scope:

  • Kernel-level sandbox escapes.
  • Malicious agents deliberately bypassing the ctxcohere wrapper.
  • Third-party agent behavior outside ctxcohere integrations.

There aren't any published security advisories