Codex API Switchboard is designed as a static, local-only browser utility.
The public page must not:
- upload config files
- persist data in browser storage
- use cookies
- open WebSocket or EventSource connections
- send analytics or telemetry
- call external APIs
The Cloudflare Pages _headers file keeps connect-src 'none' to enforce the no-network model at the browser policy layer.
The visible output masks experimental_bearer_token by default. Copy and download actions use the full generated TXT in the current browser session.
Do not commit private config.toml files, generated TXT files containing real bearer tokens, screenshots containing secrets, or local machine paths.
Please open a GitHub issue with reproduction steps and browser details for security-relevant behavior.