Nodix is being prepared for a public source release. This repository is public now, but the first complete source and package release will follow after the public-surface review is complete.
Please do not open a public issue for a suspected vulnerability. Use GitHub's private vulnerability reporting flow for this repository when available, or contact the maintainers through the security contact listed by the Sno AI organization.
- Do not commit API keys, tokens, passwords, local database files, or `.env` files.
- Keep local secrets in environment files or an external secret manager.
- Treat plugin manifests, installer scripts, and model/provider configuration as security-sensitive release surfaces.
- Default local storage paths must be documented before the first complete source release.
- Optional network or cloud-provider behavior must be opt-in and clearly documented.
- Security metadata such as `openclaw.security.json` must match the shipped package behavior before npm publication.