How Codmir protects your data, code, and credentials.
Security & Compliance
Codmir is designed with security at every layer — from how we handle your credentials to how AI agents interact with your codebase.
Infrastructure Security
- Data in transit: All connections use TLS 1.3
- Data at rest: Encrypted at the database and storage layer
- API keys: Stored server-side only — the desktop client never holds provider keys locally
- Auth tokens: Opaque 32-character tokens (not JWTs) stored in the cli_tokens table
Authentication
- Email + password with optional 2FA
- OAuth via GitHub, GitLab, Google
- CLI authentication uses opaque tokens with server-side validation
- Session tokens are short-lived and rotated automatically
Agent Security
AI agents in Codmir operate under strict safety controls:
| Control | Description |
|---|---|
| Tool danger classification | Each tool is classified as safe or dangerous |
| Approval gates | Dangerous tool calls require explicit user approval |
| Rate limiting | Tier-based limits on tokens, API calls, and voice minutes |
| Iteration caps | Agent execution loops are capped at 50 iterations |
| Default-dangerous | Unknown tools default to dangerous (safe default) |
Webhook Security
GitHub webhooks verify x-hub-signature-256 via HMAC when GITHUB_WEBHOOK_SECRET is configured. Generic webhook endpoints require authentication in production.
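The check described above, as an added example that is not Codmir's code: GitHub sends x-hub-signature-256 as "sha256=" plus the hex HMAC-SHA256 of the raw request body, so the receiver must hash the exact bytes it received and compare in constant time. The function names, the sample secret and body, and the choice to reject deliveries when no secret is set are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Hypothetical helper (not a Codmir API). Returns true only when the
// x-hub-signature-256 header equals HMAC-SHA256(secret, rawBody).
function verifyGitHubSignature(rawBody, signatureHeader, secret) {
  // Assumption for this example: fail closed when no secret is configured.
  if (typeof secret !== 'string' || secret.length === 0) return false;
  if (typeof signatureHeader !== 'string') return false;

  // Expected header shape: "sha256=" followed by 64 hex characters.
  const match = /^sha256=([0-9a-f]{64})$/i.exec(signatureHeader);
  if (!match) return false;

  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(match[1], 'hex');

  // Both buffers are exactly 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample delivery (not real webhook traffic).
const SAMPLE_SECRET = 'constructed-example-secret';
const SAMPLE_BODY = Buffer.from('{"action": "opened", "number": 1}\n', 'utf8');

// Test-only signer that stands in for the sending side.
function signForDemo(body, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
}

function runDemo() {
  const sig = signForDemo(SAMPLE_BODY, SAMPLE_SECRET);
  // Parsing and re-serializing changes whitespace, so the bytes differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))));
  return {
    valid: verifyGitHubSignature(SAMPLE_BODY, sig, SAMPLE_SECRET),
    reserializedBody: verifyGitHubSignature(reserialized, sig, SAMPLE_SECRET),
    wrongSecret: verifyGitHubSignature(SAMPLE_BODY, sig, 'other-secret'),
    missingHeader: verifyGitHubSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    sha1Header: verifyGitHubSignature(SAMPLE_BODY, 'sha1=' + 'a'.repeat(40), SAMPLE_SECRET),
    noSecret: verifyGitHubSignature(SAMPLE_BODY, sig, undefined),
  };
}

console.log(runDemo());
```

The reserializedBody case is the one that most often breaks real handlers: a JSON body parser that runs before the check leaves only the parsed object, so the raw bytes have to be captured first.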
WebSocket Security
All WebSocket gateways (/voice, /mcp, /agent, /ide-server) authenticate via AuthService.authenticateSocket() on connection. Unauthenticated connections are rejected.
Enterprise Features
Enterprise plans include:
- SSO (SAML / OAuth)
- Audit logs for all security-relevant actions
- IP allowlisting
- Enforced 2FA for all team members
- Role-based access control
Reporting Vulnerabilities
If you discover a security vulnerability, please email security@codmir.com. We take all reports seriously and will respond within 48 hours.