Security: proofofwork-agency/contextrelay

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in ContextRelay, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Email: [email protected]

We will acknowledge your report within 48 hours and provide an estimated timeline for a fix.

Security Model

ContextRelay is a local developer tool for one trusted user on one machine. It is not a hosted service, a multi-tenant system, or a hardened boundary between tools you do not trust.

The bridge involves:

  • Loopback WebSockets between Claude Code, the ContextRelay daemon, and the Codex app-server proxy.
  • MCP stdio communication between Claude Code and the bridge process.
  • Local subprocesses for Codex, Claude Code, and optional read-only backup agents.
  • Message forwarding between agents that may influence future tool calls.

Local Auth

The daemon binds to 127.0.0.1 only. It also uses local auth files in the ContextRelay state directory:

  • token: control-plane WebSocket and management auth.
  • proxy-token: Codex proxy auth.
  • viewer-token: read-only browser viewer bootstrap auth.
  • daemon-identity: daemon identity used with status.json and daemon.pid before sending signals.
  • codex-tui.json and codex-app-server.json: managed-process metadata checked before sending signals to Codex processes.

Token and identity files are generated with random bytes and written with user-only permissions where the platform supports POSIX modes. Token comparison uses equal-length timing-safe comparison. Browser-origin WebSocket upgrades are rejected so normal web pages cannot attach to the bridge from a browser tab.

The control token, proxy token, and viewer token are deliberately separate. The Codex TUI receives only the proxy token, so its remote connection cannot authorize control-plane actions. The viewer bootstrap URL receives only the viewer token; opening it sets an HttpOnly same-site cookie and redirects away from the token-bearing URL before the viewer API is used.
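The token handling described above, as an added Node.js sketch that is not ContextRelay's own code: owner-only token files, a length-checked timing-safe comparison, rejection of upgrades that carry an Origin header, and one token per plane. The function names, the `Authorization: Bearer` carrier, and the `control`/`proxy`/`viewer` keys are assumptions; the 0o600 mode only takes effect on platforms with POSIX modes.

```javascript
// Added example, not ContextRelay source. Function names, the Bearer header
// carrier and the plane keys are assumptions made for illustration.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Write 32 random bytes (hex) to a new owner-only file. The 'wx' flag makes the
// call fail instead of overwriting an existing file.
function writeToken(dir, name) {
  const token = crypto.randomBytes(32).toString('hex');
  fs.writeFileSync(path.join(dir, name), token, { mode: 0o600, flag: 'wx' });
  return token;
}

// crypto.timingSafeEqual throws on unequal lengths, so compare lengths first.
// Token length is fixed and public, so the early exit leaks nothing useful.
function tokenMatches(presented, expected) {
  const a = Buffer.from(String(presented), 'utf8');
  const b = Buffer.from(expected, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether a WebSocket upgrade may proceed on one plane.
// Browsers attach Origin to WebSocket handshakes; local CLI clients normally do not.
function authorizeUpgrade(headers, plane, tokens) {
  if (headers.origin !== undefined) return { ok: false, reason: 'browser-origin' };
  const expected = tokens[plane];
  if (typeof expected !== 'string') return { ok: false, reason: 'unknown-plane' };
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  if (!m) return { ok: false, reason: 'missing-token' };
  // Each plane accepts only its own token, so a proxy token cannot open control.
  return tokenMatches(m[1], expected) ? { ok: true } : { ok: false, reason: 'bad-token' };
}

// Constructed demo state in a throwaway directory.
function makeState() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'relay-example-'));
  const tokens = {
    control: writeToken(dir, 'token'),
    proxy: writeToken(dir, 'proxy-token'),
    viewer: writeToken(dir, 'viewer-token'),
  };
  return { dir, tokens };
}
```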

Recursion depth is computed by the daemon from ledger handoff links. Agent-facing tools do not accept a trusted depth value from Claude or Codex.

Trust Boundary

Claude Code Channels are a Research Preview feature. When launching with ContextRelay, you are allowing the channel to inject messages into your Claude Code session. Only load channels and MCP servers you trust.

ContextRelay does not make agent output trustworthy. A malicious repository, prompt, or agent message may still try to manipulate another agent. Backup-agent prompts treat ledger content as an untrusted transcript, but this is defense in depth, not a complete prompt-injection solution.

Supported Versions

Version    Supported
1.1.x      Yes
1.0.x      Yes

There aren't any published security advisories