Summary
Require trusted metadata or explicit developer-mode handling for non-default remote DMG sources.
Source
Migrated from docs/maintainers/security-backlog.md.
Maintained Docs
- Security backlog index and review workflow: docs/maintainers/security-backlog.md
- Threat model: docs/maintainers/threat-model.md
- Package and runtime maintenance: docs/maintainers/package-runtime-maintenance.md
Context
Runtime config can redirect dmg_url for development and testing. URL parsing rejects userinfo and non-HTTPS non-loopback URLs, but non-default remote sources are still supply-chain inputs.
Review Gate
Run the @codex-security workflow before treating the implementation as review-ready.
Desired State
- Non-default remote dmg_url values require the same trusted metadata or explicit developer-mode handling as the default update channel.
- Logs identify non-default update hosts without persisting secrets.
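The policy described in Context and Desired State, as an added illustration that is not the project's code: the parsing rules already in place (no userinfo, HTTPS unless loopback) followed by the missing policy step (a non-default remote host is verified against trusted metadata unless developer mode is explicit), plus a host-only log record. The default host and the developer_mode flag are assumed placeholders; the page does not name them.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed values for this example; the page names neither the default
# update host nor the developer-mode setting.
DEFAULT_DMG_HOST = "updates.example.invalid"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class DmgSourcePolicy:
    host: str
    is_default: bool
    verify_trusted_metadata: bool  # must the DMG be checked against trusted metadata?
    log_line: str                  # scheme and host only; no path, query or userinfo


def classify_dmg_url(dmg_url: str, developer_mode: bool = False) -> DmgSourcePolicy:
    """Apply the dmg_url rules from the backlog item.

    Parsing rules (already present): reject userinfo, and reject any
    non-HTTPS URL whose host is not loopback. Policy rule (the gap this
    item closes): a non-default remote source gets the same trusted-metadata
    verification as the default channel unless developer mode is explicit.
    """
    parts = urlsplit(dmg_url)
    if parts.username is not None or parts.password is not None:
        raise ValueError("dmg_url must not carry userinfo")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("dmg_url must name a host")
    loopback = host in LOOPBACK_HOSTS
    if parts.scheme != "https" and not loopback:
        raise ValueError("non-loopback dmg_url must use https")

    is_default = host == DEFAULT_DMG_HOST
    # The default channel always verifies. Any other host, loopback included,
    # is a supply-chain input and verifies too unless developer mode is on.
    verify = is_default or not developer_mode
    # Query strings and fragments may carry signed-URL tokens, so the log
    # record is built from scheme and host only, never from the raw URL.
    log_line = (
        f"dmg source host={host} scheme={parts.scheme} "
        f"default={str(is_default).lower()} developer_mode={str(developer_mode).lower()}"
    )
    return DmgSourcePolicy(host, is_default, verify, log_line)
```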