Security: gurudin/anycoding

Security Policy

Supported Versions

We support the latest released version on the main branch. Older versions receive fixes only for high-severity issues at maintainer discretion.

Component Supported
any-code-cli (npm latest)
any-code-android (latest APK / Play release)
Older versions Best effort

Scope

This repository covers client-side components only:

  • any-code-cli/ — Node CLI running on the user's machine
  • any-code-android/ — Android app

The relay server is closed-source and hosted separately. For issues affecting the hosted relay service (authentication, WebSocket bridge, data storage), please report using the same channel below — we will route internally.

Out of scope: third-party services (Cloudflare, the user's Claude Code / Codex CLI install, Android OS bugs).

Reporting a Vulnerability

Do not open a public GitHub issue — and do not post in the Discord server — for security problems. Both channels are public and could tip off an attacker before a fix ships.

Instead, email the maintainer directly:

Please include:

  1. Component and version affected
  2. Reproduction steps or proof-of-concept
  3. Impact assessment (what can an attacker do?)
  4. Any suggested mitigation

Response Timeline

| Stage | Target |
|---|---|
| Initial acknowledgement | within 48 hours |
| Triage + severity rating | within 5 business days |
| Fix for high-severity issues | within 30 days |
| Fix for medium/low-severity | best effort, next release |
| Public disclosure | coordinated with reporter, typically after fix ships |

Credit

Reporters who follow coordinated disclosure will be credited in the release notes (opt-in). If you prefer to remain anonymous, please say so in your report.

Safe Harbor

Good-faith security research conducted within the following scope is welcome and will not result in legal action:

  • Testing against your own local CLI / Android install
  • Testing against a self-hosted relay you control
  • Not accessing data belonging to other users
  • Not performing denial-of-service, spam, or destructive actions against the hosted relay

Please do not test against the production hosted relay with techniques that may degrade service for other users.
