
Cody CLI Security

How Cody CLI protects your code, credentials, and data at every layer.

Data Handling

  • Cody CLI reads local file contents only when you explicitly request code analysis or completions.
  • Code snippets sent to the API are used solely for generating responses — never for model training.
  • Sensitive files (.env, credentials, private keys) are excluded from context by default.
  • All data processing happens in-session. No code is persisted on AINative servers beyond the request lifecycle.

ℹ️ No Training on Your Code

Code submitted via Cody CLI is never used to train AI models. Your code remains private and is only used to generate the specific response you requested.

API Key Security

  • API keys are stored locally in ~/.cody/config.json with restricted file permissions (600).
  • Use environment variables (AINATIVE_API_KEY) instead of hardcoding keys in config files.
  • Keys support scoped permissions — create read-only keys for CI environments.
  • Rotate keys anytime from the dashboard at /dashboard/api-keys. Revoked keys are invalidated immediately.

# Set API key via environment variable (recommended)
export AINATIVE_API_KEY="your-api-key"

# Or configure locally
cody config set api_key "your-api-key"

⚠️ Never Commit API Keys

Add .cody/config.json to your .gitignore. Use environment variables in CI/CD pipelines.
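
To audit the two safeguards above (mode 600 on the config file, and .cody/config.json listed in .gitignore), the following shell functions can run locally or as a CI step. This is an added example, not part of Cody CLI; the function names are hypothetical, and only the paths and the 600 mode come from this page.

```shell
#!/bin/sh
# Added example: audits the API-key safeguards described on this page.
# Function names and messages are this example's own, not Cody CLI's.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the config file is absent or has mode 600, 1 otherwise.
check_config_mode() {
    cfg=$1
    [ -e "$cfg" ] || return 0   # no key stored on disk, nothing to check
    mode=$(file_mode "$cfg")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $cfg has mode $mode, expected 600" >&2
        return 1
    fi
}

# Return 0 if the project's top-level .gitignore covers .cody/config.json.
# Literal match on the common forms (.cody, .cody/, .cody/config.json);
# it does not evaluate negation (!) rules or nested .gitignore files.
check_gitignore() {
    proj=$1
    if [ ! -f "$proj/.gitignore" ]; then
        echo "FAIL: no .gitignore in $proj" >&2
        return 1
    fi
    if ! grep -Eq '^/?\.cody(/|/config\.json)?[[:space:]]*$' "$proj/.gitignore"; then
        echo "FAIL: .cody/config.json is not ignored in $proj/.gitignore" >&2
        return 1
    fi
}

# Run both checks and report every failure, not just the first.
audit_cody() {
    rc=0
    check_config_mode "$1" || rc=1
    check_gitignore "$2" || rc=1
    return $rc
}

# Usage: audit_cody "$HOME/.cody/config.json" "$PWD"
```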

Permissions & Access Control

  • Cody CLI requires no root or admin privileges to operate.
  • Filesystem access is scoped to the current project directory and explicitly configured paths.
  • Network access is limited to api.ainative.studio and telemetry.ainative.studio.
  • No background processes or daemons — Cody CLI runs only when you invoke it.

Transport Security

  • All API communication uses TLS 1.3 with certificate verification.
  • No plaintext transmission of code, credentials, or user data.
  • WebSocket connections (for streaming) use WSS with the same TLS guarantees.

Telemetry & Opt-Out

Anonymous usage telemetry includes: command frequency, response latency, and error rates. No personally identifiable information (PII) is collected.

# Disable telemetry
cody config set telemetry.enabled false

# Or via environment variable
export CODY_TELEMETRY_DISABLED=true

Vulnerability Reporting

  • Report security vulnerabilities to security@ainative.studio
  • We follow responsible disclosure practices with a 90-day timeline
  • Critical vulnerabilities receive patches within 48 hours of confirmation