Cocxy Terminal

Security

Local secrets, signed updates, encrypted stores, hardened runtime, and explicit network actions.

Threat model

Terminal output, secrets, sockets, clipboard, paths, and network connections are treated as sensitive.

Cryptography

AES-GCM protects Vault records, EdDSA signs Sparkle updates, HMAC-SHA256 protects relay auth, and Keychain stores secrets.

Code signing and notarization

Public releases use Developer ID Application signing, hardened runtime, secure timestamp, and Apple notarization.

Dependency hygiene

Swift and Apple frameworks are the default, Sparkle is audited, Zig dependencies are pinned, and npm is limited to web tooling.

SBOM

The public SBOM is linked with release artifacts when the release flow produces it.

Disclosure

Report vulnerabilities through GitHub Security Advisory or dev@cocxy.dev.

Download

Install Cocxy on macOS

The site keeps version placeholders so the release workflow can rewrite them when publishing.

Homebrew

Reproducible install from the official tap.

brew tap salp2403/tap && brew install --cask cocxy

Channels

Stable, preview, and nightly are documented with clear risk levels.
