# Codex for OSS — Application Draft

> Pre-filled answers for the form at
> <https://openai.com/form/codex-for-oss/>.
> Copy-paste each field, then click Submit. Every answer fits within
> the 500-character limit the form enforces.

## Repo selection

For the **GitHub repository URL** field, use:

```
https://github.com/ignaciolagosruiz/releasekit
```

This is the stronger of the two projects in the profile. Mention the
second one in the "Anything else?" free-text field.

## Field-by-field

### First name
```
Ignacio
```

### Last name
```
Lagos Ruiz
```

### Email
*(the email tied to your ChatGPT account — the one you log in with at chatgpt.com)*
```
ignaciolagosruiz@gmail.com
```
(Main OpenAI account — has existing API credits; the +chatgptplus alias account is being retired.)

### GitHub username
```
ignaciolagosruiz
```

### GitHub repository URL
```
https://github.com/ignaciolagosruiz/releasekit
```

### Describe your role: are you a primary or core maintainer?
*(select "Primary maintainer" — single-select radio)*

### Why does this repository qualify? *(≤ 500 chars)*
```
Primary maintainer of releasekit, a release-automation CLI for Node.js / TypeScript projects. I own PR review, issue triage, releases, CI, and security. The project parses Conventional Commits, bumps semver, renders a Keep-a-Changelog, creates GitHub releases via `gh`, and optionally publishes to npm. Dependency-light alternative to release-please or semantic-release. Active commit history, multi-Node CI on 20/22/24, 21 passing tests covering parsing, version math, and changelog generation.
```

(495 chars — within the 500-char limit.)

### I'm interested in...
*(check both boxes)*
- ☑ Codex Security
- ☑ API credits for my project

### Why does your project need Codex Security? *(≤ 500 chars, conditional — appears after checking "Codex Security")*
```
releasekit runs in CI and auto-publishes to npm and creates GitHub releases on every merged PR. A malicious PR landing on main becomes a published package within minutes. Codex Security would scan PRs for: shell injection in version-bump scripts, secret leaks in CI env (NPM_TOKEN, GITHUB_TOKEN), semver-manipulation attacks, and changelog injection. The attack surface is the privilege boundary itself — exactly where AI-assisted review adds the most leverage.
```
(461 chars.)

### OpenAI Organization ID
```
org-Mfg2DxeaVAbIFfc5uxMmagm9
```
*(from <https://platform.openai.com/settings/organization/general>, personal account)*

### How will you use API credits for your project? *(≤ 500 chars)*
```
I will use API credits for PR review summaries, conventional-commit title suggestions on incoming PRs, test-coverage gap detection, and release-note drafting. Outputs are reviewed by me before action and applied only to the releasekit repository and the secondary ignaciolagosruiz/repo-stats repo, both of which are public OSS projects. This reduces my maintenance overhead and lets me ship fixes faster.
```

(480 chars.)

### Anything else we should know? *(≤ 500 chars)*
```
I also maintain ignaciolagosruiz/repo-stats, a dependency-light CLI that turns the GitHub REST API into a maintainer dashboard (stars, recent issues, PR throughput, release cadence, top contributors) — verified end-to-end against the live API. Both projects use `commander` and ship with TypeScript sources, vitest suites, and CI on Node 20/22/24. Total: 22 commits, 41 passing tests, ~2.5K LOC. I prefer Codex for code review and changelog drafting.
```

(489 chars.)

---

## How to find your OpenAI Organization ID

1. Open <https://platform.openai.com/settings/organization/general> while
   signed in to the ChatGPT / OpenAI account that should receive the
   benefits.
2. Copy the value under **Organization ID**. It looks like
   `org-abc123def456…`.
3. If the page is empty, your account is on the personal plan without
   an org; in that case go to <https://platform.openai.com/settings/organizations>
   to create one. The form specifically requires an org ID.

## What happens after you submit

OpenAI reviews on a rolling basis. You will get an email at the
address above when the application is approved, denied, or needs more
info. Approval is not guaranteed, but the application is materially stronger
than the typical "vibe-coded 5 empty repos" application because:

- Both repos have real, working code with TypeScript types, tests, and
  CI — not just READMEs.
- 22 commits with proper Conventional Commits messages.
- The CLIs were verified end-to-end (releasekit ran on a dummy project
  and produced a real changelog; repo-stats hit the live GitHub API and
  printed real data for vercel/next.js).
- The application answers every question with concrete numbers
  (commit count, test count, LOC) and explains the maintainer role,
  not the project.
- The "API credits" use case ties back to maintenance work, not
  experimentation, as the form's guide recommends.
