
Security: zhouder/DevPulse


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.x

Reporting a Vulnerability

If you discover a security vulnerability, please open a GitHub Issue with the label security.

Security Model

DevPulse is a frontend-only application. Understanding its security properties is important:

What we DO NOT do

  • We do NOT have a backend server
  • We do NOT store data in any database
  • We do NOT send your GitHub token to any server
  • We do NOT use tracking or analytics of any kind

How DevPulse works

  1. Your GitHub Personal Access Token (PAT) is stored only in your browser's localStorage
  2. All GitHub API calls are made directly from your browser to GitHub's servers
  3. No token or personal data ever leaves your machine

Token Security

  • Your token is stored locally in localStorage and is only ever sent to GitHub's API, never to us or to any third party
  • We only use read-only GitHub API endpoints (GET requests)
  • The minimum required scope for public activity is: read:user
  • For private repository stats, the additional repo scope is needed (optional)

Recommended Practices

  • Set an expiration date on your GitHub token (90 days or less)
  • Regularly rotate your token
  • Only grant the minimum scopes required for your needs
  • Revoke tokens you no longer use via GitHub Settings
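The three sections above (how DevPulse works, token security, and the recommended practices) describe a frontend-only client that keeps a PAT in localStorage, talks only to GitHub over GET requests, and expects a minimally scoped, expiring token. The following is an added example, not DevPulse's own code, of a small client wrapper that enforces those properties and lets a user audit their token from the browser. The storage key name (TOKEN_KEY), the injectable storage/fetch/now parameters, and the constructed sample values in the comments are assumptions for illustration; the X-OAuth-Scopes and GitHub-Authentication-Token-Expiration response headers are the ones GitHub returns for classic tokens and for tokens with an expiry, and the timestamp format assumed for the latter follows GitHub's documented "YYYY-MM-DD HH:MM:SS UTC" form.

```javascript
// Added example (not DevPulse's code): a read-only GitHub client that enforces
// the policy's properties. TOKEN_KEY and the injected storage/fetch/now are
// assumptions made so the logic can run without a browser or network.

const TOKEN_KEY = "devpulse_token";            // assumed localStorage key
const GITHUB_API = "https://api.github.com";
const REQUIRED_SCOPES = ["read:user"];         // minimum named in the policy
const OPTIONAL_SCOPES = ["repo"];              // only for private repo stats
const MAX_TOKEN_LIFETIME_DAYS = 90;            // recommended practice above

// Build a request that is only ever a GET to api.github.com. Refusing any
// other origin means a bug elsewhere cannot leak the token to another host,
// and hard-coding GET means the token is never used as a write capability.
function buildRequest(path, token) {
  const url = new URL(path, GITHUB_API);       // absolute/protocol-relative paths override the base
  if (url.origin !== GITHUB_API) {
    throw new Error(`refusing to send token to ${url.origin}`);
  }
  return {
    url: url.toString(),
    method: "GET",
    headers: {
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${token}`,
    },
  };
}

// X-OAuth-Scopes is a comma-separated list, e.g. "read:user, repo".
function parseScopes(header) {
  if (!header) return [];
  return header.split(",").map((s) => s.trim()).filter(Boolean);
}

// Scopes the token carries beyond what DevPulse needs (least privilege check).
function excessScopes(scopeHeader, wantPrivateRepos = false) {
  const allowed = new Set(
    wantPrivateRepos ? [...REQUIRED_SCOPES, ...OPTIONAL_SCOPES] : REQUIRED_SCOPES
  );
  return parseScopes(scopeHeader).filter((s) => !allowed.has(s));
}

// Check the token's lifetime against the 90-day recommendation. The header is
// only present when the token has an expiry; its absence is itself a finding.
function checkExpiration(expiresHeader, now = new Date()) {
  if (!expiresHeader) return { ok: false, reason: "token has no expiration date" };
  // Assumed header form "2025-01-31 00:00:00 UTC"; normalise to ISO 8601 first.
  const iso = expiresHeader.trim().replace(" UTC", "Z").replace(" ", "T");
  const expires = new Date(iso);
  if (Number.isNaN(expires.getTime())) return { ok: false, reason: "unparseable expiration" };
  const days = (expires.getTime() - now.getTime()) / 86_400_000;
  if (days <= 0) return { ok: false, reason: "token has expired" };
  if (days > MAX_TOKEN_LIFETIME_DAYS) {
    return { ok: false, reason: `token lives ${Math.ceil(days)} days, more than ${MAX_TOKEN_LIFETIME_DAYS}` };
  }
  return { ok: true, reason: "" };
}

// One round trip to /user that both identifies the token's owner and audits
// the token's scopes and lifetime from the response headers.
async function auditToken({
  storage = globalThis.localStorage,
  fetchImpl = globalThis.fetch,
  wantPrivateRepos = false,
  now = new Date(),
} = {}) {
  const token = storage.getItem(TOKEN_KEY);
  if (!token) throw new Error("no token stored");
  const req = buildRequest("/user", token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  if (!res.ok) throw new Error(`GitHub API responded ${res.status}`);
  const body = await res.json();
  return {
    login: body.login,
    excessScopes: excessScopes(res.headers.get("x-oauth-scopes"), wantPrivateRepos),
    expiration: checkExpiration(res.headers.get("github-authentication-token-expiration"), now),
  };
}
```

Because localStorage is readable by any script that runs in the page's origin, the origin check in buildRequest does not protect the token from a script injected into the page itself; it protects against the application's own code being tricked into sending the token elsewhere. The audit results are meant to be surfaced to the user so that an over-scoped or long-lived token can be rotated as the practices above recommend.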

Scope

This security policy applies only to the DevPulse application itself. GitHub API usage is governed by GitHub's Terms of Service.

There aren't any published security advisories