From 78fedf36f2336d69ec399bec49449eea786925d5 Mon Sep 17 00:00:00 2001 From: jonmartin721 Date: Sun, 8 Mar 2026 19:53:53 -0500 Subject: [PATCH 1/2] Polish docs and project metadata --- .gitignore | 13 ++++++++++++- .husky/pre-commit | 0 .husky/pre-push | 0 PRIVACY.md | 28 ++++++++++++++------------- README.md | 48 ++++++++++++++++++++++------------------------- SECURITY.md | 17 ++++++++--------- manifest.json | 4 ++-- package.json | 2 +- scripts/build.js | 0 tests/README.md | 16 ++++++++++------ 10 files changed, 70 insertions(+), 58 deletions(-) mode change 100755 => 100644 .husky/pre-commit mode change 100755 => 100644 .husky/pre-push mode change 100755 => 100644 scripts/build.js diff --git a/.gitignore b/.gitignore index 54a564e..53bb88e 100644 --- a/.gitignore +++ b/.gitignore @@ -14,11 +14,22 @@ scripts/get-refresh-token.js scripts/package-extension.sh # Local dev notes -CLAUDE.md notes.md todo.txt ROADMAP.md +# AI assistant instruction files +AGENTS.md +CLAUDE.md +GEMINI.md +QWEN.md +AIDER.md +CURSOR.md +COPILOT.md +CODEIUM.md +WINDSURF.md +CONTINUE.md + # AI assistant directories .claude/ .cursor/ diff --git a/.husky/pre-commit b/.husky/pre-commit old mode 100755 new mode 100644 diff --git a/.husky/pre-push b/.husky/pre-push old mode 100755 new mode 100644 diff --git a/PRIVACY.md b/PRIVACY.md index b515d44..b879d80 100644 --- a/PRIVACY.md +++ b/PRIVACY.md @@ -1,10 +1,10 @@ # Privacy Policy for GitHub Devwatch -**Last Updated: November 17, 2025** +**Last Updated: March 8, 2026** ## Overview -GitHub Devwatch is a Chrome browser extension that helps you monitor activity on GitHub repositories. This privacy policy explains how the extension handles your data. +GitHub Devwatch is a Chrome extension for monitoring activity on GitHub repositories. This policy explains what the extension stores, when it makes network requests, and what is not collected. ## Data Collection and Usage 
@@ -13,9 +13,10 @@ GitHub Devwatch is a Chrome browser extension that helps you monitor activity on GitHub Devwatch collects and stores the following data **locally on your device only**: 1. **GitHub Personal Access Token** - - Encrypted with AES-GCM encryption and stored securely on your device + - Stored by the extension in Chrome storage + - Current builds encrypt the token before writing it to local storage and keep a decrypted session copy while the extension is running - Used only to authenticate with GitHub's API - - Never transmitted to any third-party servers + - Not sent to third-party services operated by this project - Never shared with anyone 2. **Repository Watch List** @@ -31,7 +32,7 @@ GitHub Devwatch collects and stores the following data **locally on your device 4. **Activity Data** - Recent activity from your watched repositories (up to 2000 items) - Cached locally for offline viewing - - Automatically cleaned up when storage limits are approached + - Trimmed automatically when the activity limit is reached or cleanup rules apply ### What We DON'T Collect @@ -52,9 +53,9 @@ All data collected is used exclusively to provide the extension's functionality: ## Data Storage -- All data is stored locally on your device using Chrome's storage APIs -- Chrome encrypts sensitive data (like your GitHub token) at rest +- The extension uses Chrome storage APIs for settings, cached activity, and token handling - Settings and repository lists can optionally sync across your Chrome browsers if you use Chrome Sync +- Token handling uses local and session storage rather than Chrome sync - You can clear all data at any time by uninstalling the extension or using Chrome's "Clear extension data" feature ## Third-Party Services 
@@ -107,13 +108,14 @@ You have complete control over your data: ## Security -We take security seriously: +Current builds include several concrete safeguards: - All API requests use HTTPS -- GitHub tokens are encrypted using AES-GCM encryption -- Input is sanitized to prevent XSS attacks -- Only GitHub URLs are allowed (no external redirects) -- Content Security Policy prevents malicious script injection +- The token is encrypted before it is persisted locally +- The codebase includes input sanitization and GitHub URL validation checks +- Extension pages use a Content Security Policy + +These measures reduce risk in normal use, but they should not be read as a formal security certification or third-party audit. ## Changes to This Policy @@ -130,7 +132,7 @@ This extension is not directed at children under 13. We do not knowingly collect If you have questions about this privacy policy or the extension: - Open an issue on GitHub: https://github.com/jonmartin721/devwatch-github/issues -- Developer: Jonathan Martinez +- Developer: Jonathan Martin ## Open Source diff --git a/README.md b/README.md index f11645b..b8daeb1 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # GitHub Devwatch for Chrome -Track GitHub activity across multiple repos. Get notifications for new PRs, issues, and releases without constantly refreshing. +Monitor pull requests, issues, and releases across multiple GitHub repositories from a Chrome extension. It keeps a local activity feed, badge counts, and optional browser notifications without adding another hosted service to the workflow. [![Chrome Web Store](https://img.shields.io/badge/Chrome-Web_Store-green?logo=google-chrome)](https://chromewebstore.google.com/detail/github-devwatch/dbgjgcaphfcfgppicmbiafcgcabikjch) [![License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) 
@@ -9,13 +9,13 @@ Track GitHub activity across multiple repos. Get notifications for new PRs, issu ## Key Features -- **Guided Setup** - 2-minute wizard walks you through token creation and repo selection +- **Guided Setup** - Built-in setup flow for token creation and repository selection - **Browser Notifications** - Get notified about new PRs, issues, and releases - **Multi-Repo Monitoring** - Watch up to 50 repositories from one interface - **Configurable Updates** - Check every 5, 15, 30, or 60 minutes - **Activity Filtering** - Search and filter by repo and activity type - **Badge Counts** - Unread count on the extension icon -- **Secure & Private** - Your token stays local, zero third-party data sharing +- **Direct API Access** - Talks to GitHub directly, with optional npm registry lookups only when you use package-name import
GitHub Devwatch - Track your repositories @@ -52,13 +52,11 @@ cd devwatch-github ### First-Time Setup -An interactive wizard guides you through: +The built-in setup flow walks you through: 1. Create a GitHub token 2. Add repositories to watch 3. Choose activity types (PRs, Issues, Releases) -Takes about 2 minutes. No configuration knowledge needed. -
Interactive setup wizard welcome screen
@@ -95,23 +93,20 @@ Here's what using the extension looks like day-to-day: The extension keeps up to 2000 items in your local history, so you can always check something you saw earlier. Badge count updates automatically as you read items. -## Accessibility - -Full WCAG 2.1 Level A compliance with keyboard navigation, screen reader support, and ARIA landmarks. +## Accessibility Notes -**Keyboard Shortcuts**: R (refresh), S (search), A (archive), Escape (close), Arrow keys (navigate tabs) +The UI includes keyboard navigation, visible focus styles, semantic controls, and ARIA labeling in key flows. The test suite also includes automated axe-core checks and keyboard-focused UI tests. -Tested with NVDA/JAWS screen readers and axe-core. [Report accessibility issues](https://github.com/jonmartin721/devwatch-github/issues). +That said, this project has not gone through a formal accessibility audit or documented screen reader certification. If you run into an accessibility issue, please [open an issue](https://github.com/jonmartin721/devwatch-github/issues). -## Privacy & Security +## Privacy & Security Notes -Your GitHub token is encrypted and stays on your machine. The extension only communicates with GitHub's API - no analytics, no tracking, no third-party services. +The extension talks directly to GitHub's API and does not use a separate analytics or sync backend. It stores settings and cached activity in Chrome extension storage, and the current build encrypts the GitHub token before persisting it locally while keeping a decrypted session copy available at runtime. 
-- **Encrypted Storage** - Tokens use AES-GCM encryption in Chrome's secure storage -- **Local Only** - All data stays on your machine, never sent to third parties -- **GitHub API Only** - No external servers or analytics services -- **Minimal Permissions** - Token used exclusively for fetching repository activity -- **Open Source** - Review the entire codebase, raise issues, or submit fixes +- **Direct network access** - Requests go to `api.github.com`, plus `registry.npmjs.org` only when you use package-name lookup +- **Scoped browser permissions** - The manifest asks for `storage`, `alarms`, and `notifications` +- **Defensive client code** - The codebase includes URL validation, content security policy rules, and sanitization tests +- **No formal audit claim** - These measures improve the local handling of data, but they are not a substitute for securing the browser profile and GitHub account you use with the extension ## Data Storage @@ -164,9 +159,16 @@ The extension defaults to checking every 15 minutes. You can change this to 5, 3 ### Running Tests ```bash +npm run lint +npm run typecheck npm test +npm run build ``` +The automated checks cover shared logic, UI behavior, and a range of mocked extension flows. They do not replace manual testing in Chrome for permissions, service worker lifecycle behavior, or end-to-end interactions against live GitHub data. + +Jest enforces minimum global coverage thresholds of 47% lines, 46% branches, and 44% functions. That is a floor for the suite, not a claim of exhaustive coverage. + ### Local Development 1. Clone the repository 2. Run `npm install` for dependencies 
@@ -192,7 +194,7 @@ Contributions welcome! Submit issues or pull requests. See [CONTRIBUTING.md](CON ## Roadmap -This is a side project for me, so I work on it when time allows - but I'd love to see contributions! Here are some features I'm considering: +This is an actively maintained side project. Some features under consideration: - **Comment notifications** - Track new comments on issues and PRs - **Mention tracking** - Get notified when you're mentioned - **Multiple GitHub accounts** - Switch between different accounts @@ -216,11 +218,5 @@ Copyright (c) 2025 Jonathan Martin ---
- -[⭐ Star this repo](https://github.com/jonmartin721/devwatch-github) if you find it useful! - -

- -GitHub Devwatch - Track changes fast - + GitHub Devwatch logo
diff --git a/SECURITY.md b/SECURITY.md index 76ab824..044cb0e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -28,23 +28,22 @@ These are better suited for regular issues: - UI/UX problems - Performance issues -## Security Measures +## Current Security Posture -The extension implements several security practices: +The extension includes several concrete protections, but this project has not been through a formal external security audit. ### Token Storage -- GitHub tokens are encrypted using AES-GCM with 256-bit keys -- Stored in Chrome's secure storage API +- GitHub tokens are encrypted before they are written to local extension storage +- A decrypted copy may be cached in session storage while the extension is running - Never transmitted to third-party servers -- Session caching for performance without compromising security ### Content Security Policy -- Strict CSP prevents unauthorized script execution -- Only allows connections to GitHub API and npm registry +- Extension pages use a CSP that limits script sources and network destinations +- The current policy allows connections to the GitHub API and npm registry - No inline scripts or eval() ### Input Validation -- All user inputs are sanitized +- The codebase includes sanitization for rendered content - URLs are validated before opening - Repository names are validated against GitHub's format @@ -55,7 +54,7 @@ The extension implements several security practices: ## Supported Versions -Currently supporting version 1.0.0. Security updates will be released as patch versions (e.g., 1.0.1). +Security fixes are targeted at the current `1.0.x` release line. ## Disclosure Policy diff --git a/manifest.json b/manifest.json index f0f5cc0..3b9504f 100644 --- a/manifest.json +++ b/manifest.json 
@@ -2,8 +2,8 @@ "manifest_version": 3, "name": "GitHub Devwatch", "version": "1.0.2", - "description": "Monitor pull requests, issues, and releases across multiple GitHub repositories. Get notifications and never miss activity.", - "author": "Jonathan Martinez", + "description": "Monitor pull requests, issues, and releases across GitHub repositories with notifications and a local activity feed.", + "author": "Jonathan Martin", "permissions": [ "storage", "alarms", diff --git a/package.json b/package.json index 5207d48..7b959a3 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "github-devwatch-chrome", "version": "1.0.2", - "description": "Chrome extension for GitHub Devwatch", + "description": "Chrome extension for monitoring GitHub repository activity", "type": "module", "scripts": { "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js", diff --git a/scripts/build.js b/scripts/build.js old mode 100755 new mode 100644 diff --git a/tests/README.md b/tests/README.md index 9f691ca..ed4035f 100644 --- a/tests/README.md +++ b/tests/README.md @@ -1,6 +1,8 @@ # Test Suite -This directory contains the test suite for the GitHub DevWatch Chrome extension. +This directory contains the test suite for the GitHub Devwatch Chrome extension. + +Most tests here are unit-level or DOM-focused integration tests running under Jest with jsdom and mocked Chrome APIs. They are useful for regression coverage, but they do not replace manual testing in a loaded extension or a full browser-level end-to-end pass. ## Running Tests 
@@ -43,12 +45,14 @@ Tests are organized by feature and component: ### Utility Tests - `utils.test.js` - Utility functions -## Coverage Goals +## Coverage Thresholds + +Jest enforces the following global minimum coverage thresholds: +- **Lines**: 47% +- **Branches**: 46% +- **Functions**: 44% -The project maintains minimum coverage thresholds: -- **Lines**: 35% -- **Branches**: 34% -- **Functions**: 30% +Current thresholds are defined in `jest.config.js`. They are guardrails for CI, not a statement that every extension path is covered. Current coverage can be viewed by running `npm test -- --coverage`. From 59aebb43ab45a63c2bd185b7f9e40fbb4d922303 Mon Sep 17 00:00:00 2001 From: jonmartin721 Date: Sun, 8 Mar 2026 20:44:45 -0500 Subject: [PATCH 2/2] Restore executable scripts --- .gitignore | 10 +++++----- .husky/pre-commit | 0 .husky/pre-push | 0 scripts/build.js | 0 4 files changed, 5 insertions(+), 5 deletions(-) mode change 100644 => 100755 .husky/pre-commit mode change 100644 => 100755 .husky/pre-push mode change 100644 => 100755 scripts/build.js diff --git a/.gitignore b/.gitignore index 53bb88e..1b22c4f 100644 --- a/.gitignore +++ b/.gitignore @@ -19,16 +19,16 @@ todo.txt ROADMAP.md # AI assistant instruction files +AIDER.md AGENTS.md CLAUDE.md +CODEIUM.md +COPILOT.md +CONTINUE.md +CURSOR.md GEMINI.md QWEN.md -AIDER.md -CURSOR.md -COPILOT.md -CODEIUM.md WINDSURF.md -CONTINUE.md # AI assistant directories .claude/ diff --git a/.husky/pre-commit b/.husky/pre-commit old mode 100644 new mode 100755 diff --git a/.husky/pre-push b/.husky/pre-push old mode 100644 new mode 100755 diff --git a/scripts/build.js b/scripts/build.js old mode 100644 new mode 100755
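Review bot: the mode flips in patch 1 (`.husky/pre-commit`, `.husky/pre-push`, `scripts/build.js` going 100755 to 100644) are reverted wholesale by patch 2, so the intermediate commit leaves the git hooks and build script non-executable; squash patch 2 into patch 1, or drop the mode changes from patch 1, so that no commit in the series loses the executable bit. The alphabetical reordering of the AI instruction-file list in `.gitignore` belongs in the same squash, since patch 2 only rearranges lines that patch 1 introduced.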
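Review bot: the PRIVACY.md token bullets ("Current builds encrypt the token before writing it to local storage and keep a decrypted session copy while the extension is running") do not say where the encryption key is kept or how long the session copy lives. If the key is stored or derived inside the same extension storage, the encryption protects only against casual reading of the storage file, not against anything that already has the extension's own access; stating that, and stating the session copy's lifetime (for example whether it lives in `chrome.storage.session`, which is in-memory and cleared when the browser closes), lets a reader judge what the safeguard actually buys them.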
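Review bot: "Trimmed automatically when the activity limit is reached or cleanup rules apply" in the PRIVACY.md Activity Data bullet leaves "cleanup rules" undefined; a privacy policy should name the rule (count-based at 2000 items, age-based, on uninstall) or drop the phrase, since the surrounding bullet already gives the 2000-item limit.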
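Review bot: in the SECURITY.md Content Security Policy section, "allows connections to the GitHub API and npm registry" should name the hosts exactly as the README hunk does (`api.github.com`, `registry.npmjs.org`) so the two documents cannot drift apart. Since the Token Storage section keeps "Never transmitted to third-party servers" while the CSP permits the npm registry, add one sentence confirming that package-name lookups are unauthenticated requests that never carry the token, assuming that is what the code does.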
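Review bot: the README "Scoped browser permissions" bullet lists `storage`, `alarms`, and `notifications`, but the manifest.json hunk in this series shows only `storage` and `alarms` in its context and says nothing about `host_permissions`; confirm the list matches the manifest and include whatever host permissions grant access to `api.github.com` and `registry.npmjs.org`, since those are the permissions a store reviewer or user weighs most.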
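Review bot: the README "Running Tests" block now adds `npm run lint`, `npm run typecheck`, and `npm run build`, but the package.json hunk in this same series shows only a `test` entry under `scripts`; confirm those three scripts exist (and are what CI runs) before documenting them as the standard check sequence.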
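Review bot: the coverage thresholds (47% lines, 46% branches, 44% functions) are now stated in both README.md and tests/README.md in addition to `jest.config.js`; keep the numbers in one place (tests/README.md, which already points at `jest.config.js`) and have README.md link there, otherwise the next bump repeats this 35/34/30 to 47/46/44 edit across two files and they will eventually disagree.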