Polish docs and project metadata

.gitignore

@@ -14,11 +14,22 @@ scripts/get-refresh-token.js
 scripts/package-extension.sh
 
 # Local dev notes
-CLAUDE.md
 notes.md
 todo.txt
 ROADMAP.md
 
+# AI assistant instruction files
+AIDER.md
+AGENTS.md
+CLAUDE.md
+CODEIUM.md
+COPILOT.md
+CONTINUE.md
+CURSOR.md
+GEMINI.md
+QWEN.md
+WINDSURF.md
+
 # AI assistant directories
 .claude/
 .cursor/

PRIVACY.md

@@ -1,10 +1,10 @@
 # Privacy Policy for GitHub Devwatch
 
-**Last Updated: November 17, 2025**
+**Last Updated: March 8, 2026**
 
 ## Overview
 
-GitHub Devwatch is a Chrome browser extension that helps you monitor activity on GitHub repositories. This privacy policy explains how the extension handles your data.
+GitHub Devwatch is a Chrome extension for monitoring activity on GitHub repositories. This policy explains what the extension stores, when it makes network requests, and what is not collected.
 
 ## Data Collection and Usage
 
@@ -13,9 +13,10 @@ GitHub Devwatch is a Chrome browser extension that helps you monitor activity on
 GitHub Devwatch collects and stores the following data **locally on your device only**:
 
 1. **GitHub Personal Access Token**
-   - Encrypted with AES-GCM encryption and stored securely on your device
+   - Stored by the extension in Chrome storage
+   - Current builds encrypt the token before writing it to local storage and keep a decrypted session copy while the extension is running
    - Used only to authenticate with GitHub's API
-   - Never transmitted to any third-party servers
+   - Not sent to third-party services operated by this project
    - Never shared with anyone
 
 2. **Repository Watch List**
@@ -31,7 +32,7 @@ GitHub Devwatch collects and stores the following data **locally on your device
 4. **Activity Data**
    - Recent activity from your watched repositories (up to 2000 items)
    - Cached locally for offline viewing
-   - Automatically cleaned up when storage limits are approached
+   - Trimmed automatically when the activity limit is reached or cleanup rules apply
 
 ### What We DON'T Collect
 
@@ -52,9 +53,9 @@ All data collected is used exclusively to provide the extension's functionality:
 
 ## Data Storage
 
-- All data is stored locally on your device using Chrome's storage APIs
-- Chrome encrypts sensitive data (like your GitHub token) at rest
+- The extension uses Chrome storage APIs for settings, cached activity, and token handling
 - Settings and repository lists can optionally sync across your Chrome browsers if you use Chrome Sync
+- Token handling uses local and session storage rather than Chrome sync
 - You can clear all data at any time by uninstalling the extension or using Chrome's "Clear extension data" feature
 
 ## Third-Party Services
@@ -107,13 +108,14 @@ You have complete control over your data:
 
 ## Security
 
-We take security seriously:
+Current builds include several concrete safeguards:
 
 - All API requests use HTTPS
-- GitHub tokens are encrypted using AES-GCM encryption
-- Input is sanitized to prevent XSS attacks
-- Only GitHub URLs are allowed (no external redirects)
-- Content Security Policy prevents malicious script injection
+- The token is encrypted before it is persisted locally
+- The codebase includes input sanitization and GitHub URL validation checks
+- Extension pages use a Content Security Policy
+
+These measures reduce risk in normal use, but they should not be read as a formal security certification or third-party audit.
 
 ## Changes to This Policy
 
@@ -130,7 +132,7 @@ This extension is not directed at children under 13. We do not knowingly collect
 If you have questions about this privacy policy or the extension:
 
 - Open an issue on GitHub: https://github.com/jonmartin721/devwatch-github/issues
-- Developer: Jonathan Martinez
+- Developer: Jonathan Martin
 
 ## Open Source
 

README.md

@@ -1,6 +1,6 @@
 # GitHub Devwatch for Chrome
 
-Track GitHub activity across multiple repos. Get notifications for new PRs, issues, and releases without constantly refreshing.
+Monitor pull requests, issues, and releases across multiple GitHub repositories from a Chrome extension. It keeps a local activity feed, badge counts, and optional browser notifications without adding another hosted service to the workflow.
 
 [![Chrome Web Store](https://img.shields.io/badge/Chrome-Web_Store-green?logo=google-chrome)](https://chromewebstore.google.com/detail/github-devwatch/dbgjgcaphfcfgppicmbiafcgcabikjch)
 [![License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
@@ -9,13 +9,13 @@ Track GitHub activity across multiple repos. Get notifications for new PRs, issu
 
 ## Key Features
 
-- **Guided Setup** - 2-minute wizard walks you through token creation and repo selection
+- **Guided Setup** - Built-in setup flow for token creation and repository selection
 - **Browser Notifications** - Get notified about new PRs, issues, and releases
 - **Multi-Repo Monitoring** - Watch up to 50 repositories from one interface
 - **Configurable Updates** - Check every 5, 15, 30, or 60 minutes
 - **Activity Filtering** - Search and filter by repo and activity type
 - **Badge Counts** - Unread count on the extension icon
-- **Secure & Private** - Your token stays local, zero third-party data sharing
+- **Direct API Access** - Talks to GitHub directly, with optional npm registry lookups only when you use package-name import
 
 <div align="center">
   <img src="screenshots/full-tagline.png" alt="GitHub Devwatch - Track your repositories" width="800">
@@ -52,13 +52,11 @@ cd devwatch-github
 
 ### First-Time Setup
 
-An interactive wizard guides you through:
+The built-in setup flow walks you through:
 1. Create a GitHub token
 2. Add repositories to watch
 3. Choose activity types (PRs, Issues, Releases)
 
-Takes about 2 minutes. No configuration knowledge needed.
-
 <div align="center">
   <img src="screenshots/onboarding-welcome.png" alt="Interactive setup wizard welcome screen" width="500">
 </div>
@@ -95,23 +93,20 @@ Here's what using the extension looks like day-to-day:
 
 The extension keeps up to 2000 items in your local history, so you can always check something you saw earlier. Badge count updates automatically as you read items.
 
-## Accessibility
-
-Full WCAG 2.1 Level A compliance with keyboard navigation, screen reader support, and ARIA landmarks.
+## Accessibility Notes
 
-**Keyboard Shortcuts**: R (refresh), S (search), A (archive), Escape (close), Arrow keys (navigate tabs)
+The UI includes keyboard navigation, visible focus styles, semantic controls, and ARIA labeling in key flows. The test suite also includes automated axe-core checks and keyboard-focused UI tests.
 
-Tested with NVDA/JAWS screen readers and axe-core. [Report accessibility issues](https://github.com/jonmartin721/devwatch-github/issues).
+That said, this project has not gone through a formal accessibility audit or documented screen reader certification. If you run into an accessibility issue, please [open an issue](https://github.com/jonmartin721/devwatch-github/issues).
 
-## Privacy & Security
+## Privacy & Security Notes
 
-Your GitHub token is encrypted and stays on your machine. The extension only communicates with GitHub's API - no analytics, no tracking, no third-party services.
+The extension talks directly to GitHub's API and does not use a separate analytics or sync backend. It stores settings and cached activity in Chrome extension storage, and the current build encrypts the GitHub token before persisting it locally while keeping a decrypted session copy available at runtime.
 
-- **Encrypted Storage** - Tokens use AES-GCM encryption in Chrome's secure storage
-- **Local Only** - All data stays on your machine, never sent to third parties
-- **GitHub API Only** - No external servers or analytics services
-- **Minimal Permissions** - Token used exclusively for fetching repository activity
-- **Open Source** - Review the entire codebase, raise issues, or submit fixes
+- **Direct network access** - Requests go to `api.github.com`, plus `registry.npmjs.org` only when you use package-name lookup
+- **Scoped browser permissions** - The manifest asks for `storage`, `alarms`, and `notifications`
+- **Defensive client code** - The codebase includes URL validation, content security policy rules, and sanitization tests
+- **No formal audit claim** - These measures improve the local handling of data, but they are not a substitute for securing the browser profile and GitHub account you use with the extension
 
 ## Data Storage
 
@@ -164,9 +159,16 @@ The extension defaults to checking every 15 minutes. You can change this to 5, 3
 
 ### Running Tests
 ```bash
+npm run lint
+npm run typecheck
 npm test
+npm run build
 ```
 
+The automated checks cover shared logic, UI behavior, and a range of mocked extension flows. They do not replace manual testing in Chrome for permissions, service worker lifecycle behavior, or end-to-end interactions against live GitHub data.
+
+Jest enforces minimum global coverage thresholds of 47% lines, 46% branches, and 44% functions. That is a floor for the suite, not a claim of exhaustive coverage.
+
 ### Local Development
 1. Clone the repository
 2. Run `npm install` for dependencies
@@ -192,7 +194,7 @@ Contributions welcome! Submit issues or pull requests. See [CONTRIBUTING.md](CON
 
 ## Roadmap
 
-This is a side project for me, so I work on it when time allows - but I'd love to see contributions! Here are some features I'm considering:
+This is an actively maintained side project. Some features under consideration:
 - **Comment notifications** - Track new comments on issues and PRs
 - **Mention tracking** - Get notified when you're mentioned
 - **Multiple GitHub accounts** - Switch between different accounts
@@ -216,11 +218,5 @@ Copyright (c) 2025 Jonathan Martin
 ---
 
 <div align="center">
-
-[⭐ Star this repo](https://github.com/jonmartin721/devwatch-github) if you find it useful!
-
-<br><br>
-
-<img src="screenshots/logo-tagline.png" alt="GitHub Devwatch - Track changes fast" width="300">
-
+  <img src="screenshots/logo-tagline.png" alt="GitHub Devwatch logo" width="300">
 </div>

SECURITY.md

@@ -28,23 +28,22 @@ These are better suited for regular issues:
 - UI/UX problems
 - Performance issues
 
-## Security Measures
+## Current Security Posture
 
-The extension implements several security practices:
+The extension includes several concrete protections, but this project has not been through a formal external security audit.
 
 ### Token Storage
-- GitHub tokens are encrypted using AES-GCM with 256-bit keys
-- Stored in Chrome's secure storage API
+- GitHub tokens are encrypted before they are written to local extension storage
+- A decrypted copy may be cached in session storage while the extension is running
 - Never transmitted to third-party servers
-- Session caching for performance without compromising security
 
 ### Content Security Policy
-- Strict CSP prevents unauthorized script execution
-- Only allows connections to GitHub API and npm registry
+- Extension pages use a CSP that limits script sources and network destinations
+- The current policy allows connections to the GitHub API and npm registry
 - No inline scripts or eval()
 
 ### Input Validation
-- All user inputs are sanitized
+- The codebase includes sanitization for rendered content
 - URLs are validated before opening
 - Repository names are validated against GitHub's format
 
@@ -55,7 +54,7 @@ The extension implements several security practices:
 
 ## Supported Versions
 
-Currently supporting version 1.0.0. Security updates will be released as patch versions (e.g., 1.0.1).
+Security fixes are targeted at the current `1.0.x` release line.
 
 ## Disclosure Policy
 

manifest.json

@@ -2,8 +2,8 @@
   "manifest_version": 3,
   "name": "GitHub Devwatch",
   "version": "1.0.2",
-  "description": "Monitor pull requests, issues, and releases across multiple GitHub repositories. Get notifications and never miss activity.",
-  "author": "Jonathan Martinez",
+  "description": "Monitor pull requests, issues, and releases across GitHub repositories with notifications and a local activity feed.",
+  "author": "Jonathan Martin",
   "permissions": [
     "storage",
     "alarms",

package.json

@@ -1,7 +1,7 @@
 {
   "name": "github-devwatch-chrome",
   "version": "1.0.2",
-  "description": "Chrome extension for GitHub Devwatch",
+  "description": "Chrome extension for monitoring GitHub repository activity",
   "type": "module",
   "scripts": {
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",

tests/README.md

@@ -1,6 +1,8 @@
 # Test Suite
 
-This directory contains the test suite for the GitHub DevWatch Chrome extension.
+This directory contains the test suite for the GitHub Devwatch Chrome extension.
+
+Most tests here are unit-level or DOM-focused integration tests running under Jest with jsdom and mocked Chrome APIs. They are useful for regression coverage, but they do not replace manual testing in a loaded extension or a full browser-level end-to-end pass.
 
 ## Running Tests
 
@@ -43,12 +45,14 @@ Tests are organized by feature and component:
 ### Utility Tests
 - `utils.test.js` - Utility functions
 
-## Coverage Goals
+## Coverage Thresholds
+
+Jest enforces the following global minimum coverage thresholds:
+- **Lines**: 47%
+- **Branches**: 46%
+- **Functions**: 44%
 
-The project maintains minimum coverage thresholds:
-- **Lines**: 35%
-- **Branches**: 34%
-- **Functions**: 30%
+Current thresholds are defined in `jest.config.js`. They are guardrails for CI, not a statement that every extension path is covered.
 
 Current coverage can be viewed by running `npm test -- --coverage`.