Security Policy

🔒 How This Extension Handles Your Data

Your PAT is stored exclusively in chrome.storage.local — Chrome's encrypted, sandboxed local storage.
It is NEVER hardcoded in source code, logged to console, or transmitted to any server other than api.github.com.
The token is used only to authenticate GitHub REST API calls (creating repos, pushing files).
You can revoke your token at any time from GitHub Settings → Tokens.

The extension uses your existing browser session cookies to communicate with LeetCode's GraphQL API and GFG's internal APIs.
It does NOT store, export, or transmit your LeetCode/GFG credentials.
All API requests happen within the browser context using your active session.

Permission	Why It's Needed
`storage`	To save your GitHub token, sync history, and settings locally
`activeTab`	To inject content scripts on LeetCode/GFG problem pages
`alarms`	To schedule retry attempts for failed GitHub pushes
`host_permissions: leetcode.com`	To intercept submission responses and fetch problem data
`host_permissions: geeksforgeeks.org`	To intercept GFG submission responses and scrape problem data
`host_permissions: api.github.com`	To push solution files to your GitHub repository

If you discover a security vulnerability in this extension, please:

DO NOT open a public issue.
Email the maintainer directly or use GitHub Security Advisories.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
You will receive a response within 48 hours.

Use a scoped token: When creating your GitHub PAT, only grant the repo scope — nothing more.
Set an expiration: Use a token with a 90-day expiration and rotate it regularly.
Use a dedicated repo: Don't use a token with access to sensitive/work repositories.
Audit the code: This extension is fully open-source. Review the code before installing.