SECURITY

ARCHITECTURE // DATA_HANDLING // DISCLOSURE

PAT_LIFECYCLE

YOUR BROWSER→HTTPS/TLS→UCP SERVER→GITHUB API→DISCARD PAT

Your PAT travels over TLS to our server, is used once to authenticate a single GitHub GraphQL request, and is never written to disk, database, logs, or memory beyond the duration of that request. The GitHub API response (contribution counts) is stored. The token is not.

WHAT_IS_STORED

FIELD	TYPE	NOTE
github_login	string	Your GitHub username
avatar_url	string	Your GitHub avatar URL
contribution_date	date	YYYY-MM-DD format, no timezone
contribution_count	integer	Aggregate daily count across all repos
account_label	string \| null	Optional label you set, e.g. "work"

NEVER_STORED

✕Personal Access Token (PAT)

✕Repository names

✕Commit messages or SHAs

✕File paths or contents

✕Branch names

✕Pull request or issue data

✕Email addresses

✕IP addresses

TRANSPORT_SECURITY

—
All traffic is served over HTTPS with TLS 1.2+.
—
The API enforces CORS to only accept requests from the UCP web origin.
—
GitHub API requests use Bearer token auth over HTTPS.
—
The application is hosted on Vercel and uses Supabase (managed Postgres) — both enforce encryption at rest.

RESPONSIBLE_DISCLOSURE

If you discover a security vulnerability, please report it privately before public disclosure. We take all reports seriously and will respond promptly.

SECURITY_CONTACT: pallavkumarjha26@gmail.com

Please include a description of the vulnerability, steps to reproduce, and potential impact. We aim to acknowledge reports within 48 hours.