
Security: AI-Embedded-Open-Source/Meet-Note-Taker


SECURITY.md

Security Policy

Architecture Security Baseline

This repository follows a local-first, zero-secrets model.

  • No API keys are required to run core features.
  • No backend credentials are required.
  • No server storage is required for transcript capture/export.

Changes that violate this baseline are considered a security and scope concern and may be rejected.

Supported Versions

Security fixes are provided for the latest code on the default branch.

  Version                   Supported
  Latest (default branch)   Yes
  Older snapshots/releases  No

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.

Use one of these channels:

  1. GitHub private vulnerability reporting (preferred), if enabled.
  2. Email: opensource@aiemedded.tech

Include:

  • A clear description of the issue.
  • Steps to reproduce.
  • Affected files/features.
  • Proof-of-concept or screenshots if available.
  • Impact assessment (what an attacker can do).

Response Targets

  • Initial acknowledgement: within 3 business days.
  • Triage update: within 7 business days.
  • Fix timeline: based on severity and complexity.

Secret Handling Policy

This repository should not contain secrets. If a secret is discovered:

  1. Revoke/rotate it immediately.
  2. Remove it from repository history.
  3. Re-scan repository history.
  4. Document remediation in the related private security report.

Recommended operational workflow:

  • Run a full-history scan before public release and before major releases.
  • Run PR secret scanning in CI as a merge gate.
  • Keep local pre-commit scanning optional but encouraged for maintainers.

Scope Notes for This Project

This extension handles transcript data in browser local storage and can paste user-selected transcript text into third-party AI websites.

When reporting security issues, include whether the issue involves:

  • Transcript confidentiality.
  • Unauthorized data access in extension storage.
  • Permission scope escalation.
  • Cross-site scripting behavior in content scripts.
  • Unsafe clipboard or download behavior.
