Security notes
This page is written to be defensible: it describes what the product does today, not aspirational guarantees. No system is foolproof—please read the recommendations if you are a solo builder experimenting with real repos.
Vibe Coding Profiler connects to GitHub, fetches commit history, computes metrics, and stores the results in Supabase Postgres. For user-facing reads, row access is scoped to your authenticated account by Supabase Row Level Security (RLS) policies.
The worker that performs analysis uses a server-side Supabase key (the service role key) to write job outputs. That key bypasses RLS entirely, so it can read and write every user's rows; this is powerful by design. It is kept server-side and must never be shipped to browsers or embedded in client code.
Today, the analysis pipeline persists both the inputs it fetched (in the reduced form described below) and the derived outputs, so charts and narratives for a completed job can be reproduced.
Note: a GitHub commit-details response can include file paths and diff snippets. Vibe Coding Profiler's current worker extracts and stores only counts and statistics from it (number of files changed, additions, deletions), not file contents.
GitHub OAuth tokens are encrypted before being stored in the database using application-layer encryption (AES-256-GCM). Decryption happens server-side when the backend needs to call GitHub on your behalf.
If you are self-hosting, treat the token encryption key and the Supabase service role key like production secrets: keep them out of source control, client bundles and logs. If either is compromised, an attacker could decrypt stored GitHub tokens or bypass row-level restrictions.
Vibe Coding Profiler is designed for personal insight. Keep the blast radius small.
If your repository contains sensitive information (secrets, customer details, or private code you are under an agreement not to share), do not connect it.