Security at PostIdea
Every claim on this page is specific enough to be checked. The last section lists what we deliberately don't claim yet.
Last updated: July 11, 2026
1. The VS Code extension: your source code never leaves your machine
The PostIdea extension detects drift from your locked architecture decisions as you write code. All of that detection runs locally, inside your editor. The extension's only network traffic is fetching your locked decisions from PostIdea and, if you choose, locking or unlocking a decision. It never transmits your source code, file contents, or diffs — there is no code path in the extension that does.1, 2
1. The extension's server address is configurable. If you point it at a server you don't control, your sign-in credentials and decision reads go there — the code-stays-local property still holds, but verify your configuration.
2. This claim is about the extension. The web verification pipeline (below) is different: there, you explicitly upload a diff and file listing for analysis.
2. Web verification: we don't store your code
When you submit code for verification on the web, we do not store your source code. Verification runs entirely in memory: your file listing, file contents, and diff are analyzed, a report is produced, and the code is discarded. What we keep is the report — verdicts, coverage scores, and SHA-256 fingerprints of the inputs and outputs — never the code itself.
The optional AI audit (off by default) sends your code diff — never full file contents — to our AI provider for one-time advisory review. The prompt is not stored; only its fingerprint is. Our AI provider is contractually prohibited from training on it (details in the Privacy Policy). The short-lived retry cache holds a copy of the report with all AI-generated advisory text stripped out, so no text derived from your code sits in any cache — deterministic verdicts, scores, and hashes only, for at most one hour.
3. Platform security
- Sessions: sign-in tokens live in HttpOnly __Host- cookies — JavaScript can't read them, they're only sent over HTTPS, and they can't be scoped onto other domains.
- CSRF protection on every state-changing request.
- Brute-force lockouts: failed sign-ins trigger per-account and per-IP lockouts, applied atomically so they can't be raced.
- Prompt-injection screening at every AI boundary: submitted diffs are normalized (including zero-width and homoglyph tricks) and screened before any AI audit; suspected injection skips the audit and is flagged on the report. Screening is best-effort by nature — which is exactly why AI review is advisory-only and never gates a verdict.
- SSRF-hardened GitHub fetching: repository lookups validate owner, repo, and branch against strict patterns and only ever talk to api.github.com, with per-user request budgets.
- Strict Content Security Policy: the app loads no third-party scripts at all. No analytics, no trackers.
- Transport: TLS 1.2/1.3 only, HTTP redirected to HTTPS, HSTS with preload.
- Blast-radius limits: rate limits per endpoint class, request size caps, internal-only metrics and admin surfaces.
- Account deletion fails closed: deletion is immediate and cascading, and if we can't revoke the account's sessions at the same time, we refuse to proceed rather than leave a half-deleted account.
4. What we don't claim yet
Security pages tend to be written by marketing. This one is written by the person who wrote the code, so here is the honest list of things we are not done with. When an item ships, it moves up into section 3 — not before.
- Session lifetime: sign-in sessions currently last up to 30 days. We plan to shorten this with refresh tokens. Until then, we don't call our sessions short-lived.
- Token revocation: revocation exists (sign-out, account deletion), but if the revocation store is briefly unreachable, checks other than account deletion degrade open to keep the service up. Account deletion is the exception — it fails closed today.
- Backups: we do not yet run encrypted off-site backups. The honest flip side: deletion really is deletion — there is no backup copy of your deleted data. When backups ship, this page and the Privacy Policy will say so, including how long deleted data can persist in them.
5. Reporting a vulnerability
Report security issues to security@postidea.app. We respond within 72 hours. We will not pursue legal action against good-faith security research that respects user data and gives us reasonable time to fix issues before disclosure. Machine-readable details: /.well-known/security.txt.