Security

How DevBar protects your data, credentials, and infrastructure.

Zero-Storage Architecture

DevBar never stores your platform data on our servers. The data flow is simple: your connected platforms send data via their APIs to the DevBar app running on your Mac, and it is rendered on your screen. Nothing is persisted server-side. When you close DevBar, the data is gone.

Credential Security

All API tokens and credentials are stored exclusively in the macOS Keychain, encrypted by the Secure Enclave. They never leave your device and are never transmitted to DevBar servers. Each token is scoped to the minimum permissions required by the integration.

Authentication

  • SAML 2.0 SSO — Enterprise customers can enforce single sign-on through their identity provider.
  • SCIM provisioning — Automated user provisioning and de-provisioning via your IdP.
  • Passkey — Passwordless sign-in using device-bound credentials (WebAuthn). Supported on macOS, iOS, and any FIDO2 platform authenticator.
  • Touch ID — Biometric unlock for quick, secure access to DevBar.
  • Auto-lock — DevBar locks automatically when your Mac sleeps or the screen locks.

Audit & Compliance

Partitioned audit logging tracks all administrative actions with configurable retention periods. Audit logs can be archived to R2, S3, B2, or GCS for long-term storage and compliance requirements.

Infrastructure

  • HTTPS/TLS — All traffic is encrypted in transit with TLS 1.2+.
  • Security headers — HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options are enforced on all responses.
  • Rate limiting — API endpoints are rate-limited to prevent abuse.

CI/CD Supply Chain

  • API type parity — A CI job regenerates TypeScript types from the backend's OpenAPI spec on every push and fails if they diverge, ensuring the frontend client can never silently drift from the backend contract.
  • Dependency pinning — npm and Go module dependencies are locked via lockfiles and verified against a private LAN registry in CI; no outbound package fetches in the build pipeline.
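As an added example (not DevBar's own CI code), a POSIX shell script with the two guards described above: a lockfile check that fails when any npm package would be fetched from outside the private registry, and a type-parity check that fails when regenerated types differ from the committed file. The registry URL, the generator invocation and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not DevBar's CI. Registry URL and paths are placeholders.

PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-https://registry.lan/npm/}"

# List every "resolved" tarball URL recorded in a package-lock.json.
lock_resolved_urls() {
  grep -o '"resolved": *"[^"]*"' "$1" | sed 's/^"resolved": *"//; s/"$//'
}

# Dependency pinning guard: return 1 if any locked package would be fetched
# from outside the private registry, naming each offender on stderr so the
# CI log shows exactly which entry would cause an outbound fetch.
check_lock_registry() {
  bad=0
  for url in $(lock_resolved_urls "$1"); do
    case "$url" in
      "$PRIVATE_REGISTRY"*) ;;
      *) echo "lockfile resolves outside private registry: $url" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Type parity guard: run the generator on the spec and fail if its output is
# not byte-for-byte identical to the committed client types.
# $1 = generator command (split on spaces, e.g. "npx openapi-typescript",
#      assumed to write to stdout), $2 = OpenAPI spec, $3 = committed file.
check_type_parity() {
  tmp="$(mktemp)"
  $1 "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
  if cmp -s "$tmp" "$3"; then
    rm -f "$tmp"; return 0
  fi
  echo "generated types diverge from $3; regenerate and commit" >&2
  diff -u "$3" "$tmp" >&2 || true
  rm -f "$tmp"
  return 1
}

# CI entry point: both guards must pass for the job to succeed.
ci_supply_chain_checks() {
  check_lock_registry "${1:-package-lock.json}" &&
  check_type_parity "npx openapi-typescript" "${2:-api/openapi.json}" \
                    "${3:-src/api/types.ts}"
}
```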

Compliance Roadmap

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly. Do not open a public issue or disclose the vulnerability publicly until a fix has been released.

  1. Email [email protected] with a description, steps to reproduce, and a proof-of-concept.
  2. We will acknowledge your report within 5 business days.
  3. We investigate the issue and keep you informed of our progress.
  4. Once a fix is released, we coordinate public disclosure with you.

You can also reach us directly at [email protected].

Known Upstream Vulnerabilities

These vulnerabilities are tracked and accepted. Neither is exploitable in the production runtime — both are confined to the build/codegen pipeline.

Advisory | Package | Severity | Scope | Status
GHSA-qx2v-qp2m-jg93 | postcss <8.5.10 (via next) | Moderate | Build-time only | Accepted — fix requires Next.js downgrade
GHSA-g9mf-h72j-4rw9 et al. (5 advisories) | undici ≤6.23.0 (via openapi-typescript) | High | Dev/CI only | Accepted — blocked on swaggo OpenAPI 3.x output