Security
Report a vulnerability
Do not open a public issue for a suspected vulnerability.
Use GitHub’s private vulnerability reporting flow:
https://github.com/iannuttall/seo/security/advisories/new
Include the affected command, package, or workflow, clear reproduction steps, and the practical impact. Remove Google tokens, API keys, account identifiers, analytics data, private URLs, and client data from every example.
Use GitHub Issues for ordinary questions and non-sensitive bugs.
Local data and credentials
seo is local-first. Project profiles, Google OAuth metadata, crawl reports,
and caches stay on the machine running the command. Access and refresh tokens
use the operating-system keychain when enabled; fallback token files and local
credential files use private file permissions.
Desktop OAuth client credentials are not confidential secrets. User tokens, provider API keys, and analytics data are confidential and must never be committed, pasted into issues, or included in fixtures.
Use seo privacy to inspect local storage and seo reset --yes to remove it.
Google grants can also be revoked at
https://myaccount.google.com/connections.
Maintainer checks
Before a public release or a change to auth, storage, crawling, or provider boundaries, run:
pnpm build
pnpm typecheck
pnpm test
pnpm lint
pnpm security:check
pnpm pack --dry-run
The shared desktop OAuth client values are release build inputs. Store them as GitHub Actions secrets so they are injected only into the release build. Checked-in generated OAuth files must contain placeholders only.
pnpm security:check runs the dependency audit and gitleaks. On macOS the
helper installs gitleaks with Homebrew when it is missing. Other platforms must
install gitleaks first.