Security

The extension should stay boring, scoped, and inspectable.

Goalden touches sensitive habits and, later, sensitive work sources. The security model should keep permissions narrow, secrets out of the browser bundle, and user controls visible.

No AI keys in the extension

Claude, Kimi, OpenAI, or other model keys should live on a backend, not inside the Chrome extension. The extension should call a controlled endpoint for AI evaluation.

Narrow permissions

The MVP needs local storage, supported distraction sites, and browser UI permissions. Future integrations should request source-specific access instead of broad account access.

Security commitments

Local-first where possible: Extension settings, timer state, and basic progress logs should stay in Chrome storage unless a backend feature is explicitly enabled.
Revocable source access: Disconnecting Slack, Notion, Telegram, WhatsApp, email, or docs should stop future reads from that source.
Review before action: Extracted tasks should be visible before they become recurring blockers or high-friction prompts.
Clear failure behavior: If AI evaluation fails, Goalden should show a plain error and avoid silently changing user data.
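
One way the "No AI keys in the extension", "Review before action", and "Clear failure behavior" points could fit together in extension code. This is an added sketch, not Goalden's own code. The endpoint URL, the response fields (isDistraction, reason), the pendingReview storage key, and the function names are assumptions made for illustration.

```javascript
// Hypothetical backend route. The model API key lives only on that server.
const EVAL_ENDPOINT = "https://backend.example/api/evaluate";

// In-memory stand-in for chrome.storage.local (constructed for this example)
// so the logic can run outside the browser.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    get: async (key) => (key in data ? { [key]: data[key] } : {}),
    set: async (items) => { Object.assign(data, items); },
    dump: () => JSON.parse(JSON.stringify(data)),
  };
}

// deps.fetch and deps.storage are injected; in the extension they would be
// globalThis.fetch and chrome.storage.local.
async function evaluateAndStage(taskText, deps) {
  let verdict;
  try {
    const res = await deps.fetch(EVAL_ENDPOINT, {
      method: "POST",
      // No Authorization header with a model key: the extension holds none.
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ task: taskText }),
    });
    if (!res.ok) throw new Error(`backend returned HTTP ${res.status}`);
    verdict = await res.json();
    // Validate the response shape before trusting it.
    if (!verdict || typeof verdict.isDistraction !== "boolean" ||
        typeof verdict.reason !== "string") {
      throw new Error("malformed evaluation response");
    }
  } catch (err) {
    // Clear failure behavior: return a plain error and write nothing.
    return { ok: false, error: `AI evaluation failed: ${err.message}` };
  }
  // Review before action: stage the result for the user, do not activate it.
  const { pendingReview = [] } = await deps.storage.get("pendingReview");
  const staged = {
    task: taskText,
    isDistraction: verdict.isDistraction,
    reason: verdict.reason,
    approved: false,
  };
  await deps.storage.set({ pendingReview: [...pendingReview, staged] });
  return { ok: true, staged };
}
```

Storage is written only after the response has been received and validated, so a network error, a non-2xx status, or a malformed body leaves existing user data exactly as it was.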