A Chrome extension that shows DevTrace contributor trust scores inline on GitHub. It adds a small DevTrace badge next to GitHub usernames; click it to see a trust score, grade, and risk summary — the same signals the DevTrace GitHub Action posts on pull requests.
- Injects a DevTrace gauge badge next to contributor links on
github.com. - Click the badge to open a score card: letter grade, score (0.00–1.00), and risk summary.
- "Full review →" links to
https://devtrace.thingz.io/score/<username>for the complete breakdown. - Works anonymously out of the box. Add an optional API token for deeper scoring (profile, signals, AI sensing, repo context).
Listing link TBD.
npm ci
npm run build # outputs a loadable extension to dist/Then in Chrome: open chrome://extensions, enable Developer mode, click Load unpacked, and select the dist/ folder.
Without a token you get the basic score. For deeper scoring, create an API token (dt_ prefix) at devtrace.thingz.io/settings, then open the extension's options page and paste it in.
- The token is stored locally in your browser via
chrome.storage.sync; it is never sent anywhere except DevTrace. - Only the username you click (and the current
owner/repofor context) is sent tohttps://devtrace.thingz.io. No browsing history or page content is collected. - The extension requests only the
storagepermission and host access tohttps://devtrace.thingz.io/*. - Score data is fetched by the background service worker and rendered inside an isolated Shadow DOM using
textContent(neverinnerHTMLfor dynamic values), so API responses cannot inject markup into GitHub pages.
See PRIVACY.md for the full privacy policy.
content script (github.com) ──click──▶ background service worker ──HTTPS──▶ devtrace.thingz.io
scans usernames, holds optional token, /api/v1/score/{user}
injects badge, 5-min cache,
renders Shadow-DOM card ◀──result── bypasses CORS via host_permissions
npm test # jest + jsdom unit tests
npm run lint # tsc --noEmit
npm run build # bundle to dist/ via esbuild
npm run icons # regenerate PNG icons from the gauge mark (requires sharp)The build is reproducible: npm ci && npm run build from a clean checkout produces the published dist/. Icons are committed under public/icons/ and generated deterministically from public/icons/devtrace.svg by scripts/gen-icons.mjs.
Tagging a release (vX.Y.Z) builds and attaches devtrace-extension.zip to a GitHub Release for Web Store upload.
- Build
dist/and zip it (or download thedevtrace-extension.zipRelease artifact). - Create a Chrome Web Store developer account (one-time $5 fee).
- Upload the zip and complete the listing: description, screenshots, and privacy practices — declare the
storagepermission and host access tohttps://devtrace.thingz.io. - Justify permissions:
storage(token persistence) and the single host permission (score API). - Submit for review and link this public repository.
MIT — see LICENSE.