We release security updates for the following versions of tmpo:

We recommend always using the latest stable release to ensure you have the most recent security patches.

tmpo is a local-first CLI tool that stores time tracking data on your machine. Here are some security aspects to be aware of:

• All time entries are stored in a SQLite database at $HOME/.tmpo/tmpo.db
• The database is only accessible to your user account (standard file permissions apply)
• No data is transmitted over the network

• .tmporc files may contain project-specific configuration including hourly rates
• These files are stored in plain text and inherit directory permissions
• Be cautious when committing .tmporc files to version control if they contain sensitive rate information

• tmpo uses Git commands for automatic project detection
• Only basic Git metadata (repository name) is accessed
• No Git credentials or remote repository data is used

If you discover a security vulnerability in tmpo, please report it responsibly:

Report via GitHub Security Advisories

• Description of the vulnerability
• Steps to reproduce the issue
• Affected versions (if known)
• Potential impact
• Any suggested fixes (optional)

• We will acknowledge your report within 48 hours
• We will provide an initial assessment within 5 business days
• We will work to release a fix as quickly as possible depending on severity

Please do not publicly disclose the vulnerability until we have had a chance to address it and release a fix. We will credit security researchers who report valid vulnerabilities (unless you prefer to remain anonymous).

When using tmpo, we recommend:

• Keep your tmpo binary updated to the latest version
• Be mindful of what information you include in time entry descriptions
• Review .tmporc files before committing them to public repositories
• Use appropriate file permissions for your ~/.tmpo/ directory
• Regularly backup your time tracking data if it's business-critical