No accounts
ForkFirst does not tie keys, searches, or handoffs to a hosted user account.
Open source and BYOK first
ForkFirst is open source, BYOK, and session-only by default. We do not use accounts, do not store API keys server-side, and only forward keys to GitHub or your selected AI provider when you trigger a request.
Keys live in browser session storage unless the user opts into Remember keys.
API keys are not intentionally logged, written to SQLite, or persisted on the server.
GitHub tokens go to GitHub. AI keys go to the selected AI provider, only for actions the user triggers.
Users can inspect the code, run it locally, and confirm the request flow themselves.
On the public hosted site, keys you enter in the browser are sent to ForkFirst API routes only for actions you trigger, such as verification, repo research, chat, or live trending with a GitHub token. The route forwards the key to GitHub or your selected AI provider. Keys are not intentionally logged or stored server-side.
Default key storage is session-only. Remember keys is opt-in and stores keys in this browser's localStorage. Browser extensions, malware, someone with your unlocked device, or any future XSS bug could read browser storage, so use scoped, revocable keys with spend limits.
Saved chats, saved repos, saved Build Packs, prompt packs, and usage entries are stored in browser localStorage by default. ForkFirst does not attach that data to a hosted user account.
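The storage contract above (session-only by default, "Remember keys" as an explicit opt-in to localStorage) can be captured in one small module. The code below is an added example, not ForkFirst's own implementation; the `KeyVault` class, the storage-key names, and the in-memory `MemoryStore` stand-in for the browser's `sessionStorage`/`localStorage` are all assumptions made so it runs outside a browser. The point it makes that the prose does not: opting back out of Remember keys has to wipe every persisted copy, while the session copy stays until the tab closes.

```typescript
// Added example, not ForkFirst's code. Models: session storage by default, opt-in
// mirroring into persistent storage, and opt-out wiping every persisted copy.
// Class name, storage-key names and the MemoryStore stand-in are assumptions.

type Provider = "github" | "ai";
const PROVIDERS: readonly Provider[] = ["github", "ai"];

// Minimal subset of the Web Storage API so the example runs without a browser.
export interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for window.sessionStorage / window.localStorage.
export class MemoryStore implements KeyValueStore {
  private data = new Map<string, string>();
  getItem(key: string): string | null { return this.data.get(key) ?? null; }
  setItem(key: string, value: string): void { this.data.set(key, value); }
  removeItem(key: string): void { this.data.delete(key); }
}

const REMEMBER_FLAG = "forkfirst:rememberKeys";        // assumed storage key
const slot = (p: Provider): string => `forkfirst:key:${p}`; // assumed key pattern

export class KeyVault {
  // In the browser: `session` = window.sessionStorage, `persistent` = window.localStorage.
  constructor(
    private readonly session: KeyValueStore,
    private readonly persistent: KeyValueStore,
  ) {}

  rememberEnabled(): boolean {
    return this.persistent.getItem(REMEMBER_FLAG) === "1";
  }

  // Opt-in mirrors the current session keys into persistent storage.
  // Opt-out removes every persisted copy; the session copy lives until the tab closes.
  setRemember(enabled: boolean): void {
    if (enabled) {
      this.persistent.setItem(REMEMBER_FLAG, "1");
      for (const p of PROVIDERS) {
        const k = this.session.getItem(slot(p));
        if (k !== null) this.persistent.setItem(slot(p), k);
      }
    } else {
      this.persistent.removeItem(REMEMBER_FLAG);
      for (const p of PROVIDERS) this.persistent.removeItem(slot(p));
    }
  }

  set(provider: Provider, key: string): void {
    this.session.setItem(slot(provider), key);
    if (this.rememberEnabled()) this.persistent.setItem(slot(provider), key);
  }

  // Session first; the persisted copy is consulted only when the user opted in.
  get(provider: Provider): string | null {
    const fromSession = this.session.getItem(slot(provider));
    if (fromSession !== null) return fromSession;
    if (!this.rememberEnabled()) return null;
    const persisted = this.persistent.getItem(slot(provider));
    if (persisted !== null) this.session.setItem(slot(provider), persisted);
    return persisted;
  }

  // Forget a key everywhere, e.g. after the user revoked it at the provider.
  clear(provider: Provider): void {
    this.session.removeItem(slot(provider));
    this.persistent.removeItem(slot(provider));
  }
}
```

Reading the flag from persistent storage rather than from memory is deliberate: the choice has to survive a page reload, and a fresh tab must be able to rehydrate its session copy from the persisted one only when that flag is still set.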
ForkFirst includes per-IP rate limits on key verification, repo research, chat, trending, and idea refinement. Local development uses in-memory limits. Hosted deployments should set `UPSTASH_REDIS_REST_URL` and `UPSTASH_REDIS_REST_TOKEN` so limits are durable across serverless instances and restarts.
Rate limits reduce casual abuse; they do not replace auth, bot protection, WAF rules, provider spend limits, or careful monitoring if you run a high-traffic public deployment.
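The two-mode limiter described above (in-memory for local development, a durable store for hosted deployments) comes down to one store interface with two implementations. The block below is an added example, not ForkFirst's code: the route names match the five limited actions listed above, but the quotas, the `LimitStore` interface, and the helper names are assumptions. Only the in-memory store is implemented here; a hosted deployment would implement the same `increment` method over Redis (an INCR with an expiry set on the first hit of each window) so counts survive across serverless instances.

```typescript
// Added example, not ForkFirst's code: fixed-window per-IP limiter behind a
// pluggable store. Route names come from the page; quotas and names are assumptions.

export interface LimitStore {
  // Increment the counter for `key`, opening a new window of `windowMs` if none is active.
  increment(key: string, windowMs: number, now: number): { count: number; resetAt: number };
}

// Local-development store: lives in one process, so counts reset on restart
// and are not shared between serverless instances.
export class MemoryLimitStore implements LimitStore {
  private buckets = new Map<string, { count: number; resetAt: number }>();
  increment(key: string, windowMs: number, now: number): { count: number; resetAt: number } {
    const bucket = this.buckets.get(key);
    if (bucket === undefined || now >= bucket.resetAt) {
      const fresh = { count: 1, resetAt: now + windowMs };
      this.buckets.set(key, fresh);
      return fresh;
    }
    bucket.count += 1;
    return bucket;
  }
}

export interface LimitPolicy { max: number; windowMs: number }

// Assumed quotas for the five limited actions.
export const POLICIES: Record<string, LimitPolicy> = {
  verify:   { max: 10, windowMs: 60_000 },
  research: { max: 20, windowMs: 60_000 },
  chat:     { max: 30, windowMs: 60_000 },
  trending: { max: 30, windowMs: 60_000 },
  refine:   { max: 20, windowMs: 60_000 },
};

export interface LimitResult { allowed: boolean; remaining: number; retryAfterSeconds: number }

export function checkLimit(
  store: LimitStore,
  route: string,
  ip: string,
  now: number = Date.now(),
): LimitResult {
  const policy = POLICIES[route];
  // Fail closed: a route without a policy is a configuration bug, not an unlimited route.
  if (policy === undefined) throw new Error(`no rate-limit policy for route "${route}"`);
  const { count, resetAt } = store.increment(`${route}:${ip}`, policy.windowMs, now);
  const allowed = count <= policy.max;
  return {
    allowed,
    remaining: Math.max(0, policy.max - count),
    retryAfterSeconds: allowed ? 0 : Math.ceil((resetAt - now) / 1000),
  };
}

// Client address behind a proxy. x-forwarded-for is only meaningful when the platform
// in front of the app sets it; if clients can supply it themselves, the limit is keyed
// on a value they control and gives no protection.
export function clientIp(headers: Record<string, string | undefined>): string {
  const forwarded = headers["x-forwarded-for"];
  if (forwarded) return forwarded.split(",")[0].trim();
  return headers["x-real-ip"] ?? "unknown";
}
```

The `retryAfterSeconds` value is what a route should send back in a `Retry-After` header with the 429 response, so well-behaved clients back off instead of hammering the endpoint.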
ForkFirst may use Vercel Web Analytics for basic production traffic numbers and Microsoft Clarity for masked heatmaps/session diagnostics. Analytics events describe product actions, such as starting a check or downloading a handoff, but should not include raw idea text, API keys, README text, or handoff contents.
Sensitive app surfaces such as chat transcripts, repo details, README excerpts, handoff files, and key settings are marked for Clarity masking. If you run your own deployment, keep Clarity masking strict and do not add analytics that captures user-entered prompts or secrets.
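One way to hold the line that analytics events describe product actions but never carry prompts, README text, or keys is to build every event through a per-event allowlist. The block below is an added example, not ForkFirst's own analytics code; the event names, property names, and the key-prefix pattern are assumptions chosen to illustrate the approach.

```typescript
// Added example, not ForkFirst's code: analytics payloads pass through a per-event
// allowlist and a scalar check, so free text cannot ride along in an event.
// Event names, property names and the prefix pattern are assumptions.

type Scalar = string | number | boolean;

// Allowed properties per event. Any other property is dropped before the event is sent.
const EVENT_SCHEMAS: Record<string, readonly string[]> = {
  check_started:      ["inputKind", "hasGithubToken"],
  handoff_downloaded: ["format", "sectionCount"],
  chat_message_sent:  ["provider", "turn"],
};

const MAX_STRING = 32;                         // enum-like values only; longer looks like content
const SECRET_LIKE = /^(ghp_|github_pat_|sk-)/; // common GitHub / OpenAI-style key prefixes

// A value is safe when it is a boolean, a finite number, or a short token without
// whitespace that does not look like a credential.
function isSafeScalar(v: unknown): v is Scalar {
  if (typeof v === "boolean") return true;
  if (typeof v === "number") return Number.isFinite(v);
  if (typeof v !== "string") return false;
  return v.length <= MAX_STRING && !/\s/.test(v) && !SECRET_LIKE.test(v);
}

export function buildAnalyticsEvent(
  name: string,
  props: Record<string, unknown>,
): { name: string; props: Record<string, Scalar> } | null {
  const allowed = EVENT_SCHEMAS[name];
  if (allowed === undefined) return null; // unknown events are dropped, never forwarded
  const clean: Record<string, Scalar> = {};
  for (const key of allowed) {
    const v = props[key];
    if (v !== undefined && isSafeScalar(v)) clean[key] = v;
  }
  return { name, props: clean };
}
```

This covers the events you emit yourself. For what Clarity records from the DOM, the masking is controlled on the elements: Clarity masks content inside elements carrying `data-clarity-mask="true"`, so wrapping a chat transcript, README excerpt, or key settings form in such an element is the concrete form of "marked for Clarity masking" above.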
If you clone the repo and run ForkFirst locally, the browser still sends keys to the Next.js API route, but that route is running on your own machine. Your keys are then forwarded directly from your machine to GitHub or your selected AI provider.
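The forwarding flow described for both the hosted site and a local clone (browser sends the key to the API route, the route forwards it to GitHub or the AI provider, nothing about the key is logged) is easiest to keep honest when the decision of what goes upstream and what goes into the log is a pure function, separate from the network call. The block below is an added example, not ForkFirst's route code. The GitHub `GET https://api.github.com/user` call is the documented way to check which account a token belongs to; the AI provider URL, the request and log-record shapes, and the function names are assumptions.

```typescript
// Added example, not ForkFirst's code: builds the upstream request and a metadata-only
// log record from the browser's request, then performs the call through an injected fetch.
// The AI provider URL, shapes and names are assumptions; the GitHub /user endpoint is real.

export type Provider = "github" | "ai";

export interface BrowserRequest {
  requestId: string;
  provider: Provider;
  apiKey: string;     // present only because the user triggered this action
  payload?: unknown;  // JSON body for POST providers
}

// Where each provider's key is forwarded. The AI URL is a placeholder.
const UPSTREAM: Record<Provider, { url: string; method: "GET" | "POST" }> = {
  github: { url: "https://api.github.com/user", method: "GET" },
  ai:     { url: "https://ai-provider.example/v1/chat", method: "POST" },
};

export interface UpstreamCall { url: string; method: string; headers: Record<string, string>; body?: string }
export interface LogRecord { requestId: string; provider: Provider; keyPresent: boolean; bodyBytes: number }

// Pure step: no I/O, so the "key never reaches the log" rule can be tested offline.
export function prepareForward(req: BrowserRequest): { upstream: UpstreamCall; log: LogRecord } {
  if (!req.apiKey) throw new Error("missing key: nothing to forward");
  const target = UPSTREAM[req.provider];
  const body = target.method === "POST" ? JSON.stringify(req.payload ?? {}) : undefined;
  const headers: Record<string, string> = {
    Authorization: `Bearer ${req.apiKey}`,
    Accept: "application/json",
  };
  if (body !== undefined) headers["Content-Type"] = "application/json";
  const upstream: UpstreamCall = { url: target.url, method: target.method, headers, body };
  // Built from metadata only; the key is never a field here.
  const log: LogRecord = {
    requestId: req.requestId,
    provider: req.provider,
    keyPresent: true,
    bodyBytes: body?.length ?? 0,
  };
  return { upstream, log };
}

// Last line of defence for log lines assembled elsewhere (error messages, debug output):
// never emit a line that contains the secret in the clear.
export function safeLogLine(line: string, secret: string): string {
  return secret.length > 0 && line.includes(secret) ? line.split(secret).join("[redacted]") : line;
}

// fetch is injected so the network step can be exercised against a fake provider.
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body?: string },
) => Promise<{ status: number; text(): Promise<string> }>;

export async function forwardToProvider(
  req: BrowserRequest,
  fetchImpl: FetchLike,
): Promise<{ status: number; body: string }> {
  const { upstream, log } = prepareForward(req);
  const res = await fetchImpl(upstream.url, { method: upstream.method, headers: upstream.headers, body: upstream.body });
  console.log(JSON.stringify({ ...log, status: res.status })); // metadata only
  return { status: res.status, body: await res.text() };
}
```

Running the same code locally changes only where `forwardToProvider` executes (your machine instead of the hosted route); the request the browser makes and the headers sent upstream are identical, which is exactly what lets you confirm the flow yourself by reading the code.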
ForkFirst exports Markdown handoffs instead of locking you into one coding tool. The same repo-first packet can guide the builders you already use.
`npm audit --omit=dev` is expected to pass before launch. ForkFirst tracks dependency security notes in `docs/security-advisories.md` and should avoid forced audit fixes that downgrade core framework packages without review.
A hosted BYOK app can reduce risk, but it cannot eliminate it. Risks include malicious browser extensions, compromised devices, provider-side logging, network or device malware, XSS bugs, supply-chain bugs, phishing lookalikes, and users pasting overly powerful API keys. Treat this page as a living security contract.
Please do not open a public issue with secrets or exploit details. Use a private GitHub Security Advisory so the maintainer can fix and disclose responsibly. If the project publishes a support email, use that for non-sensitive questions.