Security & Privacy
What Weevar reads, what it sends, and where it ends.
Data handling
- Weevar runs entirely in your browser, against your local dev server.
- It reads DOM and React Fiber metadata to build prompts: text content, class names, component names, tag names, and source locations.
- It does not require, and does not include, any backend service.
- It does not make network requests at runtime. (No telemetry, no analytics, no opt-in or opt-out; there is nothing to opt into.)
- The clipboard write at copy time is the only side effect that leaves the page, and it's a standard browser clipboard API call triggered by a user gesture.
Production safety
- The package's exports field uses a development condition. In a production build (NODE_ENV=production), bundlers resolve weevar/react to a tiny stub that exports a component returning null.
- The dev runtime tree-shakes away entirely, leaving no Weevar-specific code in your production bundle.
To verify, run a production build of your app and grep for wv-, __weevar, or any other Weevar prefix. You should find nothing in the output.
For belt-and-suspenders, gate the import yourself:
{process.env.NODE_ENV === "development" && <Weevar />}
Shadow DOM isolation
Weevar's UI lives inside a closed shadow root attached to document.body. This means:
- Your CSS doesn't leak in (so resets and global selectors don't break the tool dock).
- Weevar's CSS doesn't leak out.
- Host JavaScript can't introspect Weevar's internal state via element.shadowRoot (closed mode is true to its name).
Sensitive content in prompts
Generated prompts include text snippets from the elements you select; that is how AI agents identify things. If your dev environment renders user data, secrets, or PII in the page, they will appear in copied prompts.
Recommended:
- Use placeholder data in dev when feasible.
- Review prompts in the Prompt tray before copying. Weevar doesn't auto-send anything; the copy step is always explicit.
- If you're working in a regulated environment, treat copied prompts the same way you'd treat a screenshot of your dev environment.
Recommended team policy
- Don't paste prompts containing customer data into hosted AI tools without an internal review.
- Add a CI check that greps your production bundle for Weevar symbols if you want a hard guarantee.
- Log issues against environments where Weevar's no-op resolution doesn't seem to be working (we'd like to know).
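The CI check recommended above, written out as an added example (not part of Weevar's own package): it greps a production build directory for the markers named under Production safety and fails the job if any survive. The build directory argument, the file extensions scanned, and the constructed fixture files are assumptions.

```shell
#!/usr/bin/env sh
# Added example: fail CI when Weevar symbols survive into a production bundle.
# Markers come from the docs above (wv-, __weevar) plus the package specifier.
WEEVAR_MARKERS='wv- __weevar weevar/react'

# Returns 0 if no marker appears in any .js/.mjs/.css file under $1,
# 1 if at least one does, 2 if the directory does not exist.
check_bundle_clean() {
  dir="${1:-dist}"
  [ -d "$dir" ] || { echo "check_bundle_clean: no such directory: $dir" >&2; return 2; }
  status=0
  for marker in $WEEVAR_MARKERS; do
    # -r recurse, -I skip binaries, -F literal match, -l list file names only
    hits=$(grep -rIlF --include='*.js' --include='*.mjs' --include='*.css' -- "$marker" "$dir" 2>/dev/null)
    if [ -n "$hits" ]; then
      echo "FAIL: marker '$marker' found in:" >&2
      printf '  %s\n' $hits >&2
      status=1
    fi
  done
  [ "$status" -eq 0 ] && echo "OK: no Weevar symbols in $dir"
  return "$status"
}

# Constructed fixture so the check can be exercised without a real app build.
# $1 = output directory, $2 = "clean" or "leaky" (dev runtime not tree-shaken).
make_sample_bundle() {
  dir="$1"
  mkdir -p "$dir/assets"
  printf 'console.log("app");\n' > "$dir/assets/app.js"
  printf 'body{margin:0}\n' > "$dir/assets/app.css"
  if [ "$2" = "leaky" ]; then
    printf 'window.__weevar={};document.body.classList.add("wv-dock");\n' \
      > "$dir/assets/weevar-runtime.js"
  fi
}

# Usage in CI, after `npm run build`:  sh check-weevar.sh dist
if [ -n "${1:-}" ]; then
  check_bundle_clean "$1"
fi
```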