feat: by default disable remember and enhance security

Author: starit

.github/pages-index.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Themed.js – Demos</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: system-ui, -apple-system, sans-serif;
+      background: #0f172a;
+      color: #e2e8f0;
+      min-height: 100vh;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      padding: 2rem;
+    }
+    h1 { font-size: 2rem; margin-bottom: 0.5rem; color: #f8fafc; }
+    p { color: #94a3b8; margin-bottom: 2rem; }
+    .links {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 1rem;
+      justify-content: center;
+    }
+    a {
+      display: inline-block;
+      padding: 0.75rem 1.5rem;
+      background: #334155;
+      color: #f8fafc;
+      text-decoration: none;
+      border-radius: 0.5rem;
+      font-weight: 500;
+      transition: background 0.2s;
+    }
+    a:hover { background: #475569; }
+  </style>
+</head>
+<body>
+  <h1>Themed.js</h1>
+  <p>Theme management with AI-powered generation. Pick a demo:</p>
+  <div class="links">
+    <a href="react/">React</a>
+    <a href="vue/">Vue</a>
+    <a href="vanilla/">Vanilla</a>
+  </div>
+</body>
+</html>

.github/workflows/deploy-pages.yml

@@ -0,0 +1,84 @@
+# Deploy Themed.js demos (React, Vue, Vanilla) to GitHub Pages
+# Site: https://<user>.github.io/themed.js/
+
+name: Deploy to GitHub Pages
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: 'pages'
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build core
+        run: pnpm --filter @themed.js/core run build
+
+      - name: Build React example
+        run: pnpm --filter themed-react-example run build
+        env:
+          VITE_BASE: /${{ github.event.repository.name }}/react/
+
+      - name: Build Vue example
+        run: pnpm --filter themed-vue-example run build
+        env:
+          VITE_BASE: /${{ github.event.repository.name }}/vue/
+
+      - name: Build Vanilla example
+        run: pnpm --filter themed-vanilla-example run build
+        env:
+          VITE_BASE: /${{ github.event.repository.name }}/vanilla/
+
+      - name: Prepare deploy directory
+        run: |
+          mkdir -p deploy/react deploy/vue deploy/vanilla
+          cp -r examples/react/dist/* deploy/react/
+          cp -r examples/vue/dist/* deploy/vue/
+          cp -r examples/vanilla/dist/* deploy/vanilla/
+          cp .github/pages-index.html deploy/index.html
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v4
+        with:
+          path: deploy
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

README.md

@@ -266,6 +266,24 @@ interface ThemeTokens {
 }
 ```
 
+## Deploying to GitHub Pages
+
+The repo includes a workflow that builds the React, Vue, and Vanilla examples and deploys them to GitHub Pages.
+
+1. **Enable GitHub Pages**  
+   In the repo: **Settings → Pages → Build and deployment**:  
+   - Source: **GitHub Actions**.
+
+2. **Push to `main`**  
+   The workflow runs on every push to `main` (or trigger it manually via **Actions → Deploy to GitHub Pages → Run workflow**).
+
+3. **Open the site**  
+   After deployment, the site is at:  
+   **https://\<your-username\>.github.io/themed.js/**  
+   - Landing: links to [React](https://starit.github.io/themed.js/react/), [Vue](https://starit.github.io/themed.js/vue/), [Vanilla](https://starit.github.io/themed.js/vanilla/) demos.
+
+API keys are not embedded; users enter their own key in each demo’s UI (safe for public hosting).
+
 ## Development
 
 ```bash

examples/react/src/App.tsx

@@ -28,7 +28,7 @@ function AIConfigPanel() {
   const { configureAI, isConfigured, modelInfo } = useAITheme();
   const [apiKey, setApiKey] = useState('');
   const [provider, setProvider] = useState<typeof PROVIDERS[number]['value']>('openai');
-  const [remember, setRemember] = useState(true);
+  const [remember, setRemember] = useState(false);
   const [expanded, setExpanded] = useState(!isConfigured);
 
   // Load saved config on mount
@@ -40,6 +40,7 @@ function AIConfigPanel() {
         if (key) {
           setApiKey(key);
           setProvider(p || 'openai');
+          setRemember(true);
           configureAI({
             provider: p || 'openai',
             apiKey: key,
@@ -70,6 +71,7 @@ function AIConfigPanel() {
     } else {
       localStorage.removeItem(AI_CONFIG_STORAGE_KEY);
     }
+    setApiKey('');
     setExpanded(false);
   };
 
@@ -90,7 +92,10 @@ function AIConfigPanel() {
       {expanded && (
         <div className="ai-config-form">
           <p className="ai-config-hint">
-            Enter your API key to enable AI theme generation. It stays in your browser only.
+            Your API key is stored only on your device and is never sent to our servers or collected. It is used only to call the AI provider you choose.
+          </p>
+          <p className="ai-config-security">
+            We never collect or log your key. For stronger security, uncheck Remember so the key is not saved to disk (session only).
           </p>
           <div className="ai-config-row">
             <select
@@ -105,9 +110,11 @@ function AIConfigPanel() {
               ))}
             </select>
             <input
-              type="password"
-              className="ai-config-input"
+              type="text"
+              autoComplete="off"
+              className="ai-config-input ai-config-key-input"
               placeholder="API Key"
+              spellCheck={false}
               value={apiKey}
               onChange={(e) => setApiKey(e.target.value)}
               onKeyDown={(e) => e.key === 'Enter' && handleSave()}
@@ -197,8 +204,8 @@ function AIGenerator() {
     try {
       await generate(prompt);
       setPrompt('');
-    } catch (e) {
-      console.error('Failed to generate:', e);
+    } catch {
+      // Error shown via useAITheme().error; do not log to avoid leaking any sensitive data
     }
   };
 

examples/react/src/styles.css

@@ -97,6 +97,16 @@ p {
   margin: 0.75rem 0 0.5rem;
 }
 
+.ai-config-security {
+  font-size: var(--themed-font-size-xs);
+  color: var(--themed-color-text-secondary);
+  margin: 0 0 0.75rem;
+  padding: 0.5rem 0.75rem;
+  background: var(--themed-color-background);
+  border-radius: 0.375rem;
+  border: 1px solid var(--themed-color-border);
+}
+
 .ai-config-row {
   display: flex;
   gap: 0.5rem;
@@ -130,6 +140,11 @@ p {
   border-color: var(--themed-color-primary);
 }
 
+/* Mask API key so browser does not offer to save as password; type="text" + this avoids password-manager prompts */
+.ai-config-key-input {
+  -webkit-text-security: disc;
+}
+
 .ai-config-actions {
   display: flex;
   flex-wrap: wrap;

examples/react/vite.config.ts

@@ -2,6 +2,7 @@ import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
 
 export default defineConfig({
+  base: process.env.VITE_BASE ?? '/',
   plugins: [react()],
   server: {
     port: 3001,

examples/vanilla/index.html

@@ -104,6 +104,16 @@
       margin: 0.75rem 0 0.5rem;
     }
 
+    .ai-config-security {
+      font-size: var(--themed-font-size-xs);
+      color: var(--themed-color-text-secondary);
+      margin: 0 0 0.75rem;
+      padding: 0.5rem 0.75rem;
+      background: var(--themed-color-background);
+      border-radius: 0.375rem;
+      border: 1px solid var(--themed-color-border);
+    }
+
     .ai-config-row {
       display: flex;
       gap: 0.5rem;
@@ -137,6 +147,11 @@
       border-color: var(--themed-color-primary);
     }
 
+    /* Mask API key so browser does not offer to save as password; type="text" + this avoids password-manager prompts */
+    .ai-config-key-input {
+      -webkit-text-security: disc;
+    }
+
     .ai-config-actions {
       display: flex;
       flex-wrap: wrap;
@@ -361,7 +376,10 @@ <h1>Themed.js Demo</h1>
       </button>
       <div class="ai-config-form" id="ai-config-form" style="display: none">
         <p class="ai-config-hint">
-          Enter your API key to enable AI theme generation. It stays in your browser only.
+          Your API key is stored only on your device and is never sent to our servers or collected. It is used only to call the AI provider you choose.
+        </p>
+        <p class="ai-config-security">
+          We never collect or log your key. For stronger security, uncheck Remember so the key is not saved to disk (session only).
         </p>
         <div class="ai-config-row">
           <select id="ai-config-provider" class="ai-config-select">
@@ -373,15 +391,17 @@ <h1>Themed.js Demo</h1>
             <option value="deepseek">DeepSeek</option>
           </select>
           <input
-            type="password"
+            type="text"
             id="ai-config-key"
-            class="ai-config-input"
+            class="ai-config-input ai-config-key-input"
             placeholder="API Key"
+            autocomplete="off"
+            spellcheck="false"
           />
         </div>
         <div class="ai-config-actions">
           <label class="ai-config-remember">
-            <input type="checkbox" id="ai-config-remember" checked />
+            <input type="checkbox" id="ai-config-remember" />
             Remember (localStorage)
           </label>
           <div class="ai-config-buttons">

examples/vanilla/vite.config.ts

@@ -1,6 +1,7 @@
 import { defineConfig } from 'vite';
 
 export default defineConfig({
+  base: process.env.VITE_BASE ?? '/',
   server: {
     port: 3000,
   },

examples/vue/src/App.vue

@@ -18,7 +18,7 @@ const { generate, isGenerating, error, isConfigured, modelInfo, configureAI } =
 
 const apiKey = ref('');
 const provider = ref<(typeof PROVIDERS)[number]['value']>('openai');
-const remember = ref(true);
+const remember = ref(false);
 const configExpanded = ref(true);
 
 onMounted(() => {
@@ -29,6 +29,7 @@ onMounted(() => {
       if (key) {
         apiKey.value = key;
         provider.value = p || 'openai';
+        remember.value = true;
         const prov = PROVIDERS.find((x) => x.value === (p || 'openai'));
         configureAI({
           provider: p || 'openai',
@@ -67,6 +68,7 @@ const handleSaveConfig = () => {
   } else {
     localStorage.removeItem(AI_CONFIG_STORAGE_KEY);
   }
+  apiKey.value = '';
   configExpanded.value = false;
 };
 
@@ -96,8 +98,8 @@ const handleGenerate = async () => {
   try {
     await generate(prompt.value);
     prompt.value = '';
-  } catch (e) {
-    console.error('Failed to generate:', e);
+  } catch {
+    // Error shown via useAITheme().error; do not log to avoid leaking any sensitive data
   }
 };
 
@@ -162,7 +164,10 @@ const downloadThemeColors = () => {
       </button>
       <div v-show="configExpanded" class="ai-config-form">
         <p class="ai-config-hint">
-          Enter your API key to enable AI theme generation. It stays in your browser only.
+          Your API key is stored only on your device and is never sent to our servers or collected. It is used only to call the AI provider you choose.
+        </p>
+        <p class="ai-config-security">
+          We never collect or log your key. For stronger security, uncheck Remember so the key is not saved to disk (session only).
         </p>
         <div class="ai-config-row">
           <select v-model="provider" class="ai-config-select">
@@ -176,8 +181,10 @@ const downloadThemeColors = () => {
           </select>
           <input
             v-model="apiKey"
-            type="password"
-            class="ai-config-input"
+            type="text"
+            autocomplete="off"
+            spellcheck="false"
+            class="ai-config-input ai-config-key-input"
             placeholder="API Key"
             @keydown.enter="handleSaveConfig"
           />