MolForge is a client-side only application. It runs entirely in your browser. Your compound data never leaves your machine unless you explicitly export it.

• Local only. All compound data is stored in two places: the HTML file itself (when you click 💾 Save) and your browser's IndexedDB cache. Nothing is sent to any server.
• No telemetry. MolForge does not track usage or report analytics.
• No accounts. There is no login, no session, no cloud sync.

The app makes network requests only at startup, to CDN-hosted JavaScript libraries:

• React, React-DOM (unpkg.com)
• Babel standalone (unpkg.com)
• RDKit.js WASM (unpkg.com)
• OpenChemLib (unpkg.com)
• TensorFlow.js (jsdelivr / unpkg)
• SheetJS (xlsx) (jsdelivr / unpkg)
• jsPDF (jsdelivr / unpkg)

For a fully offline copy, use Import / Export → Share / Save → Create Portable Version, which downloads every dependency and inlines them into a single self-contained HTML file.

If you discover a security issue (e.g., a prompt injection vector, XSS in the structure editor, or any data-leakage path), please open a private security advisory via GitHub's "Security" tab rather than a public issue.

• The <script id="molforge-data"> tag contains only the 25 whitelisted public drug compounds (EGFR, BCR-ABL, VEGFR, JAK, BTK, CDK/ALK, COX-1 inhibitor series) — not your private dataset
• No screenshots under docs/screenshots/ contain confidential SMILES or assay values
• No exported CSV/XLSX/JSON/SDF files are staged for commit
• No .env or credentials files are present
• The CI job verify-no-compound-data passes locally (it also runs automatically on every push/PR)

To reset the demo data back to the whitelisted 10 compounds after testing with your own data, check out molforge_database.html from the last clean commit:

git checkout origin/main -- molforge_database.html