A free, open source, privacy-focused, self-hosted programming time tracker. Record how much time you spend programming, on which projects, with which languages and editors.
The backend is written in Rust using the Axum framework, with PostgreSQL as the database, Redis for real-time data and cache, and a vanilla JavaScript frontend with native ES modules.
IDE extensions (VS Code, Neovim, etc.) send heartbeats via POST to /api/v1/heartbeat with data such as project, file, language, and editor. The backend stores them and updates statistics in real time.
Users see their activity on a live dashboard connected via WebSocket. There are weekly global leaderboards stored in Redis, and a JavaScript Plugin system that allows the community to add panels to the dashboard without recompiling anything, or share their plugins for free in the Plugin Store, running in a QuickJS sandbox on the server or directly in the browser.
It also has customizable CSS themes, authentication via GitHub/GitLab/Anonymous accounts, data export, and Stripe support for the Pro Cloud plan.
| VS Code | Cursor | Windsurf | VSCodium |
|---|---|---|---|
| CodeSandbox | Eclipse | Neovim | StackBlitz |
All product names, logos, and brands are property of their respective owners.
CodeTrackr is designed from the ground up to grow with the people who use it. We don't want CodeTrackr — or its code — to be limited by us. The community shapes what CodeTrackr becomes.
You don't need to fork this repo or contribute code directly to make CodeTrackr yours. You can:
- Build an IDE extension for any editor you use — if it can make an HTTP request, it can send heartbeats. See the IDE Integration docs →
- Create a dashboard plugin — add any panel, chart, or widget to the CodeTrackr UI using plain JavaScript, no build step required. Share it in the Plugin Store for free. See the Plugin docs →
- Publish a theme — customize every color and share your look with the community. See the Themes docs →
CodeTrackr is not a product you use. It's infrastructure you own and extend.
The full official documentation covers everything: IDE extension APIs, plugin development, lifecycle hooks, the theme system, and the full REST API reference.
CodeTrackr is an open platform — and that comes with responsibility. This section documents known security considerations and the current state of mitigations.
Dashboard plugins run as plain JavaScript inside a new Function() call in the user's browser. The script receives a container DOM element and a token scoped to the authenticated user. While plugins cannot access application-level variables, they do run in the same browser context with full access to standard Web APIs.
Current priority: eval and dynamic code execution in IDE extensions
The risk we are most focused on right now is the possibility of someone publishing an IDE extension — or a dashboard plugin — that uses eval(), Function(), or similar dynamic execution patterns to run arbitrary or obfuscated code. This is a known attack vector that could be used to exfiltrate API keys or tokens from users who install a malicious extension.
We are actively working to address this. Possible mitigations under consideration include:
- Statically analyzing plugin scripts server-side before they are accepted into the Plugin Store
- Blocking or flagging submissions that contain eval, Function(, setTimeout(string, setInterval(string, or dynamic import()
- Restricting certain JavaScript syntax patterns at publish time to reduce the attack surface for core security
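A minimal version of the publish-time pattern check listed above, as an added example rather than CodeTrackr's own code. The function names, rule ids and sample plugins are assumptions made for illustration.

```javascript
// Added example (not CodeTrackr code): publish-time check for the listed patterns.
// The raw text is scanned, comments and strings included. A hit inside a comment
// costs a reviewer one look; a lexer that mis-tracks a quote could hide real code.
const RULES = [
  { id: "eval", re: /(?<![\w$])eval\s*\(/g },
  // Case-sensitive: matches `Function(` and `new Function(`, not `function (`.
  { id: "function-constructor", re: /(?<![\w$])Function\s*\(/g },
  // Timer whose first argument starts with a quote or backtick, i.e. a code string.
  { id: "timer-string", re: /(?<![\w$])set(?:Timeout|Interval)\s*\(\s*["'`]/g },
  // Dynamic import(...); a static `import x from "y"` has no parenthesis here.
  { id: "dynamic-import", re: /(?<![\w$.])import\s*\(/g },
];

function scanPlugin(source) {
  const lines = source.split("\n");
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length; // 1-based
      findings.push({ rule: id, line, text: lines[line - 1].trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

function reviewSubmission(source) {
  const findings = scanPlugin(source);
  return { verdict: findings.length ? "flag" : "accept", findings };
}

// Constructed sample plugin bodies (container and token are supplied by the host).
const BENIGN = `
const evaluate = function (n) { return n * 2; };
setTimeout(() => { container.textContent = evaluate(21); }, 100);
`;

const SUSPECT = `
setInterval("tick()", 1000);
const f = new Function("t", "return t");
import("./extra.js").then(m => m.run(eval (token)));
`;

console.log(reviewSubmission(BENIGN).verdict, reviewSubmission(SUSPECT).findings);
```

A pattern pass only sees direct use, so a clean result is triage ahead of review rather than proof that a script is safe.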
This is an evolving area. If you discover a security vulnerability, please report it privately before disclosing it publicly.
Server-side lifecycle plugins run inside an isolated QuickJS sandbox with no network, filesystem, or OS access. Memory is capped at 16 MB and execution times out at 15 seconds. SQL access is restricted to a whitelist of tables and allowed commands only. These constraints significantly limit the blast radius of a malicious lifecycle plugin.
If you find a security issue in CodeTrackr, please open a private issue or contact the maintainer directly before making it public. We take security reports seriously and will respond promptly.
This project was developed with assistance from Claude. The code was reviewed and adapted by me.






