RepoFold
← Back to RepoFold

Security and privacy

RepoFold reads code to write documentation about it. That only works if you can verify how the code is handled, so this page states the mechanisms precisely. Every claim below describes how the system is built, not a policy aspiration.

Read-only GitHub accessGitHub App scopes: contents and metadata, read only. You pick the repositories; revoke on GitHub at any time.
Source is not retainedFiles are processed in encrypted temporary job storage and deleted when the indexing job finishes.
AES-256-GCM at restGitHub credentials and in-flight source files are encrypted with AES-256-GCM before they touch storage.
Keys stored as hashesAPI keys and public share tokens are stored as one-way SHA-256 hashes. A key is shown once and cannot be recovered.
Signed webhooksGitHub webhooks are verified with HMAC-SHA256 and constant-time comparison before a single byte is processed.
No third-party scriptsA strict Content-Security-Policy allows scripts from this origin only. No trackers, no analytics beacons, no CDNs.

How your source flows through the system

  1. You install the GitHub App on the repositories you choose. The installation grants read-only access to contents and metadata, nothing else.
  2. An indexing job downloads the repository at a pinned commit and writes files into temporary job storage, encrypted with AES-256-GCM.
  3. The pipeline extracts structure (symbols, imports, dependency graph) and sends selected excerpts to the AI subprocessor to generate cited documentation.
  4. When the job finishes, the temporary source is deleted. A 24-hour infrastructure lifecycle policy is the cleanup backstop in production.
  5. What remains: the generated wiki, file hashes, language and symbol metadata, and summaries, so unchanged files cost nothing to re-index. Raw source files are not retained in the application database.

The in-app code viewer and citation previews fetch pinned blobs live from GitHub at the moment you open them, using your own installation's access.

Credentials and tokens

  • GitHub tokens are encrypted with AES-256-GCM before being stored.
  • MCP API keys are stored as SHA-256 hashes with only the last four characters kept for display. The full key is shown exactly once at creation.
  • Public share links use one-way hashed tokens in storage and can be rotated or disabled by the repository owner at any time.
  • Incoming GitHub webhooks must carry a valid HMAC-SHA256 signature, checked with a constant-time comparison.

Transport and browser protections

All traffic is TLS with HSTS enabled. Responses carry a strict Content-Security-Policy (scripts and connections limited to this origin), X-Frame-Options DENY against clickjacking, nosniff content-type enforcement, and a no-referrer policy. You can verify every header yourself in your browser's developer tools or with any public header-scanning service; they are set on every response.

All costly endpoints are rate limited per user, and documentation generation runs under per-account token budgets and concurrency limits.

AI subprocessor

Selected source excerpts and derived repository context are sent to DeepSeek to generate and verify documentation. RepoFold does not claim that this processing is zero-knowledge or that its systems cannot access code while an indexing job is running. If that boundary does not fit your threat model, do not connect the repository.

Deletion

Deleting a repository removes its generated wiki, analysis metadata, history, shares and usage records in one cascade. Uninstalling the GitHub App revokes RepoFold's access entirely, on GitHub's side.