> For the complete documentation index, see [llms.txt](https://pharaoh.so/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pharaoh.so/docs/concepts/security.md). # Security Pharaoh is hosted infrastructure — no packages on developer machines, no transitive dependencies to audit, no supply chain attack surface. If Pharaoh gets a vulnerability, we remediate server-side. You do nothing. ## No source code stored The knowledge graph contains function names, file paths, dependency edges, complexity scores, export signatures, and function body hashes. Source code is read during parsing, used to generate the graph in memory, then discarded. The graph is a table of contents, not the book. ## Read-only GitHub access Pharaoh cannot write to your repository, push commits, or modify code. The GitHub App requests repository contents (read) and metadata (read). No write access. Ever. ## Per-tenant isolation Dual-layer defense protects tenant data: 1. **Cypher repo-anchoring:** Every Neo4j query starts from a repo node owned by the requesting tenant. Queries cannot traverse to repos belonging to other tenants. CI enforces this — every new query is automatically tested for isolation violations. 2. **Application-level ownership checks:** Before every tool call, Pharaoh validates that the requested repo belongs to the tenant's Postgres `tenant_repos` records. This check runs independently of the graph query. Both layers must fail for cross-tenant data access. All tenants share one database — isolation is enforced entirely at the application layer, verified by CI on every push. ## Encrypted at rest GitHub tokens and sensitive graph properties (function signatures, JSDoc, API routes) are encrypted with AES-256-GCM using HKDF per-tenant derived keys. Each token uses a unique random initialization vector. Compromising one tenant's key does not expose others. ## GitHub-based access control Remove someone from your GitHub org and their Pharaoh access revokes within minutes. No API tokens to rotate, no credentials on developer machines. Org membership is re-verified on every token refresh. Session cache TTL is 5 minutes. Tenant suspension is immediate — all cached sessions are evicted instantly. ## Open source parser The parser that reads your code is [fully auditable](https://github.com/Pharaoh-so/pharaoh-parser). You can verify exactly what structural metadata gets extracted before installing the GitHub App. ## Account deletion Uninstall the GitHub App or delete your account: knowledge graph deleted, encrypted tokens destroyed, audit logs retained 90 days then purged. No lock-in. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pharaoh.so/docs/concepts/security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.