Security & Trust
Exactly what Pharaoh accesses, stores, and protects.
WHAT PHARAOH ACCESSES
Read-Only Repository Access
Pharaoh cannot push commits, modify files, create branches, or open pull requests. The GitHub App requests two permissions: repository contents (read) and metadata (read). Webhook events on the default branch trigger re-mapping. No write access exists. Verify your permissions on GitHub.
Access Tied to Your GitHub Org
Your GitHub org membership is your Pharaoh access. Remove someone from your org, their access revokes within minutes. Org membership is re-verified on every token refresh. No API tokens to rotate, no credentials on developer machines, no .env files to manage.
WHAT PHARAOH STORES
The Knowledge Graph
Function names, file paths, import/export relationships, call chains, complexity scores, module boundaries. Structural metadata - how your code is organized, not what it does.
Sensitive properties - function signatures, documentation strings, and API route patterns - are encrypted with per-tenant keys (AES-256-GCM, HKDF key derivation). Opaque ciphertext in the database, readable only through the owning tenant's derived key.
Source code is read during parsing, used to build the graph in memory, then discarded. The graph is a table of contents, not the book.
What Is NOT in the Graph
- Source code or file contents
- Variable values, string literals, or implementation logic
- Secrets, environment variable values, or credentials
- Git history or commit messages
- Pull request content or issue content
GitHub API (read-only clone) → Parser (in-memory only) → Graph DB (metadata only) → MCP Tools (query interface) → Your AI (Claude, Cursor, etc.)
Source code never persists. Read, parsed into structural metadata, discarded.
HOW DATA IS PROTECTED
Tenant Isolation
Two independent layers. First: every graph query starts from your repositories - structurally impossible to traverse into another tenant's data (Cypher repo-anchoring). Second: before any query runs, Pharaoh verifies your repository ownership against a separate database (Postgres ownership check). Both layers must fail simultaneously for cross-tenant access. CI enforces this - every new query is automatically tested for isolation violations.
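One way to realise the two layers described above, as an added example that is not Pharaoh's code. The graph schema (`:Repo {name: $repo}`), the in-memory ownership table standing in for the Postgres check, and all function names are assumptions; the regex check is a heuristic of the kind a CI job could run over every query string.

```javascript
// Assumed anchor: every query opens with MATCH (r:Repo {name: $repo}).
const ANCHOR = /^\s*MATCH\s*\(\s*\w*\s*:Repo\s*\{\s*name\s*:\s*\$repo\s*\}\s*\)/i;

// Layer 1 (CI-time, heuristic): list the ways a query could leave the anchored subgraph.
function isolationViolations(cypher) {
  const problems = [];
  if (!ANCHOR.test(cypher)) problems.push('first clause is not anchored on (:Repo {name: $repo})');
  // Comma-joined patterns start a second, disconnected traversal.
  if (/\)\s*,\s*\(/.test(cypher)) problems.push('comma-joined pattern is not connected to the anchor');
  const clause = /\bMATCH\s*\(\s*(\w*)\s*([:{]?)/gi;
  let m;
  let first = true;
  while ((m = clause.exec(cypher)) !== null) {
    if (first) { first = false; continue; } // the opening clause was checked above
    const [, name, decl] = m;
    const before = cypher.slice(0, m.index);
    const bound = name !== '' && new RegExp(`[(]\\s*${name}\\b`).test(before);
    // A later MATCH may only continue from a variable that is already bound.
    if (decl !== '' || !bound) problems.push(`MATCH at offset ${m.index} opens a new entry point`);
  }
  return problems;
}

// Layer 2 stand-in: constructed ownership table (the page keeps this in Postgres).
const OWNERSHIP = new Map([['acme/api', 'tenant-a'], ['globex/web', 'tenant-b']]);

// Runs before any query: ownership first, then the anchoring check.
function authorizeQuery(tenantId, repo, cypher, params = {}) {
  if (OWNERSHIP.get(repo) !== tenantId) throw new Error('ownership check failed');
  const problems = isolationViolations(cypher);
  if (problems.length > 0) throw new Error(problems.join('; '));
  // $repo is always taken from the verified value, never from caller-supplied params.
  return { cypher, params: { ...params, repo } };
}
```
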
Encryption
GitHub tokens: Encrypted at rest with AES-256-GCM and per-tenant derived keys (HKDF). Unique random initialization vector per token. Compromising one tenant does not expose others.
Graph properties: Function signatures, documentation strings, and API route patterns - encrypted per-tenant (AES-256-GCM). Opaque ciphertext in the database, readable only through the owning tenant's key.
In transit: TLS on all connections. The server refuses to start without an encryption key configured.
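The per-tenant scheme described above (HKDF-derived keys, AES-256-GCM, a unique random IV per value), sketched with Node's built-in crypto module as an added example that is not Pharaoh's code. The master key, the HKDF info layout, the storage format and the function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: a single 32-byte master key from server configuration.
// Constructed at random here so the example runs offline.
const MASTER_KEY = crypto.randomBytes(32);

// HKDF-SHA256: one 256-bit key per (purpose, tenant) pair.
function deriveTenantKey(masterKey, tenantId, purpose) {
  if (!Buffer.isBuffer(masterKey) || masterKey.length !== 32) {
    throw new Error('encryption key not configured'); // fail closed
  }
  const info = Buffer.from(`${purpose}:${tenantId}`, 'utf8');
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// AES-256-GCM with a fresh random 96-bit IV for every stored value.
// Assumed storage format: base64(iv || tag || ciphertext).
function encryptForTenant(masterKey, tenantId, purpose, plaintext) {
  const key = deriveTenantKey(masterKey, tenantId, purpose);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the blob was written under another tenant's key or was modified.
function decryptForTenant(masterKey, tenantId, purpose, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const key = deriveTenantKey(masterKey, tenantId, purpose);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// True when a read with the given tenant's key is rejected.
function readIsRejected(masterKey, tenantId, purpose, blob) {
  try { decryptForTenant(masterKey, tenantId, purpose, blob); return false; }
  catch (err) { return true; }
}
```
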
Rate Limiting
Each tenant has independent rate limits (100 requests per minute, sliding window). One tenant's usage cannot affect another.
Infrastructure
Render (application hosting), Neo4j Aura (graph database), PostgreSQL on Render (operational data), Stripe (billing - card numbers never touch our servers), GitHub (authentication and repository access). All providers enforce encryption at rest and in transit.
Account Deletion
Uninstall the GitHub App or delete your account - knowledge graph gone, tenant data gone, encrypted tokens destroyed. Audit logs retained 90 days, then purged. No lock-in. Reconnecting re-maps from scratch.
IF PHARAOH GETS BREACHED
Exposed: Function names, file paths, module boundaries, dependency relationships, complexity scores. Structural metadata - how code is organized, not what it does.
Protected: Source code (never stored). GitHub tokens (encrypted per-tenant - one compromised tenant does not expose others). Function signatures, documentation strings, and API routes (encrypted with per-tenant derived keys). Cross-tenant data (query-level isolation prevents lateral movement).
Your action required: None. Pharaoh remediates server-side. No packages to update, no credentials to rotate, no patches to apply.
Common Questions
Does Pharaoh store my source code?
No. Source code is read during mapping, used to generate a structural graph in memory, then discarded. The graph stores function names, relationships, and module boundaries. Sensitive properties (signatures, docs, routes) are encrypted per-tenant.
Can Pharaoh write to my repository?
No. Read-only permissions only. Cannot push commits, modify files, create branches, or open pull requests. Verify this yourself on GitHub.
What happens when someone leaves the org?
Remove them from your GitHub org. Pharaoh access revokes within minutes. Org membership is re-verified on every token refresh. No tokens to rotate, no accounts to deactivate.
Who can see my data?
Members of your GitHub organization who authenticate through Pharaoh's OAuth flow. No one else. Tenant isolation is enforced at the query level - no API call, admin interface, or backdoor surfaces one tenant's data to another.
What happens when I disconnect?
Knowledge graph deleted. Tenant record and encrypted tokens removed. Reconnecting re-maps from scratch.