# security

Is git-to-x safe? Security & your GitHub data.

Connecting a repo to a third-party service is a legitimate concern. Here is exactly what we access, how it works, and the enforced guarantees — not promises.

Read-only. GitHub enforces it.

The GitHub App requests exactly two permissions:

contents: read     # commit history only
metadata: read     # repo name, visibility

GitHub's permission system makes these scopes hard-limited. We could not push, merge, create, or delete anything in your repo even if we wanted to. GitHub itself enforces that — it is not a configuration on our end that we could change at will.

You see these exact scopes on the GitHub App install screen. You can revoke access in one click at any time from github.com/settings/installations. No email, no support ticket required.

Your code never touches our servers.

We use GitHub's GraphQL API to fetch only commit stats and metadata: additions, deletions, the commit message, the SHA, timestamp, and a changed-file count. No file contents, no diffs — ever.

# What we query via GitHub GraphQL:
additions    # lines added (a number)
deletions    # lines removed (a number)
message      # your commit message

# What we never request:
blob         # file contents
patch        # diff text
tree         # directory listing

The diff bytes — your actual code — are never transferred to our servers, never stored, and never logged. We ask GitHub for numbers; it returns numbers.

This is enforced in code. The guard test that asserts no blob or patch fields are selected lives in the open-source repo:

packages/clients/src/github.test.ts →

One repo. Your choice.

When you install the GitHub App, GitHub offers two options: grant access to all repositories or to only select repositories. Choose only select repositories and pick the single repo you want to post from. git-to-x works with one repo per account by design — V1 is intentionally single-repo, so there is nothing else to expose.

You can change which repo is connected, or remove access entirely, at any time without contacting us.

Your tokens are encrypted.

Your X OAuth tokens (access + refresh) are encrypted at rest using libsodium sealed boxes before being written to the database. The encryption key lives in the deployment environment and never touches the database itself.

CLI and MCP editor tokens are stored as SHA-256 hashes. The plaintext token is shown to you exactly once at generation time and is never stored or retrievable.

Open source. Audit it yourself.

The full codebase is published under AGPL-3.0. You can read every line, fork it, and self-host it.

github.com/ManojSurya/git-2-x →

The GitHub App manifest, the GraphQL query, the token encryption helpers, and the full posting pipeline are all in there. Nothing is hidden behind a closed SDK.