title: Privacy Model
description: Git as source of truth. Indexer stores metadata only. Content fetched via your GitHub token.
Privacy Model
dkod's privacy model is load-bearing — it's the reason teams can adopt dkod without a security review that takes months.
Core principle
Transcripts never leave your git host.
Trust boundary
┌─────────────────────────────────────────────────┐
│  Your git host (GitHub)                         │
│                                                 │
│  repo-a/refs/dkod/sessions/*  (full content)    │
│  repo-b/refs/dkod/sessions/*  (full content)    │
│  repo-c/refs/dkod/sessions/*  (full content)    │
└──────────────────────┬──────────────────────────┘
                       │
    GitHub App (read-only, installation token)
                       │  used for indexing only
                       ▼
┌─────────────────────────────────────────────────┐
│  dkod Indexer                                   │
│                                                 │
│  Persists: metadata, prompt summary, embeddings │
│  Evicts:   full transcripts after embedding     │
└──────────────────────┬──────────────────────────┘
                       │
                       ▼
┌─────────────────────────────────────────────────┐
│  Team Dashboard (dkod.io)                       │
│                                                 │
│  On session open: fetches content live from     │
│  GitHub via the viewer's OAuth token            │
└─────────────────────────────────────────────────┘
Two tokens, two purposes
dkod uses two separate tokens with clear boundaries:
- GitHub App installation token — used by the indexer to read refs/dkod/* from your repos at indexing time. Generates the metadata + embeddings that power search. Never used to serve content to a viewer.
- User's GitHub OAuth token — used by the team dashboard at view time to fetch the full transcript and diff from GitHub. If the viewer can't see the repo through their own GitHub access, they can't see the session.
What the indexer stores
- Session ID, repo, author, timestamp
- File paths touched, commit SHAs
- Prompt summary (first line / truncated)
- Embeddings for search
What the indexer does NOT store
- Full transcripts
- Full diffs
- Secret values (redacted at capture time)
Content access
When a user opens a session in the team dashboard, the dashboard fetches the full content from GitHub using the viewer's OAuth token. This means:
- Access honors GitHub's permission model
- If the user can't see the repo, they can't see the session
- No cached content — always live from the source
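The view-time check described above, sketched in Python as an added example (not dkod's own code): the session ref is resolved through GitHub's Git refs endpoint with the viewer's token, and a refusal from GitHub is the access decision. Assumptions: the ref name refs/dkod/sessions/<session_id>, the record field names, and FakeGitHub with its tokens and placeholder SHA are constructed for illustration; the page does not describe how the transcript is stored under the ref, so the example stops at resolving it.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.github.com"

def github_get(url, token):
    """Real transport: GET as the viewer; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def open_session(record, viewer_token, get=github_get):
    """Resolve a session ref with the viewer's own token. Nothing is cached."""
    if not viewer_token:
        raise PermissionError("viewer has no GitHub OAuth token")
    # The index record holds metadata only: enough to locate the ref, no content.
    sid = urllib.parse.quote(record["session_id"], safe="")
    url = f"{API}/repos/{record['repo']}/git/ref/dkod/sessions/{sid}"
    status, body = get(url, viewer_token)
    if status in (401, 403, 404):
        # GitHub answers 404 for a private repo the token cannot see.
        raise PermissionError(f"GitHub refused access ({status})")
    if status != 200:
        raise RuntimeError(f"unexpected GitHub status {status}")
    return body["object"]["sha"]

class FakeGitHub:
    """Constructed stand-in for the GitHub API so the example runs offline."""
    def __init__(self):
        self.acl = {"acme/repo-a": {"tok-alice"}}         # constructed tokens
        self.refs = {"acme/repo-a": {"s-001": "0" * 40}}  # placeholder SHA

    def get(self, url, token):
        # path: /repos/<owner>/<repo>/git/ref/dkod/sessions/<id>
        parts = url[len(API):].split("/")
        repo, sid = f"{parts[2]}/{parts[3]}", parts[-1]
        sha = self.refs.get(repo, {}).get(sid)
        if token not in self.acl.get(repo, set()) or sha is None:
            return 404, None
        return 200, {"ref": f"refs/dkod/sessions/{sid}", "object": {"sha": sha}}
```

Because every open goes back to GitHub, removing a viewer's repo access takes effect on their next request, with no dashboard-side cache to invalidate.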
If the indexer is lost
Customers lose nothing. Session data lives in git. Re-install the GitHub App, re-index, and everything is back.
Redaction
Secrets are stripped from transcripts at capture time, before the git blob is written. See Redaction for details.