Repository encryption
Each repository has a randomly generated symmetric content key. Purpose-specific keys derived from that content key encrypt manifests, refs, Git pack chunks, pull request metadata, review state, comments, event payloads, and keyrings. Envelopes bind version, algorithm, key identifier, purpose, repo identifier, and object identifier as authenticated data.
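The envelope construction described above, as an added example (not the project's own code). It assumes AES-256-GCM as the algorithm, purpose keys derived from the content key by a single HKDF-Expand step with HMAC-SHA256, and a length-prefixed header as the associated data; the field names, the purpose labels and the values "repo-42", "epoch-1" and "refs/heads/main" are illustrative. The hypothetical `Open` takes the slot the client asked for, so that both a relabelled ciphertext and an intact envelope served for the wrong object are rejected:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the stored object. Every header field is fed to the AEAD as
// associated data; only Ciphertext is secret. Field names are constructed.
type Envelope struct {
	Version    uint8
	Alg        string // "AES-256-GCM"
	KeyID      string // which content key (epoch) was used
	Purpose    string // "manifest", "ref", "pack-chunk", ... (labels assumed)
	RepoID     string
	ObjectID   string
	Nonce      []byte
	Ciphertext []byte
}

// One HKDF-Expand block (HMAC-SHA256) over the content key; Extract is skipped since
// the key is already uniform (RFC 5869 allows this). Purpose is in the info, so keys never cross purposes.
func derivePurposeKey(contentKey []byte, repoID, purpose string) []byte {
	mac := hmac.New(sha256.New, contentKey)
	mac.Write([]byte("purpose-key|" + repoID + "|" + purpose))
	mac.Write([]byte{0x01}) // HKDF-Expand block counter
	return mac.Sum(nil)     // 32 bytes = AES-256 key
}

// aad length-prefixes each header field so distinct headers never encode alike (labels < 64 KiB).
func aad(e *Envelope) []byte {
	out := []byte{e.Version}
	for _, f := range []string{e.Alg, e.KeyID, e.Purpose, e.RepoID, e.ObjectID} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

func newGCM(contentKey []byte, repoID, purpose string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(derivePurposeKey(contentKey, repoID, purpose))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for one (repo, purpose, object) slot.
func Seal(contentKey []byte, keyID, repoID, purpose, objectID string, plaintext []byte) (*Envelope, error) {
	e := &Envelope{Version: 1, Alg: "AES-256-GCM", KeyID: keyID,
		Purpose: purpose, RepoID: repoID, ObjectID: objectID}
	gcm, err := newGCM(contentKey, repoID, purpose)
	if err != nil {
		return nil, err
	}
	e.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, aad(e))
	return e, nil
}

// Open checks that the header equals the slot the client asked for (intact envelope for
// another object: rejected) and that the tag verifies over that header (relabelled envelope: rejected).
func Open(contentKey []byte, e *Envelope, repoID, purpose, objectID string) ([]byte, error) {
	if e.Version != 1 || e.Alg != "AES-256-GCM" {
		return nil, errors.New("unsupported envelope version or algorithm")
	}
	if e.RepoID != repoID || e.Purpose != purpose || e.ObjectID != objectID {
		return nil, errors.New("envelope header does not match requested slot")
	}
	gcm, err := newGCM(contentKey, repoID, purpose)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed nonce")
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, aad(e))
	if err != nil {
		return nil, errors.New("envelope authentication failed")
	}
	return pt, nil
}

func main() {
	contentKey := make([]byte, 32) // constructed: the repo's random content key
	rand.Read(contentKey)
	env, _ := Seal(contentKey, "epoch-1", "repo-42", "ref", "refs/heads/main", []byte("0123abcd"))
	env.ObjectID = "refs/heads/release" // relabelled by an untrusted server
	_, err := Open(contentKey, env, "repo-42", "ref", "refs/heads/release")
	fmt.Println("relabelled envelope:", err)
}
```

The two checks in `Open` are complementary: the associated data stops a server from rewriting the header of a ciphertext it cannot read, and the comparison against the requested slot stops it from answering a request for one object with a genuine envelope of another. The explicit nonce-length check matters because Go's GCM implementation panics, rather than returning an error, on a nonce of the wrong size.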
Device keys and key epochs
Each device has a signing key and a key-agreement/unwrapping key. Repo content keys are wrapped to authorized device public keys. Keyring changes are signed protocol objects, and encrypted keyring snapshots record authorized devices, revoked devices, wrapped repo keys, the current key epoch, and keyring event heads.
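Wrapping a repo content key to device keys and rotating the key epoch on revocation, as an added example that is not the project's code. It assumes X25519 for the device key-agreement key, an ephemeral-static Diffie-Hellman wrap with the shared secret hashed (SHA-256) together with both public keys into an AES-256-GCM key, and the repo, epoch and device identifiers bound as associated data; the `Keyring` struct, the label "repo-key-wrap|" and the field names are constructed. The device signing key, the encryption of the snapshot itself and the signed change object are left out:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrappedKey: one repo content key wrapped to one device (ephemeral X25519 public key plus AES-256-GCM box).
type WrappedKey struct {
	DeviceID  string
	Epoch     uint64
	Ephemeral []byte
	Nonce     []byte
	Box       []byte
}

// wrapAEAD hashes the X25519 shared secret with both public keys (the usual way to get a uniform key from raw DH).
func wrapAEAD(shared, ephPub, devPub []byte) cipher.AEAD {
	h := sha256.New()
	h.Write([]byte("repo-key-wrap|")) // domain separation label (constructed)
	h.Write(shared)
	h.Write(ephPub)
	h.Write(devPub)
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapAAD binds the box to repo, epoch and device (no re-homing, no epoch replay).
func wrapAAD(repoID string, epoch uint64, deviceID string) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", repoID, epoch, deviceID))
}

// WrapTo wraps contentKey to one authorized device's unwrapping public key.
func WrapTo(repoID string, epoch uint64, deviceID string, devPub *ecdh.PublicKey, contentKey []byte) (*WrappedKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devPub)
	if err != nil {
		return nil, err
	}
	w := &WrappedKey{DeviceID: deviceID, Epoch: epoch, Ephemeral: eph.PublicKey().Bytes()}
	gcm := wrapAEAD(shared, w.Ephemeral, devPub.Bytes())
	w.Nonce = make([]byte, gcm.NonceSize())
	rand.Read(w.Nonce) // crypto/rand.Read does not fail on supported platforms
	w.Box = gcm.Seal(nil, w.Nonce, contentKey, wrapAAD(repoID, epoch, deviceID))
	return w, nil
}

// Unwrap recovers the content key with the device's private X25519 key.
func Unwrap(repoID string, devPriv *ecdh.PrivateKey, w *WrappedKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := devPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm := wrapAEAD(shared, w.Ephemeral, devPriv.PublicKey().Bytes())
	if len(w.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed nonce")
	}
	return gcm.Open(nil, w.Nonce, w.Box, wrapAAD(repoID, w.Epoch, w.DeviceID))
}

// Keyring: logical content of a keyring snapshot (snapshot encryption, change signing and signing keys omitted).
type Keyring struct {
	RepoID     string
	Epoch      uint64
	Authorized map[string]*ecdh.PublicKey
	Revoked    map[string]bool
	Wrapped    map[string]*WrappedKey // wraps of the current epoch's key only
	ContentKey []byte                 // known to authorized clients, never stored in clear
}

// Revoke removes a device, rotates to a fresh content key under the next epoch and rewraps only to
// the devices that remain: the revoked device keeps what it unwrapped but reads nothing written from now on.
func (k *Keyring) Revoke(deviceID string) error {
	if _, ok := k.Authorized[deviceID]; !ok {
		return fmt.Errorf("device %q is not authorized", deviceID)
	}
	delete(k.Authorized, deviceID)
	k.Revoked[deviceID] = true
	k.Epoch++
	k.ContentKey = make([]byte, 32)
	rand.Read(k.ContentKey)
	k.Wrapped = map[string]*WrappedKey{}
	for id, pub := range k.Authorized {
		w, err := WrapTo(k.RepoID, k.Epoch, id, pub, k.ContentKey)
		if err != nil {
			return err
		}
		k.Wrapped[id] = w
	}
	return nil
}
```

Note what rotation does and does not achieve: objects written under the new epoch are unreadable to the revoked device, but anything it already decrypted under the old epoch stays with it; the epoch recorded in each envelope's `KeyID` is what lets a client pick the right unwrapped key, and the epoch in the wrap's associated data is what stops an old wrap from being passed off as the current one.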
Signed write model
Every mutating action emits a signed event: pushes, ref updates, pull request changes, comments, reviews, merge intents, keyring changes, runner registration, and job acceptance. Events include previous event identifiers so clients can detect truncation, replay, and equivocation.
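The signed event chain and the client-side checks it enables, as an added example that is not the project's code. It assumes Ed25519 device signatures, an event identifier that is the SHA-256 of the canonical JSON encoding plus the signature, and the convention that `Prev[0]` is the signing device's own previous event (later entries being other heads it had seen); the `Event` fields, `VerifyLog` and the values "repo-42" and "dev-a" are constructed. A verifier that remembers the last head it accepted can then refuse a shortened log (truncation), a foreign or dangling history (replay), and two different successors signed by one device for the same predecessor (equivocation):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is one signed mutating action. Prev[0] is the signing device's own
// previous event (absent for its first one); later entries are other heads it
// had seen. Sig covers the canonical encoding of every other field.
type Event struct {
	Repo    string   `json:"repo"`
	Type    string   `json:"type"` // "push", "ref-update", "comment", ...
	Device  string   `json:"device"`
	Prev    []string `json:"prev"`
	Payload string   `json:"payload"` // opaque; in practice an encrypted envelope
	Sig     []byte   `json:"sig,omitempty"`
}

// signedBytes is the canonical form: encoding/json writes struct fields in
// declaration order, so equal events always encode identically.
func (e *Event) signedBytes() []byte {
	c := *e
	c.Sig = nil
	b, _ := json.Marshal(c)
	return b
}

// ID is the hex SHA-256 over the signed bytes and the signature.
func (e *Event) ID() string {
	h := sha256.New()
	h.Write(e.signedBytes())
	h.Write(e.Sig)
	return hex.EncodeToString(h.Sum(nil))
}

func Sign(sk ed25519.PrivateKey, e *Event) { e.Sig = ed25519.Sign(sk, e.signedBytes()) }

// VerifyLog checks a server-supplied event sequence for one repo against the
// devices the client trusts and the head it remembered from its last sync.
// It rejects events from unknown devices or with bad signatures, events
// replayed from another repo, dangling prev links, truncation (the remembered
// head is missing from what the server now serves) and equivocation (one
// device signing two different successors to its own previous event, i.e.
// showing different histories to different readers). It returns the new head.
func VerifyLog(repoID string, trusted map[string]ed25519.PublicKey, events []*Event, rememberedHead string) (string, error) {
	seen := map[string]bool{}
	successor := map[string]string{} // device|own-prev -> event id
	head := ""
	for i, e := range events {
		pk, ok := trusted[e.Device]
		if !ok {
			return "", fmt.Errorf("event %d: unknown device %q", i, e.Device)
		}
		if e.Repo != repoID || !ed25519.Verify(pk, e.signedBytes(), e.Sig) {
			return "", fmt.Errorf("event %d: wrong repo or bad signature", i)
		}
		for _, p := range e.Prev {
			if !seen[p] {
				return "", fmt.Errorf("event %d: prev %s not in log", i, p)
			}
		}
		own := "" // fork point for the equivocation check
		if len(e.Prev) > 0 {
			own = e.Prev[0]
		}
		id := e.ID()
		if other, dup := successor[e.Device+"|"+own]; dup && other != id {
			return "", fmt.Errorf("event %d: equivocation by %q", i, e.Device)
		}
		successor[e.Device+"|"+own] = id
		seen[id] = true
		head = id
	}
	if rememberedHead != "" && !seen[rememberedHead] {
		return "", fmt.Errorf("log truncated: remembered head %s missing", rememberedHead)
	}
	return head, nil
}

func main() {
	pub, sk, _ := ed25519.GenerateKey(rand.Reader) // constructed device key
	trusted := map[string]ed25519.PublicKey{"dev-a": pub}
	e1 := &Event{Repo: "repo-42", Type: "push", Device: "dev-a", Payload: "pack-1"}
	Sign(sk, e1)
	e2 := &Event{Repo: "repo-42", Type: "ref-update", Device: "dev-a", Prev: []string{e1.ID()}, Payload: "main->abc"}
	Sign(sk, e2)
	head, err := VerifyLog("repo-42", trusted, []*Event{e1, e2}, "")
	fmt.Println("head:", head, err)
	_, err = VerifyLog("repo-42", trusted, []*Event{e1}, head) // server dropped e2
	fmt.Println("shortened log:", err)
}
```

Two design points are worth noting. The event identifier covers the signature as well as the content, so a device cannot produce two events with the same identifier but different signatures, and an exact duplicate of an already-seen event is simply a no-op rather than a fork. Truncation is only detectable because the client persists the head it last accepted; a client that stores nothing between syncs has no basis on which to notice a shortened log.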
Operational constraints
- Browser-delivered JavaScript is not the preferred root of trust.
- The credible first secure clients are signed native apps and a CLI.
- Bring-your-own CI runners decrypt only on customer-controlled infrastructure.
- Hosted CI requires a separate trust model and is deferred.