Security

Built for private repositories and reviewable automation.

Moxie Docs connects to GitHub, reads the code in the repositories you select, generates documentation, exposes MCP-ready context, and opens docs-only pull requests when automation is enabled. It never commits to your code and never merges anything. Access stays scoped, credentials stay server-side, and every merge decision stays in your GitHub workflow.

Scoped GitHub connection

Moxie uses GitHub App installs so your team chooses exactly which repositories a workspace can reach. It never sees the repositories you do not select.

We never commit or merge

Moxie proposes documentation as pull requests on their own branch. It never pushes to your branches and never merges anything, so your team controls every merge.

Credentials never stored

GitHub access tokens are minted on demand for a single set of API calls and then discarded. They are never written to our database. MCP tokens you create are encrypted at rest.

Encrypted in transit and at rest

All traffic runs over TLS, and stored data, including indexed content and generated docs, is encrypted at rest by our infrastructure providers.

Focused AI context, no training

AI requests are assembled server-side from small, focused excerpts rather than your whole repository. Under our AI provider's API terms, your code is not used to train or improve their models.

Secret-aware indexing

The indexer skips common secret files, environment files, generated assets, dependency folders, binaries, and any paths excluded by your repository rules.

Workspace authorization

Workspace roles control who can reach repository docs, MCP context, settings, billing, and admin tools. Each workspace's data is isolated to its own organization.

Delete on your terms

Delete a repository or your entire account from settings and its indexed content, embeddings, and generated docs are removed. You can also pause automation at any time.

Operational monitoring

Webhook processing, indexing jobs, authentication, billing, and automation record operational events for debugging and internal audit trails.

Capabilities

Clear limits on what touches your code.

The GitHub connection is scoped to a narrow job: read the repos you pick, and propose docs as pull requests you review.

What Moxie does

  • Read the code and metadata in the repositories you select
  • Generate searchable docs, gap reports, and MCP context for your workspace
  • Open documentation pull requests on their own branch
  • Post review comments and advisory documentation checks on pull requests

What Moxie never does

  • Push to or commit on your existing branches
  • Merge any pull request, because you control every merge
  • Reach repositories you did not select
  • Access your organization members, secrets, or CI/CD pipelines
  • Use your private code to train AI models

Security FAQ

Common security questions.

The questions teams and security reviewers ask most before connecting a private repository.

Reporting a vulnerability

If you believe you have found a security vulnerability in Moxie Docs, please email contact@moxiedocs.com with steps to reproduce. We acknowledge reports as quickly as we can, investigate every submission, and will keep you updated on remediation. This program is also published at /.well-known/security.txt.

In scope: the Moxie Docs web app and API at moxiedocs.com, our GitHub App, our MCP server, and our Slack integration. We support good-faith research and will not pursue or support legal action against researchers who follow this policy, avoid privacy violations and service disruption, and give us reasonable time to fix an issue before public disclosure. We do not currently run a paid bug-bounty program.

Trust and legal documents

Our privacy policy, terms, and current subprocessor list cover data handling, retention, and the providers we use to run the service.

Contact

Evaluating Moxie Docs for a private or enterprise repo?

Email contact@moxiedocs.com for security questions, a data processing agreement, deployment plans, or a guided first-repo test.