Encryption
All secrets stored in Driftless are encrypted with AES-256-GCM before they reach the database. This includes:
- API keys
- Webhook secrets
- GitHub App credentials
- Model provider keys (BYOM)
API keys
API keys are the primary authentication mechanism for the CLI and CI.
- Keys are generated with a `drift_` prefix for easy identification
- The raw key is shown only once at creation time
- Keys are stored as salted hashes; the raw value cannot be recovered
- Keys can be revoked at any time from the dashboard
- Multiple keys per workspace are supported
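The key lifecycle listed above (prefixed key, shown once, stored only as a salted hash, revocable, several per workspace) can be sketched as follows. This is an added example, not Driftless's own code: the `KeyStore` class, the key id, the token length, and the choice of salted SHA-256 are assumptions; only the `drift_` prefix and the listed behaviours come from this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PREFIX = "drift_"  # prefix named on the page; everything else here is assumed

@dataclass
class KeyRecord:
    workspace: str
    salt: bytes
    digest: bytes
    revoked: bool = False

def _digest(salt: bytes, raw_key: str) -> bytes:
    # Salted SHA-256 is an assumption; it is adequate only because the key
    # itself carries 256 bits of randomness (unlike a human password).
    return hashlib.sha256(salt + raw_key.encode()).digest()

class KeyStore:
    def __init__(self):
        self.records = {}  # hypothetical key id -> KeyRecord (no raw keys)

    def create(self, workspace: str) -> Tuple[str, str]:
        """Return (key_id, raw_key); the raw key is returned once, never stored."""
        key_id = secrets.token_hex(4)
        raw_key = PREFIX + secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.records[key_id] = KeyRecord(workspace, salt, _digest(salt, raw_key))
        return key_id, raw_key

    def revoke(self, key_id: str) -> None:
        self.records[key_id].revoked = True

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the owning workspace, or None if the key is unknown or revoked."""
        if not presented.startswith(PREFIX):
            return None
        match = None
        for rec in self.records.values():
            # Constant-time comparison; every record is checked even after a hit.
            ok = hmac.compare_digest(rec.digest, _digest(rec.salt, presented))
            if ok and not rec.revoked:
                match = rec.workspace
        return match
```

Because only the salt and digest are kept, a lost key cannot be re-displayed; it has to be revoked and replaced.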
Data handling
| Data | Storage | Encryption |
|---|---|---|
| Topic content | Postgres | At rest (Supabase) |
| API keys | Postgres (hashed) | Hashed + encrypted |
| GitHub tokens | Postgres | AES-256-GCM |
| Scan results | Postgres | At rest (Supabase) |
| Source code | Never stored | N/A |
GitHub App permissions
The GitHub App requests the minimum permissions required:

| Permission | Why |
|---|---|
| Contents (read) | Fetch list of changed files per commit |
| Pull requests (read & write) | Post and update context comments |
| Issues (read & write) | PR comments use the Issues API |
| Metadata (read) | Required by GitHub for all apps |
Network
- All traffic between CLI, dashboard, and API is HTTPS
- API keys are sent in `x-api-key` headers, never in URL parameters
- Webhook payloads are verified with HMAC signatures
- The API runs on Render with encrypted environment variables