If you discover a security vulnerability in Gitrama, please do not open a public GitHub issue.

Instead, report it privately:

• Email: security@gitrama.ai
• Response time: We will acknowledge your report within 48 hours and provide a detailed response within 5 business days.
• Disclosure: We follow responsible disclosure. We will coordinate with you on timing before any public disclosure.

Gitrama reads data from your local Git repository to provide AI-powered commit messages, branch names, PR descriptions, and repository intelligence. Specifically:

Your API key (if using BYOK) is stored in plaintext in ~/.gitrama/config.json. We recommend setting file permissions to 600:

chmod 600 ~/.gitrama/config.json

Gitrama Hosted (default provider):

• Git diffs, file names, and commit history are sent to vast-connector.gitrama.io for AI processing.
• Data is processed in-memory only and never stored beyond the request lifecycle.
• Data is never used for model training.
• Connections use TLS 1.2+ encryption in transit.

BYOK Providers (OpenAI, Anthropic, Ollama):

• Data is sent directly to your chosen provider's API.
• Gitrama does not intermediate or log these requests.
• Refer to your provider's data handling policies.

Ollama (local):

• All data stays on your machine. Nothing is sent to any external server.

• Gitrama tokens (gtr_*) are SHA-256 hashed before storage in our database. We never store plaintext tokens server-side.
• Tokens are validated against our provisioning server with 1-hour caching to minimize network calls.
• Token validation uses TLS encryption in transit.
• Tokens can be revoked server-side at any time.

The gitrama-mcp server runs locally via stdio transport:

• It executes gtr CLI commands on your behalf.
• It does not open network ports (stdio transport).
• It does not have access to anything beyond what the gtr CLI can access.
• Token validation occurs at the CLI layer for every AI command.

For enterprise deployments, Gitrama offers:

• On-premise deployment — full stack runs in your VPC
• SSO/SAML integration — Okta, Azure AD, Google Workspace
• Audit logging — immutable trail of all AI actions
• Zero data retention — diffs processed in-memory, never persisted
• Custom model hosting — bring your own LLM, no data leaves your network

Contact enterprise@gitrama.ai for details.

Gitrama's core dependencies and their security posture:

We pin dependency versions in requirements.txt and review updates regularly.

1. Use BYOK or Ollama for sensitive repos. If your code is highly confidential, use your own API key or run Ollama locally.
2. Set file permissions on ~/.gitrama/config.json to prevent other users from reading your token.
3. Rotate tokens if you suspect compromise. Run gtr setup to generate a new token.
4. Use .gitignore to ensure .gitrama/ directory contents are not committed (the CLI does this automatically).
5. Review diffs before committing. Gitrama generates commit messages from your staged changes — always review the generated message before confirming.