Frequently asked questions.
Answers to the questions teams ask before adopting Repotrix — from privacy and pricing to the MCP server. Click any question to expand its answer.
Privacy & Security
Code is the most sensitive thing a company owns. Here's exactly how we treat yours.
No. Your code is used at query time only — embedded into a private Pinecone namespace scoped to your repository and used to retrieve context for your own questions. We never send it to model-training pipelines, and Google's Gemini API does not train on prompts sent through the standard developer API (this is part of Google's terms of service for the API tier we use). PII and secrets are scrubbed before any data leaves your worker boundary.
Every file is scanned for hardcoded API keys, tokens, JWTs, AWS credentials, email addresses, and other sensitive patterns BEFORE chunking or embedding. Matches are replaced with [REDACTED] placeholders before the content is embedded. A SHA-256 hash of each match is stored as proof-of-scrub, and credentials and secrets (API keys, tokens, private keys, SSNs, cards) are masked to a non-recoverable suffix before storage — a working secret is never persisted. Lower-risk PII such as emails and IPs is kept verbatim only to populate the compliance audit view. Your VCS tokens and webhook secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC), with the key held in environment variables, never in the database.
Deleting a repository immediately cascades through every related table — documentation, diagrams, chat history, drift events, compliance audits, code graph, job statuses — all removed in a single transaction. The Pinecone namespace for that repo is purged in the same step. The deletion is enforced at the Postgres foreign-key level (ON DELETE CASCADE), so orphan rows are impossible even if a route handler bypasses our application layer.
Not in the public product today. The codebase is structured cleanly enough that a self-hosted deployment is feasible — three containers (FastAPI backend, ARQ worker, Next.js frontend) plus three managed dependencies (Postgres, Redis, a vector store of your choice). Reach out at contact@repotrix.ai if you need this; we'll discuss what an enterprise self-hosted offering would look like.
Not yet. Repotrix is a young product and we don't have SOC 2 attestation. What we DO have: encryption at rest for all secrets, row-level security in Postgres enforcing tenant isolation, comprehensive audit logging, PII scrubbing before any data leaves your boundary, encrypted backups, and a documented incident response process. If your procurement team needs a security questionnaire filled out, contact@repotrix.ai will work with you.
Pricing & Plans
Free tier, BYO Gemini, and what you actually pay for.
One repository (up to 200 files / 2 MB) analyzed in full on our platform key — documentation, health and security scan, three diagrams (architecture, dependency, sequence), and an onboarding roadmap — running on a fast Gemini Flash-Lite model. You also get 10 AI-chat messages and 1 regeneration per month, plus PR companion (5 reviews/month). A generous 250,000-token monthly budget sits underneath as a safety net. For larger repos, the full Gemini 3.5 Flash model, and unlimited chat / regenerations, paste your own Gemini key on the Billing page (free on Google's own tier) or upgrade. No credit card required on the Free tier.
Yes — and on paid plans it's required. Paste your Gemini API key on the Billing page and every LLM call for your organization bills to your own Google account, not ours. This is why paid plans offer unlimited usage with no token cap. We charge you a flat platform fee; you pay Google directly for the tokens you actually consume. Your key is encrypted at rest and never logged or surfaced back through the UI.
Yes. Paid plans are month-to-month with no commitment. Cancel from the Billing page and your account remains active until the end of your current billing period. Your existing repos stay in read-only mode after that until you renew or downgrade to Free. Nothing is deleted automatically; you can export your documentation as PDF before downgrading if you want a permanent record.
Yes. Paid is a single metered plan, not fixed tiers: ₹999/month + 18% GST (₹1,179/month all-in) includes 5 repositories, unlimited seats, shared org-level VCS tokens (so teammates don't each paste their own PAT), and team-wide token-usage visibility. Add repositories at ₹149/month each (plus GST), up to 30 — and because paid plans use your own Gemini key, token usage is unlimited and billed by Google directly. Beyond 30 repositories it's the Enterprise plan: unlimited repos and seats, SSO, an SLA, and a custom security questionnaire response. Contact contact@repotrix.ai for Enterprise pricing.
How it works
What's happening behind the scenes when you click 'Analyze.'
ChatGPT and Repotrix's chat use similar underlying technology, but with one critical difference: scope. ChatGPT answers from its training data — public internet text. Repotrix's chat answers from YOUR codebase, retrieved on-demand from your private vector index. Ask 'where does authentication happen' to ChatGPT and you'll get general advice; ask Repotrix and you'll get the exact file and function in your repository, with a citation you can click.
Gemini 3.5 Flash for all generation tasks (documentation, security analysis, diagrams, chat, onboarding, PR review). Gemini's gemini-embedding-001 for vector embeddings (3,072 dimensions). We chose Flash over Pro for the price-quality trade-off — Flash is ~10× cheaper per token and quality is more than sufficient for code analysis tasks. If a better model ships, our architecture lets us swap providers in a single file.
Sections are generated from your actual code retrieved via RAG against your repository's vector index. Each section is grounded in retrieved chunks, not hallucinated. The executive summary is extracted from the full document so the dashboard preview always matches the linked doc. Re-runs of the security analyzer use temperature=0 with strict prompt rules — the same commit hash produces the same report. The biggest accuracy risk is incomplete retrieval (missing relevant files) rather than fabrication.
A typical 50–200 file repository is fully indexed in 30–120 seconds end-to-end: clone, PII scrub, chunk, embed (in batches of 20 with rate-limit backoff), and Pinecone upsert. The post-ingest fan-out — documentation, security report, three diagrams (architecture, dependency, sequence), and the dashboard summary — runs in parallel after that and completes in another 60–120 seconds. The dashboard shows live progress for both phases, and you can navigate away and come back without losing progress.
When you enable drift detection, we generate a per-repo HMAC secret and a webhook URL. You paste both into your GitHub repo's webhook settings. Every push fires the webhook; we verify the HMAC signature, diff the changed files against our last-known state, and decide what's now stale. If drift_auto_regenerate is on, the affected artifacts (docs, diagrams, health score) re-run automatically. If you've configured Slack or Teams webhooks, the team gets a one-line summary.
MCP Server
Bring your always-fresh codebase context into Claude, Cursor, ChatGPT, Gemini, and any other MCP-compatible tool.
It is a Model Context Protocol (MCP) server that connects your AI coding assistant directly to Repotrix. Instead of copy-pasting files or working from stale context, tools like Claude Code, Cursor, Copilot, Gemini, and ChatGPT can ask grounded, always-fresh questions about your repositories — answered from the latest commit, with citations to the exact files they came from.
Any MCP-compatible client. Editor and CLI tools — Claude Code, Cursor, Copilot, and Gemini CLI — connect through a small local bridge, while URL-based tools like ChatGPT and Gemini connect with a server URL. If your tool speaks MCP, it can read from your Repotrix-indexed repositories.
Five, all grounded in your live code: list_repos (discover your repositories), ask_codebase (grounded, cited answers), search_code (find the exact files), get_architecture (a summary plus a live diagram), and whats_changed (recent drift, explained). Your assistant calls these behind the scenes whenever you ask about your codebase.
Generate a personal access token on the Connect page — it is shown once and scoped to your workspace. Add the local bridge (editor and CLI tools) or paste the server URL (ChatGPT, Gemini), and you are answering from your live codebase in under a minute. The token is encrypted at rest, scoped to your workspace, and can be revoked at any time; the server only reads the repositories you have already indexed.
The MCP server is available on paid plans. The Free tier covers the full web and VS Code experience for a single repository; connecting external AI tools over MCP is a paid feature. See the Pricing section or the Connect page for details.
Compatibility
What we work with — and what we don't yet.
GitHub and Bitbucket are both supported — for repository ingestion, PR Companion reviews, and webhook-driven drift detection (each provider has its own webhook endpoint). The provider is auto-detected from the repository URL — paste a github.com or bitbucket.org link, pick a stored token, and you're in. GitLab support is planned for a future release.
Today we index these source types: Python, JavaScript, TypeScript, Go, Rust, Java, C and C++, and Markdown. Files are walked recursively and chunked along natural boundaries via LangChain's RecursiveCharacterTextSplitter. Binary or unreadable files are skipped, and heavy/vendored directories — node_modules, dist, build, venv/.venv, .git, __pycache__ — are ignored automatically. More languages are on the roadmap; if a specific one matters to you, tell us at contact@repotrix.ai and we'll prioritize it.
Yes, with two caveats. First, ingestion time scales linearly with file count — a 5,000-file monorepo takes longer to embed than a 200-file service. Second, Pinecone's free Starter tier caps at 100,000 vectors total across your org, so a single massive repo can exhaust it. The paid Pinecone tier removes that cap. For monorepos with multiple independent services, consider ingesting each service as a separate Repotrix 'repository' — they share a URL but different branches/paths, giving you per-service docs and analyses.
Yes. Generate a fine-grained Personal Access Token (PAT) on GitHub with read access to the specific repo, paste it into Repotrix's VCS Tokens page. The token is Fernet-encrypted before storage and only decrypted in-memory by the worker process at clone time. We never echo it back through the UI. The same flow works for Bitbucket app passwords. For private repos, we recommend creating a dedicated read-only PAT scoped to just the repos you want analyzed — easy to rotate, hard to misuse.
Features & Output
What you actually get on the dashboard.
The Health Score (0–100) is a single-number summary of overall code quality, computed by deducting points for each issue found: 10 per HIGH issue, 5 per MEDIUM, 2 per LOW. The Security Report is the detailed list those numbers come from — every finding categorized as SECURITY, COMPLEXITY, LOGIC, API_BREAKING, or STYLE, with file paths and concrete fix suggestions. The Health Score is what you glance at on the dashboard card; the full report is one click away on the Health & Security page.
Yes — the technical documentation page has a 'Download PDF' button that renders the entire document client-side using html2canvas + jsPDF. No server round-trip, no data leaves your browser during export. The PDF preserves all syntax-highlighted code blocks, tables, and headings. For the Security Report, you can copy individual findings or screenshot the whole page; a structured CSV/JSON export is on the roadmap.
Not publicly yet. The backend is a clean FastAPI with auto-generated OpenAPI docs at /docs, but we haven't stabilized the contract for third-party use. If you have a specific integration need (CI/CD pipeline, internal dashboard, custom workflow), email contact@repotrix.ai — we're prioritizing the integrations our customers actually ask for, so the more specific the request, the faster it gets built.
