IntelligenceX

IntelligenceX Security and Trust Model

Learn how IntelligenceX keeps code, credentials, GitHub Apps, and review workflows under your control with a zero-trust design and no hosted backend.

Security and Trust Model

IntelligenceX is built on a zero-trust design. You do not have to trust an IntelligenceX backend because there is no IntelligenceX backend in the reviewer, IX Chat, CLI, or setup flows.

Core Principles

No Backend Service

IntelligenceX has no hosted control plane. Onboarding happens locally on your machine, IX Chat stores state locally, and the reviewer runs inside your GitHub Actions environment.

Your Credentials, Your Control

You authenticate with your own ChatGPT or Copilot account:

  • ChatGPT: OAuth login via browser, auth bundle stored as GitHub Actions secret
  • Copilot: uses your existing GitHub Copilot access
  • Optional encryption: set INTELLIGENCEX_AUTH_KEY to encrypt local auth storage

Bring Your Own GitHub App

For organizations that need full control:

  • Create a GitHub App under your organization
  • Keep your own branding and permission scopes
  • Keep your own audit trail in org settings

GitHub Authentication Modes

Mode | Best For | How It Works
GitHub App (recommended) | Organizations | Install your own app for branded bot identity and fine-grained permissions
OAuth Device Flow | Single repos | Fast setup, no app required
Personal Access Token | Restricted environments | Policy-compliant manual token management

What the Tool Changes

IntelligenceX keeps repo changes minimal and reviewable:

  • Adds .github/workflows/review-intelligencex.yml
  • Optionally adds .intelligencex/reviewer.json
  • Uses PRs by default for setup changes

Data Flow

When the reviewer analyzes a PR:

  1. GitHub Actions checks out your code diff
  2. Diff is sent directly to your selected AI provider
  3. AI response is posted as PR comments

No data passes through IntelligenceX infrastructure.

Provider policies still apply:

Manual Secret Mode

If you do not want automatic secret upload:

intelligencex setup wizard --manual-secret

The CLI writes the base64 auth bundle to a local temporary file and prints only that file path for manual secret entry. If you prefer the old copy/paste flow, add --manual-secret-stdout to print it directly (less safe due to terminal/log exposure).
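One way to handle the temporary file from --manual-secret without exposing the bundle, as an added example that is not part of the IntelligenceX project. It assumes the GitHub CLI (gh) is installed and authenticated; the secret name is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hand a manual-mode auth bundle file to GitHub without echoing it.
# SECRET_NAME is a placeholder; use the secret name your workflow expects.
SECRET_NAME="${SECRET_NAME:-PLACEHOLDER_SECRET_NAME}"

# Succeeds only if the path is a regular, non-empty file that group and other
# cannot access and whose content decodes as base64.
check_bundle_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file" >&2; return 1; }
    [ -s "$f" ] || { echo "file is empty" >&2; return 1; }
    # Characters 5-10 of the mode string are the group and other permission bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other can access file; chmod 600 it" >&2; return 1; }
    base64 -d < "$f" > /dev/null 2>&1 || { echo "not valid base64" >&2; return 1; }
}

# Uploads the bundle via stdin so the value never appears in argv, shell
# history, or terminal scrollback, then removes the local copy.
upload_bundle() {
    f=$1
    repo=$2   # owner/name of the target repository
    check_bundle_file "$f" || return 1
    gh secret set "$SECRET_NAME" --repo "$repo" < "$f" || return 1
    rm -f -- "$f"
}

# Usage: sh upload-bundle.sh /path/printed/by/the/cli owner/repo
if [ "$#" -eq 2 ]; then
    upload_bundle "$1" "$2"
fi
```

The local file is deleted only after gh reports success, so a failed upload leaves it in place for a retry.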

Best Practices

  1. Set INTELLIGENCEX_AUTH_KEY for encrypted local storage
  2. Use least-privilege GitHub App permissions
  3. Rotate tokens periodically (intelligencex auth login)
  4. Keep setup changes in PRs
  5. Monitor provider usage with intelligencex usage --events

Open Source

IntelligenceX is open source (MIT):

  • Source code
  • Reviewable security model
  • Forkable and extensible