Okibi

How Okibi handles your code

Last updated July 9, 2026

Okibi’s job is to read your codebase and generate a CLI from it. Here is exactly what happens to your code, in plain terms.

Your code is processed in an isolated sandbox, then destroyed

Every generation runs in its own single-use, single-tenant sandbox VM. Your repository is cloned into that sandbox, the generation pipeline runs, and the sandbox, including your source, is destroyed when the run ends. Sandboxes are never shared between customers or reused between runs.

We don’t keep your source code

What we retain is what you came for: the generated CLI, its documentation, and run logs and metadata (timing, status, source repository name). Run logs can include short excerpts of your code when they’re relevant to explaining an error.

No one trains models on your code

Generation uses AI models from leading providers via their APIs, under terms that do not permit using code sent for processing to train their models. We don’t train models on your code either.

Access is minimal and scoped

Our GitHub App requests read-only access to repository contents and metadata, only for the repositories you select. Clone credentials are short-scoped, delivered to the sandbox over private channels, and never written to logs. Our AI-provider API keys never leave our servers and sandboxes, and they are never embedded in anything you download.

Standard protections everywhere else

Encryption in transit and at rest, access controls on production systems, and publish flows that only ever write to repositories you explicitly connected.

Found a security issue? Email hello@okibi.ai. We read every report and respond quickly.