Trust

Your code stays yours.

Memlin builds a structural map of your codebase — what exists, how it connects, what it’s for. We don’t store your source. We don’t train on it. You pick where the scanner runs.

Pick your trust mode

Three places the scanner can run. Same graph either way; what changes is whether your source ever crosses Memlin’s network. You choose per repo, and you can change it later.

Default

Cloud scan

Runs on: Memlin worker

Your code is held in RAM during the scan and deleted at the end.

The worker fetches source via your OAuth token into a tmpfs (RAM-backed) sandbox, parses it, and removes it when the scan finishes. Secrets are never fetched — files matching .env, .pem/.key, secrets.json, appsettings.*.json, and credentials are denied at the fetch layer.

Tradeoff: Zero setup. You’re trusting our temp-then-delete window.

Available

In-runner scan

Runs on: Your GitHub Action

Your code never reaches Memlin. The scan runs inside GitHub.

A Memlin GitHub Action runs in your own runner on each push (or when you click Run workflow). The Action computes the graph and posts the JSON back to Memlin. Source stays inside GitHub the whole time. Optional: pass an Anthropic key to enrich the map with AI summaries — the excerpt goes from your runner directly to Anthropic, Memlin never sees it.

Tradeoff: One workflow file in your repo.

Available

Local scan

Runs on: Your machine

Your code never leaves your environment.

A `memlin scan` CLI command runs the same analyzers on the developer’s machine and posts only the graph JSON. Common posture for highly regulated codebases. Optional: set ANTHROPIC_API_KEY to enrich with AI summaries — same trust posture (Memlin never sees the excerpt).

Tradeoff: Per-developer install.

What we keep, what we never keep

The same in every mode. The map is what we keep; your source is what we don’t.

We keep

  • Structure. File paths and the names of functions, classes, tables, routes, and topics.
  • Relationships. The graph: what calls what, what imports what, which code reads or writes which tables, and which services publish or consume events.
  • Summaries. One-line plain-language descriptions per symbol, generated from a transient excerpt that is never written to the DB.
  • Docs you choose. Markdown / README content is proposed to your inbox; nothing lands until you accept it.

We never keep

  • Raw source code.No function bodies. No excerpts. We store the symbol’s name, not its body; any older excerpts were purged.
  • Raw SQL migrations. A migration is stored as a record (name + path); its tables live structurally as db_table nodes in the graph.
  • Secrets. Files matching .env, .pem, .key, secrets.json, appsettings.*.json, and credentials are denied at the fetch layer — never fetched.
  • Training inputs.Memlin does not train any model on your code, repos, or derived graph. Summaries call the Anthropic API; per their commercial terms, API inputs/outputs aren’t used for training. In Cloud mode Anthropic is our sub-processor (we send transient excerpts on your behalf). In In-runner or Local mode with summaries enabled, you call Anthropic with your own key — Memlin never sees the excerpt.

How Cloud scans run, end to end

The full pipeline, end to end. We’re writing it down because we want vendor-review questions to have answers.

  1. Step 1Trigger

    You click Scan. The web app queues a scan job; a Memlin worker picks it up.

  2. Step 2Fetch (source only, RAM-only)

    Worker uses yourGitHub OAuth token. Lists the repo’s file tree, applies a source allowlist + secret denylist, fetches only the surviving blobs, and writes them to a tmpfs (RAM-backed) sandbox. Your source never touches durable storage.

  3. Step 3Walk + parse

    Detects components by manifest (.csproj, package.json, go.mod, …). Parses each component with language-aware analyzers, extracting names, calls, imports, and table refs.

  4. Step 4Persist (structure + summaries)

    Writes the structural map — components, symbols, and the edges between them. AI summaries are generated from a transient excerpt and the excerpt is discarded.

  5. Step 5Delete the source

    rm -rf the tmpfs sandbox in a finally block. The scan ends; the source is gone.

Compliance & data

Questions for a vendor review or security questionnaire? Email security@memlin.ai. We answer with specifics, not adjectives.