Solution · GitHub tracking
The repo events you should have seen sooner.
A personal access token enumerates the user's repos and every org where the user is admin. Engager polls every five minutes for org scope, every ten for user scope, and pages on the events that actually carry operational risk.
5 min
Org poll cadence
Tunable per workspace
10 min
User poll cadence
Personal repo enumeration
7
Event kinds
Across the operational surface
AES 256
PAT encryption
Envelope wrapped per workspace
The events that matter
Visibility flips and ownership transfers, paged like outages.
A repository going public is an outage of a different kind. Same with an ownership transfer, a default branch swap, a new org member, a secret added.
Engager treats them as critical events and routes through the GitHub channel scope you set in your routing rules.
GitHub tracker · 4 PATs · last 24h
Visibility flipped
criticalrookhq/legacy-billing · @rookadmin · 4m ago
Repo created
rookhq/edge-router · @AravAVR · 1h ago
Secret added
rookhq/api · @realmbyrook · 3h ago
Repo transferred
criticalrookhq/internal-tools → realm/internal-tools · @hlotech · 6h ago
Member added to org
rookhq · @new-eng · 12h ago
Default branch changed
rookhq/web · @AravAVR · 23h ago
Secrets, not codes
The PAT lives in your workspace KEK. Engager never sees the plaintext at rest.
Add a personal access token in Integrations. The plaintext is wrapped with a workspace data encryption key, which is wrapped with a Key Vault master key. Engager pulls the plaintext just in time, runs the GitHub call, drops it.
Rotate the master key whenever you want. Engager re wraps without re reading the ciphertext.
Stored secret · GitHub PAT
github_pat_•••••••••••••••••••
Layer 1 · payload
AES 256 GCM ciphertext + 16 byte tag
Layer 2 · DEK
32 byte data key, wrapped per row
Layer 3 · KEK (Azure Key Vault)
RSA OAEP 256 · Engager never reads
The seven kinds
Each kind has its own routing.
Repo created
A new repo appeared under a tracked account or org. Author, name, visibility surfaced.
Repo transferred
Ownership moved between users or orgs. Critical kind by default.
Visibility changed
Public to private or back. Pinned for legal review.
Repo deleted
A tracked repo is gone. Critical and immediately paged.
Secret added
A new repo or org secret stored. Visible to admins, never the value.
Default branch changed
main went to something else, or back. Useful for release engineering.
Org member added
New seat in the org. Useful for compliance and finance.
Many tokens, one feed
Add the four PATs that cover your team. Engager dedupes events by repo full name plus event kind plus actor.
Mute rules
Specific repo prefixes or specific actors can be muted per channel. Useful for build bot noise.
Daily digest
Even when nothing critical fires, a quiet end of day digest summarises every repo creation, every member join, every secret add.