For hiring contractors

Give a contractor access for the job — then take it back

Adding a contractor to your GitHub org gives them a permanent clone and full history. Sealrepo gives them time-boxed, revocable access to an encrypted repo — watermarked to them — that re-seals when the job ends.

You need a freelancer to ship one feature. The usual path — invite them to the org, hope you remember to remove them, trust they delete their clone — leaves your entire codebase and its history on a stranger's laptop indefinitely.

You want the opposite: the smallest, shortest, most traceable access that still lets them do the work — and a clean, certain way to end it.

How Sealrepo handles it

Access that expires on a clock

Grant access for the length of the engagement. Time-boxed codes mean access ends even if you forget to revoke it.

Revoke in one step — the vault re-seals

When the work is done, revoke. On the contractor's next check the repo re-seals; they can't unlock new versions. No org-membership cleanup to forget.

Every file is watermarked to the contractor

Unlocked files carry an invisible-to-the-workflow marker tying them to that grant and person. If code leaks — a paste, a pastebin, an AI training set — it points back to who let it out.

Real-time alerts on bulk exfiltration

If a vault is mass-copied or packed into an archive, you get an alert — so a wholesale grab doesn't happen silently.

The contractor workflow

  1. sealrepo share --email [email protected] --expires 14d
     Mint a time-boxed access code for just this project.
  2. sealrepo redeem <code>
     The contractor redeems on their machine and unlocks to work.
  3. They branch, commit, and push like normal. Their unlocked files are watermarked to them.
  4. sealrepo lockdown
     Job done: revoke. The vault re-seals on their next online check; the audit log records the whole lifecycle.

What Sealrepo does not do

  • While the contractor is authorized and has unlocked, the code is plaintext on their machine — they can read and copy it. That is true of any tool, including handing them a zip. Sealrepo makes the access short, revocable, and attributable; it cannot make code unreadable to someone you asked to work on it.
  • Watermarks deter and attribute leaks; they don't physically prevent copying. A determined thief can retype or photograph a screen. The point is to make casual leaking traceable and risky.
  • Revocation stops future unlocks. It cannot reach back and delete a copy the contractor already made while authorized — pair it with an NDA.

We spell this out because security tools that imply they do more than they can are the ones you should distrust. Read the full threat model.

Common questions

How is this better than adding them to my GitHub org?

Org membership is all-or-nothing and permanent until you remember to remove it — and it hands over full history to a clone you don't control. Sealrepo access is scoped to one project, expires on a clock, is watermarked to the person, and re-seals on revoke.

What if the contractor just copies everything on day one?

Bulk-copy and archive operations trigger a real-time exfiltration alert, and every file they unlocked is watermarked to their grant. You can't make authorized code uncopyable — no one can — but you can make a wholesale grab loud and attributable instead of silent.

Do they need a paid account?

No. Redeeming an access code and unlocking is free for the contractor. You (the owner) need a Team seat to issue revocable grants.

Can I give access to only part of the repo?

Today a grant covers the project's vault. Path-scoped access — unlocking only certain directories — is on the roadmap; if that's a hard requirement for you, tell us at [email protected] and we'll factor it into prioritization.

Seal your first repo in 5 minutes

Free CLI, free account, no card. See how it compares to git-crypt & friends.