Security
Last updated: May 2026 · This page is a stub — full disclosure in progress.
We request the minimum GitHub permissions required to read your repository and open a single pull request. Read access and PR creation only — no admin, no webhook, no secrets access. Credentials are revoked immediately after the PR is delivered.
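A customer can verify that an installed GitHub App actually matches the scope described above by auditing the installation's permission object against a least-privilege allowlist. The following is an added example written for this page, not the service's own tooling; the allowlist encodes the scope stated here (contents read, pull request write), the `metadata: read` entry is an assumption based on GitHub granting it to every installation, and the sample permission sets are constructed.

```python
"""Audit a GitHub App installation's permission set against a least-privilege
allowlist. Added example for this page; not the service's own code.

The sample permission objects below are constructed. They follow the shape of
the `permissions` object returned by the GitHub installations API, e.g.
{"contents": "read", "pull_requests": "write"}.
"""

# Access levels GitHub uses for app permissions, ordered by privilege.
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The scope the page states: repository read plus PR creation, nothing else.
ALLOWED = {
    "contents": "read",
    "pull_requests": "write",
    "metadata": "read",  # assumption: implicitly granted to all installations
}

# Permissions the page says are never requested; flag these by name so a
# reviewer sees "admin/webhook/secrets" findings rather than generic ones.
FORBIDDEN = {
    "administration",
    "organization_administration",
    "secrets",
    "repository_hooks",
    "organization_hooks",
}


def audit_permissions(perms: dict) -> list:
    """Return human-readable findings; an empty list means least privilege holds."""
    findings = []
    for name, level in sorted(perms.items()):
        if level not in LEVEL:
            findings.append(f"{name}: unknown access level {level!r}")
            continue
        if LEVEL[level] == 0:
            continue  # an explicit "none" grants nothing
        if name in FORBIDDEN:
            findings.append(f"{name}: forbidden permission granted ({level})")
        elif name not in ALLOWED:
            findings.append(f"{name}: not in allowlist ({level})")
        elif LEVEL[level] > LEVEL[ALLOWED[name]]:
            findings.append(f"{name}: {level} exceeds allowed {ALLOWED[name]}")
    return findings


# Constructed sample: the permission set the page describes.
MINIMAL = {"contents": "read", "pull_requests": "write", "metadata": "read"}

# Constructed sample: an over-privileged installation a reviewer should reject.
EXCESSIVE = {
    "contents": "write",
    "pull_requests": "write",
    "metadata": "read",
    "administration": "write",
    "secrets": "read",
    "repository_hooks": "write",
}

if __name__ == "__main__":
    for label, perms in (("minimal", MINIMAL), ("excessive", EXCESSIVE)):
        result = audit_permissions(perms)
        print(label, "OK" if not result else result)
```

Run it against the JSON returned for the installation in question; any finding means the installed scope is wider than the page claims and the installation should be reviewed before the app is allowed to touch a non-public repository.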
Code is sent through the OpenAI API. By default, OpenAI does not retain prompts or completions submitted via the API for training purposes (policy in effect since March 2023). Customers requiring a formal Zero Data Retention contract can request one before engagement.
All mutations are written to a dedicated symbiote/plan-{id} branch. We never push to main or any protected branch. Worst-case rollback is a single git branch -D.
Every lock acquire, wait, release, and denial is logged with monotonic-nanosecond timestamps to kernel.log. A verdict line (COLLISION-FREE ✓ or COLLISION DETECTED ⚠) is appended at the end of every run. The log is delivered alongside the PR.
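Because the log is delivered with the PR, the customer can check its invariants independently instead of trusting the appended verdict line. The following is an added example written for this page, not the service's own tooling. The record layout (`<monotonic_ns> <event> <lock> <holder>`, one event per line) is an assumption, as is the choice of checks; only the event names, the nanosecond monotonic timestamps and the two verdict strings come from the page, and the sample logs are constructed.

```python
"""Sanity-check a lock-trace log of the kind the page describes. Added example
for this page; not the service's own tooling, and the line format is assumed.

Assumed record format, one event per line, whitespace-separated:
    <monotonic_ns> <event> <lock> <holder>
where event is one of acquire, wait, release, denial. The final line is the
verdict, either "COLLISION-FREE ✓" or "COLLISION DETECTED ⚠" (as on the page).
"""

VERDICTS = ("COLLISION-FREE ✓", "COLLISION DETECTED ⚠")
EVENTS = {"acquire", "wait", "release", "denial"}


def check_lock_log(text: str) -> dict:
    """Verify structural invariants of a lock log independently of its verdict.

    Returns {"verdict": <line or None>, "problems": [...], "held": {...}}.
    The checks are this example's own, not the service's definition of a
    collision:
      * timestamps are strictly increasing (monotonic nanosecond clock)
      * a lock is never acquired while another holder still holds it
      * every release matches an acquire by the same holder
      * the verdict line is present exactly once and is the last line
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    problems = []
    verdict = None
    held = {}  # lock -> current holder
    last_ts = -1

    for i, line in enumerate(lines, start=1):
        if line in VERDICTS:
            if verdict is not None:
                problems.append(f"line {i}: duplicate verdict line")
            verdict = line
            if i != len(lines):
                problems.append(f"line {i}: verdict is not the last line")
            continue
        parts = line.split()
        if len(parts) != 4:
            problems.append(f"line {i}: malformed record {line!r}")
            continue
        ts_str, event, lock, holder = parts
        if not ts_str.isdigit():
            problems.append(f"line {i}: non-numeric timestamp {ts_str!r}")
            continue
        ts = int(ts_str)
        if ts <= last_ts:
            problems.append(f"line {i}: timestamp {ts} not after {last_ts}")
        last_ts = ts
        if event not in EVENTS:
            problems.append(f"line {i}: unknown event {event!r}")
            continue
        if event == "acquire":
            if lock in held:
                problems.append(
                    f"line {i}: {holder} acquired {lock} while held by {held[lock]}"
                )
            held[lock] = holder
        elif event == "release":
            if held.get(lock) != holder:
                problems.append(f"line {i}: {holder} released {lock} it does not hold")
            held.pop(lock, None)
        # "wait" and "denial" records do not change ownership for these checks.

    if verdict is None:
        problems.append("no verdict line found")
    for lock, holder in sorted(held.items()):
        problems.append(f"end of log: {lock} still held by {holder}")
    return {"verdict": verdict, "problems": problems, "held": dict(held)}


# Constructed sample: two workers contend for one file lock, resolved cleanly.
CLEAN_LOG = """\
1000 acquire src/app.py worker-1
1200 wait src/app.py worker-2
1800 release src/app.py worker-1
1810 acquire src/app.py worker-2
2500 release src/app.py worker-2
COLLISION-FREE ✓
"""

# Constructed sample: a trace whose verdict line contradicts its own records.
BAD_LOG = """\
1000 acquire src/app.py worker-1
1200 acquire src/app.py worker-2
1100 release src/app.py worker-1
COLLISION-FREE ✓
"""

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("bad", BAD_LOG)):
        result = check_lock_log(log)
        print(label, result["verdict"], result["problems"] or "no problems")
```

The point of the second sample is that a verdict line is only as trustworthy as the records behind it: the checker flags the overlapping acquire, the backwards timestamp and the mismatched release even though the log ends in COLLISION-FREE ✓.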
We sign mutual NDAs before receiving access to any non-public repository. A Data Processing Agreement (DPA) is available on request for customers subject to GDPR or equivalent regulation.
Found a vulnerability? Contact [email protected] with a description. We aim to acknowledge within 48 hours.
Full security documentation is being drafted and will replace this stub. If you have specific compliance requirements, contact us before engaging.