What Picolayer can do in your repo
Picolayer asks for the minimum set of GitHub App scopes needed to survey, file issues, and ship PRs end-to-end. Every permission below is load-bearing for a specific flow — removing any one breaks a documented feature.
Repository permissions
| Permission | Level | Why we need it |
|---|---|---|
| Contents | Read & write | Clone the repo into an ephemeral sandbox and push branches under picolayer/…. |
| Issues | Read & write | File the prioritized backlog, comment on issues, and close them when the corresponding PR merges. |
| Pull requests | Read & write | Open PRs, post review/retry feedback, and cross-link PRs to the issues they resolve. |
| Workflows | Read & write | GitHub requires this whenever a PR touches .github/workflows/* — our CI-hardening rules routinely do. |
| Code scanning alerts | Read & write | Ingest CodeQL findings into tracked issues and dismiss them on fix. |
| Metadata | Read-only | Standard default for all GitHub Apps — basic repo info. |
What Picolayer does not ask for
Picolayer does not request Administration, Secrets, Variables, Actions dispatch, Checks, or Statuses. Verification runs inside the ephemeral sandbox — we never modify repo settings, read secrets, or post Check runs.
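To confirm that an installation holds only the permissions listed above, compare the `permissions` object GitHub reports for the installation against the table. The following is an added example, not Picolayer's own code; the mapping from the table's display names to GitHub API permission keys and both sample installation objects are assumptions constructed for illustration.

```python
# Privilege ordering of the levels GitHub reports for an App permission.
LEVEL = {"read": 1, "write": 2, "admin": 3}

# The repository permissions table, keyed by GitHub API permission name.
# Assumption: display name -> API key mapping chosen for this example.
DOCUMENTED = {
    "contents": "write",
    "issues": "write",
    "pull_requests": "write",
    "workflows": "write",
    "security_events": "write",  # "Code scanning alerts"
    "metadata": "read",
}

def audit_permissions(installation: dict) -> dict:
    """Diff an installation's granted permissions against the documented set."""
    granted = installation.get("permissions", {})
    report = {"undocumented": [], "above_documented": []}
    for name, level in sorted(granted.items()):
        if name not in DOCUMENTED:
            # Anything outside the table, e.g. administration or secrets.
            report["undocumented"].append(f"{name}:{level}")
        elif LEVEL.get(level, 99) > LEVEL[DOCUMENTED[name]]:
            # Unknown level strings are treated as over-privileged.
            report["above_documented"].append(f"{name}:{level}")
    # Documented but absent: a feature may be broken, not a security finding.
    report["not_granted"] = sorted(set(DOCUMENTED) - set(granted))
    report["ok"] = not (report["undocumented"] or report["above_documented"])
    return report

# Constructed samples shaped like the installation object's "permissions" field.
SAMPLE_MATCHING = {"permissions": dict(DOCUMENTED)}
SAMPLE_DRIFTED = {"permissions": {
    "contents": "write", "issues": "write", "pull_requests": "write",
    "workflows": "write", "metadata": "read",
    "administration": "write",  # not in the table: must be flagged
}}

if __name__ == "__main__":
    for label, inst in (("matching", SAMPLE_MATCHING), ("drifted", SAMPLE_DRIFTED)):
        print(label, audit_permissions(inst))
```

Running the same diff after every permission-update prompt from the App catches scope growth before it is accepted.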
Dashboard sign-in
When you sign in to the dashboard we request one OAuth scope:
| Scope | Why |
|---|---|
| read:user | Look up your GitHub login and list the installations you belong to, so the dashboard only shows repos you actually have access to. |
No repo, no admin:org, no user:email, no write scopes. The OAuth token is only used to list your installations — bot actions run under the installation token, not your personal token.
Data we store
A small SQLite cache on our Fly.io volume tracks runs, surveys, costs, your BYOK keys (encrypted with AES-GCM), and any feedback you send us. Every row can be reconstructed from GitHub events — GitHub is the source of truth.
To remove your data, uninstall the GitHub App and send us a note via the feedback button — we'll wipe your rows within a couple of days.