Security
Last updated: May 2026 · This page is a stub — full disclosure in progress.
We request the minimum GitHub permissions required to read your repository and open a single pull request. Read access and PR creation only — no admin, no webhook, no secrets access. Credentials are revoked immediately after the PR is delivered.
Code transits OpenAI's enterprise API under a zero-data-retention agreement (ZDR). No prompt or completion is stored by OpenAI beyond the duration of the API call. Your code is never used to train or fine-tune models.
All mutations are written to a dedicated symbiote/plan-{id} branch. We never push to main or any protected branch. Worst-case rollback is a single git branch -D.
Every lock acquire, wait, release, and denial is logged with monotonic-nanosecond timestamps to kernel.log. A verdict line (COLLISION-FREE ✓ or COLLISION DETECTED ⚠) is appended at the end of every run. The log is delivered alongside the PR.
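A recipient can recompute the verdict from the logged events rather than relying on the final line alone. The sketch below is an added example, not the project's own code. It assumes a line layout of `<monotonic_ns> <EVENT> <lock> <holder>` and assumes that a collision means a lock is acquired while another holder still has it; neither is documented on this page, and the sample logs are constructed.

```python
from collections import defaultdict

# ASSUMED line layout (not documented on the page): "<monotonic_ns> <EVENT> <lock> <holder>"
# ASSUMED meaning of "collision": a lock is acquired while another holder still has it.
EVENTS = {"ACQUIRE", "WAIT", "RELEASE", "DENY"}

def audit(log_text):
    """Recompute the verdict from the events; return (recomputed, stated, findings)."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    stated = lines[-1] if lines and lines[-1].startswith("COLLISION") else None
    body = lines[:-1] if stated else lines
    findings = [] if stated else ["no verdict line at end of log"]
    holders, last_ts, collided = defaultdict(set), -1, False
    for n, line in enumerate(body, 1):
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or parts[1] not in EVENTS:
            findings.append(f"line {n}: unparseable")
            continue
        ts, event, lock, who = int(parts[0]), parts[1], parts[2], parts[3]
        if ts < last_ts:  # a monotonic clock must never go backwards
            findings.append(f"line {n}: timestamp goes backwards")
        last_ts = max(last_ts, ts)
        if event == "ACQUIRE":
            if holders[lock] - {who}:  # someone else still holds this lock
                collided = True
                findings.append(f"line {n}: {who} acquired {lock} while held")
            holders[lock].add(who)
        elif event == "RELEASE":
            if who not in holders[lock]:
                findings.append(f"line {n}: {who} released {lock} without holding it")
            holders[lock].discard(who)
    recomputed = "COLLISION DETECTED" if collided else "COLLISION-FREE"
    if stated and not stated.startswith(recomputed):
        findings.append(f"stated verdict {stated!r} contradicts the events")
    return recomputed, stated, findings

# Constructed sample logs (not real output of the tool).
CLEAN = """1000 ACQUIRE lock-A worker-1
1200 WAIT lock-A worker-2
1500 RELEASE lock-A worker-1
1600 ACQUIRE lock-A worker-2
1900 RELEASE lock-A worker-2
COLLISION-FREE ✓"""
ALTERED = """1000 ACQUIRE lock-A worker-1
1100 ACQUIRE lock-A worker-2
1300 RELEASE lock-A worker-1
1400 RELEASE lock-A worker-2
COLLISION-FREE ✓"""

if __name__ == "__main__":
    for name, log in (("clean", CLEAN), ("altered", ALTERED)):
        print(name, audit(log))
```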
We sign mutual NDAs before receiving access to any non-public repository. A Data Processing Agreement (DPA) is available on request for customers subject to GDPR or equivalent regulation.
Found a vulnerability? Contact yehor.callmedai@gmail.com with a description. We aim to acknowledge within 48 hours.
Full security documentation is being drafted and will replace this stub. If you have specific compliance requirements, contact us before engaging.