picolayer Alpha

What Picolayer can do in your repo

Picolayer asks for the minimum set of GitHub App scopes needed to survey, file issues, and ship PRs end-to-end. Every permission below is load-bearing for a specific flow — removing any one breaks a documented feature.

Repository permissions

| Permission | Level | Why we need it |
|---|---|---|
| Contents | Read & write | Clone the repo into an ephemeral sandbox and push branches under picolayer/…. |
| Issues | Read & write | File the prioritized backlog, comment on issues, and close them when the corresponding PR merges. |
| Pull requests | Read & write | Open PRs, post review/retry feedback, and cross-link PRs to the issues they resolve. |
| Workflows | Read & write | GitHub requires this whenever a PR touches .github/workflows/* — our CI-hardening rules routinely do. |
| Code scanning alerts | Read & write | Ingest CodeQL findings into tracked issues and dismiss them on fix. |
| Metadata | Read-only | Standard default for all GitHub Apps — basic repo info. |

What Picolayer does not ask for

Picolayer does not request Administration, Secrets, Variables, Actions dispatch, Checks, or Statuses. Verification runs inside the ephemeral sandbox — we never modify repo settings, read secrets, or post Check runs.
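
One way to check an installation against the permission set documented above (an added example, not Picolayer's code): the `permissions` object GitHub returns for an app installation is compared with the table, and anything granted beyond it is reported. The API key names chosen for the page's display names (for instance `security_events` for Code scanning alerts, `actions_variables` for Variables, `actions` for Actions dispatch) and the sample data are assumptions of this example.

```python
# Added example: audit granted GitHub App permissions against the documented set.
# The display-name -> API-key mapping below is this example's assumption.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Maximum level the page documents for each permission.
DOCUMENTED = {
    "contents": "write",
    "issues": "write",
    "pull_requests": "write",
    "workflows": "write",
    "security_events": "write",  # "Code scanning alerts"
    "metadata": "read",
}

# Permissions the page explicitly says are not requested.
DISCLAIMED = {"administration", "secrets", "actions_variables",
              "actions", "checks", "statuses"}

# Constructed sample, shaped like the "permissions" field of an installation
# object; it does not describe any real installation.
SAMPLE_GRANTED = {
    "contents": "write", "issues": "write", "pull_requests": "write",
    "workflows": "write", "security_events": "write", "metadata": "read",
    "secrets": "read", "deployments": "write",
}


def audit_permissions(granted):
    """Return (kind, name, granted_level, documented_level) for every
    permission granted above its documented level."""
    findings = []
    for name, level in sorted(granted.items()):
        allowed = DOCUMENTED.get(name, "none")
        # An unrecognised level string is treated as the highest level.
        if LEVELS.get(level, LEVELS["admin"]) > LEVELS[allowed]:
            kind = "disclaimed" if name in DISCLAIMED else "excess"
            findings.append((kind, name, level, allowed))
    return findings


if __name__ == "__main__":
    for kind, name, level, allowed in audit_permissions(SAMPLE_GRANTED):
        print(f"{kind}: {name} granted {level}, documented {allowed}")
```

An empty result means the installation holds nothing beyond the documented set; a `disclaimed` finding means a permission the page says is never requested has been granted.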

Dashboard sign-in

When you sign in to the dashboard we request one OAuth scope:

| Scope | Why |
|---|---|
| read:user | Look up your GitHub login and list the installations you belong to, so the dashboard only shows repos you actually have access to. |

No repo, no admin:org, no user:email, no write scopes. The OAuth token is only used to list your installations — bot actions run under the installation token, not your personal token.

Data we store

A small SQLite cache on our Fly.io volume tracks runs, surveys, costs, your BYOK keys (encrypted with AES-GCM), and any feedback you send us. Every row can be reconstructed from GitHub events — GitHub is the source of truth.

To remove your data, uninstall the GitHub App and send us a note via the feedback button — we'll wipe your rows within a couple of days.
