ReviewRouter: reviews run in customer CI
Security model

Designed to avoid code and secret custody.

ReviewRouter is a control plane. It helps install, configure, and monitor AI review, while review workloads execute inside GitHub Actions under the repository owner's control.

Credential boundary

Seed secrets directly to GitHub.

The local helper validates the Codex ChatGPT subscription auth on your machine and writes it, through the gh CLI, to the CODEX_AUTH_JSON Actions secret, either repository-scoped or as an organization secret restricted to selected repositories. For Claude Code subscription OAuth, the token produced by claude setup-token is stored the same way as CLAUDE_CODE_OAUTH_TOKEN. Neither token is sent to the ReviewRouter SaaS: it travels from your machine to GitHub's secret store and nowhere else. In the install command, REVIEW_ROUTER_CONFIRM_WRITE=1 is the explicit opt-in to write the secret and REVIEW_ROUTER_REPO names the target repository.

curl -fsSL https://reviewrouter.site/install/codex | REVIEW_ROUTER_CONFIRM_WRITE=1 REVIEW_ROUTER_REPO=owner/repo bash
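The following is an added example of a local seeding helper in the spirit of the one described above. It is not ReviewRouter's own helper: the gh secret set flags (--repo, --org, --visibility selected, --repos, value on stdin) are real CLI behaviour, but the meaning given to REVIEW_ROUTER_CONFIRM_WRITE, the shape assumed for the Codex auth JSON (an object with a "tokens" member) and the acme/widgets repository are assumptions. The point it shows: validate locally, gate on the explicit confirm flag, and pass the value to gh on stdin so it never lands in argv, shell history or process listings.

```python
# Added example, not ReviewRouter's helper. gh flags are real; the
# REVIEW_ROUTER_* semantics and the auth JSON layout are assumptions.
import json
import os
import re
import subprocess

REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def validate_codex_auth(raw):
    """Cheap local validation before anything is written: the value must be
    a JSON object carrying a 'tokens' object (assumed layout)."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"auth file is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not isinstance(data.get("tokens"), dict):
        raise ValueError("auth JSON must be an object with a 'tokens' object")
    return data


def gh_secret_argv(name, repo, org=None):
    """Build the gh invocation. Repository-scoped by default; when org is
    given, create an org secret visible only to the selected repository."""
    if not REPO_RE.match(repo):
        raise ValueError(f"expected owner/repo, got {repo!r}")
    if org is None:
        return ["gh", "secret", "set", name, "--repo", repo]
    repo_name = repo.split("/", 1)[1]
    return ["gh", "secret", "set", name, "--org", org,
            "--visibility", "selected", "--repos", repo_name]


def seed_secret(name, raw_value, repo, org=None, env=None, run=subprocess.run):
    """Validate, gate on the explicit confirm flag, then hand the value to gh
    on stdin. Returns the argv used so callers can log it (it holds no secret)."""
    env = os.environ if env is None else env
    if env.get("REVIEW_ROUTER_CONFIRM_WRITE") != "1":
        raise PermissionError(
            "refusing to write secrets without REVIEW_ROUTER_CONFIRM_WRITE=1")
    validate_codex_auth(raw_value)
    argv = gh_secret_argv(name, repo, org)
    run(argv, input=raw_value, text=True, check=True)
    return argv


if __name__ == "__main__":
    # Dry run with a constructed auth blob and a fake runner; no gh call made.
    sample = json.dumps({"tokens": {"access_token": "constructed-not-real"}})
    fake_env = {"REVIEW_ROUTER_CONFIRM_WRITE": "1"}
    print(seed_secret("CODEX_AUTH_JSON", sample, "acme/widgets",
                      env=fake_env, run=lambda argv, **kw: None))
```

Passing the value on stdin rather than with --body matters on shared machines: gh reads it directly, so the token is never an argument visible to other users via ps.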
Code custody

Review execution stays in customer CI.

ReviewRouter v1 manages metadata, workflow setup, model settings, health, and audit. It does not store repository code, pull request diffs, prompts, or model responses by default.

Provider secrets

Provider OAuth tokens and API keys stay out of the SaaS.

Provider credentials are stored directly in GitHub Actions secrets or on a trusted self-hosted runner. The dashboard only shows setup guidance and provider health metadata.

Fork safety

Secret-backed review is skipped for fork PRs by default.

The generated workflow avoids automatically exposing secrets to untrusted fork code. Trusted rerun flows should be explicit maintainer actions, not implicit defaults.
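As an added example of the guard described above (not ReviewRouter's generated workflow), here is the decision a workflow step can make from the Actions event payload before any job that references provider secrets is allowed to run. The payload fields and environment variables are the standard GitHub Actions ones; the decision policy, the run-review output name and the acme/widgets repository are assumptions.

```python
# Added example of a fork guard step. Not ReviewRouter code; the policy and
# the "run-review" output name are assumptions. Event fields are GitHub's.
import json
import os


def secret_review_allowed(event_name, event, repo):
    """Return (allowed, reason). Secrets may only reach jobs whose code comes
    from this repository, or that a maintainer triggered explicitly."""
    if event_name == "workflow_dispatch":
        # Explicit maintainer action (the trusted rerun path), never a default.
        return True, "explicit workflow_dispatch by a maintainer"
    if event_name in ("pull_request", "pull_request_target"):
        head = event.get("pull_request", {}).get("head", {})
        head_repo = (head.get("repo") or {}).get("full_name")  # None if fork deleted
        if head_repo != repo:
            # Same rule for pull_request_target: that event does receive
            # secrets, so the guard must not rely on the event type alone.
            return False, f"fork PR (head repo {head_repo}); secret-backed review skipped"
        return True, "same-repository PR"
    return False, f"event {event_name!r} is not eligible for secret-backed review"


def main():
    if "GITHUB_EVENT_PATH" not in os.environ:
        # Outside Actions: exercise the guard on a constructed fork event.
        constructed = {"pull_request": {"head": {"repo": {"full_name": "mallory/widgets"}}}}
        print(secret_review_allowed("pull_request", constructed, "acme/widgets"))
        return
    with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        event = json.load(fh)
    allowed, reason = secret_review_allowed(
        os.environ["GITHUB_EVENT_NAME"], event, os.environ["GITHUB_REPOSITORY"])
    print(reason)
    with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as out:
        out.write(f"run-review={'true' if allowed else 'false'}\n")


if __name__ == "__main__":
    main()
```

The job that actually holds secrets.CODEX_AUTH_JSON or secrets.CLAUDE_CODE_OAUTH_TOKEN should then carry if: steps.guard.outputs.run-review == 'true' (assumed step id). The equivalent workflow-level expression is github.event.pull_request.head.repo.full_name == github.repository; the step form is shown because it also handles the deleted-fork case where head.repo is null.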

Action config

OIDC avoids long-lived ReviewRouter API tokens in repos.

A workflow job can exchange the OIDC token GitHub issues to it for short-lived ReviewRouter runtime config, so no long-lived ReviewRouter API token has to live in repository secrets. A static-token fallback exists for the local beta, but production should prefer OIDC.
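An added example of the control-plane side of that exchange, not ReviewRouter code: validating the claims of a GitHub Actions OIDC token before minting short-lived runtime config. Signature verification against GitHub's JWKS is assumed to have happened already and is not shown (use a JOSE library for it); the audience string "reviewrouter", the config payload and the installed-repository map are assumptions. The claim names (iss, aud, exp, nbf, repository, repository_id, run_id) are the standard GitHub Actions OIDC claims, and the check binds to repository_id rather than only the name so that a deleted-and-recreated repository with the same name does not inherit an installation.

```python
# Added example of OIDC claim validation on the control plane. Not
# ReviewRouter code. Signature verification is assumed done beforehand.
import base64
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
MAX_CONFIG_TTL = 600  # seconds; config must not outlive the token it came from


def decode_claims(token):
    """Decode the payload segment only. Never treat this as verification."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(claims, expected_aud, installed, now=None):
    """installed maps repository_id -> full name recorded at install time."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer is not GitHub Actions"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "token expired or not yet valid"
    repo_id = str(claims.get("repository_id"))
    if installed.get(repo_id) != claims.get("repository"):
        return False, "repository is not installed (or id and name disagree)"
    return True, "ok"


def issue_runtime_config(token, expected_aud, installed, now=None):
    """Return config whose lifetime is capped by the token's own expiry."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    ok, reason = check_claims(claims, expected_aud, installed, now)
    if not ok:
        raise PermissionError(reason)
    ttl = min(MAX_CONFIG_TTL, int(claims["exp"] - now))
    return {"repository": claims["repository"], "run_id": claims.get("run_id"),
            "expires_at": int(now) + ttl}


def constructed_token(claims):
    """Unsigned, constructed token for offline demonstration only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    now = 1_700_000_000
    demo = {"iss": GITHUB_ISSUER, "aud": "reviewrouter", "nbf": now - 5,
            "exp": now + 300, "repository": "acme/widgets",
            "repository_id": "12345", "run_id": "77"}
    print(issue_runtime_config(constructed_token(demo), "reviewrouter",
                               {"12345": "acme/widgets"}, now=now))
```

On the workflow side the token is fetched from ACTIONS_ID_TOKEN_REQUEST_URL with ACTIONS_ID_TOKEN_REQUEST_TOKEN and an audience parameter, which requires the job to declare permissions: id-token: write; the audience the job requests must match expected_aud here, otherwise a token minted for another service could be replayed against this endpoint.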

GitHub App permissions

Permissions are for setup and maintenance, not code execution.

Permission | Why it exists
metadata: read | Discover repository identity and default branch.
actions: read | Read workflow run metadata for live setup and health state.
checks: write | Publish ReviewRouter-owned check runs when direct GitHub check integration is enabled.
contents: write | Create workflow setup branches and commits.
workflows: write | Open PRs that add or update the ReviewRouter workflow.
pull_requests: write | Create setup PRs and read setup PR state.
secrets: read | Verify required GitHub Actions secret metadata after provider setup: name, timestamps, visibility, and selected-repository access. GitHub does not expose decrypted secret values through this API.
organization_secrets: read | Verify org-level selected-repository secret metadata for organization-owned repos. ReviewRouter checks whether the current repository is allowed to use the secret; GitHub does not expose decrypted values.
organization_plan: read | Detect whether organization-level Actions secrets can be used for private repositories, so the setup UI can recommend repository secrets when the GitHub plan does not support org secrets for private repos.
statuses: write | Publish ReviewRouter-owned commit statuses when direct GitHub status integration is enabled.
issues: write | Support setup/help comments and issue-style PR conversations when the SaaS needs to guide maintainers. Review execution still runs from CI.

GitHub's repository and organization secret endpoints return metadata without revealing encrypted values. ReviewRouter uses those metadata checks only for setup verification.
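An added example of the setup-verification check those secrets: read, organization_secrets: read and organization_plan: read permissions exist for; it is not ReviewRouter's code. The response shapes are those of GitHub's REST API (GET /repos/{owner}/{repo}/actions/secrets/{name}, GET /orgs/{org}/actions/secrets/{name} and its .../repositories listing), with the responses themselves constructed below. Two things a practitioner wants here: the decision is made purely from metadata, and the code refuses to continue if a response ever carried value material, since that should never happen.

```python
# Added example of verifying secret availability from metadata only.
# Not ReviewRouter code; response shapes are GitHub's, values are constructed.

FORBIDDEN_KEYS = {"value", "encrypted_value"}


def assert_metadata_only(resp):
    """Defensive check: a secret endpoint response must never carry a value.
    If one ever did, stop and treat it as a bug rather than use it."""
    if resp and FORBIDDEN_KEYS & set(resp):
        raise RuntimeError("secret endpoint returned value material; aborting")


def secret_usable(name, repo_id, repo_private, repo_secret, org_secret,
                  org_selected, org_private_allowed):
    """Return (usable, reason). repo_secret / org_secret are the API
    responses (None on 404); org_selected is the selected-repositories
    listing; org_private_allowed comes from the organization plan check."""
    for resp in (repo_secret, org_secret):
        assert_metadata_only(resp)
    if repo_secret and repo_secret.get("name") == name:
        return True, f"repository secret {name} updated {repo_secret.get('updated_at')}"
    if not org_secret or org_secret.get("name") != name:
        return False, f"{name} is not defined at repository or organization level"
    if repo_private and not org_private_allowed:
        return False, "plan does not allow org secrets on private repos; use a repository secret"
    vis = org_secret.get("visibility")
    if vis == "all":
        return True, "organization secret visible to all repositories"
    if vis == "private":
        if not repo_private:
            return False, "org secret is private-only but this repository is public"
        return True, "organization secret visible to private repositories"
    if vis == "selected":
        ids = {r.get("id") for r in (org_selected or {}).get("repositories", [])}
        if repo_id in ids:
            return True, "organization secret selected for this repository"
        return False, "organization secret exists but this repository is not selected"
    return False, f"unknown visibility {vis!r}"


if __name__ == "__main__":
    # Constructed org-level response and selected-repository listing.
    org = {"name": "CODEX_AUTH_JSON", "visibility": "selected",
           "created_at": "2024-01-01T00:00:00Z", "updated_at": "2024-01-02T00:00:00Z"}
    listing = {"total_count": 1, "repositories": [{"id": 101, "full_name": "acme/widgets"}]}
    print(secret_usable("CODEX_AUTH_JSON", 101, False, None, org, listing, True))
    print(secret_usable("CODEX_AUTH_JSON", 202, False, None, org, listing, True))
```

The repository secret endpoint returns only name, created_at and updated_at; visibility and the selected-repository list exist only on the organization endpoints, which is why the check needs both permissions for organization-owned repositories.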

GitHub App webhooks

Hosted beta requires lifecycle event subscriptions.

The local setup-PR end-to-end test can pass without webhooks, but the hosted SaaS needs these events to keep installations and selected repositories current. The public-beta doctor fails until they are enabled.

Event | Why it exists
installation | Create, suspend, unsuspend, and uninstall lifecycle events for workspace and installation state.
installation_repositories | Repository added/removed events so selected-repository installs stay in sync without manual refresh.
pull_request | Detect when setup PRs are merged and advance repository setup state automatically.
repository | Refresh repository metadata such as rename, archived state, visibility, and default branch.
workflow_job | Track job-level Actions state for runner and review diagnostics.
workflow_run | Track workflow completion metadata for live health/status updates.
check_run | Receive ReviewRouter-owned check run lifecycle events and rerun requests.
issue_comment | Support future slash-command workflows such as rerun or enable review.
status | Track commit status updates when direct status integration is enabled.
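An added example of a receiver for the installation and installation_repositories events in the table above; it is not ReviewRouter's code. The X-Hub-Signature-256, X-GitHub-Event and X-GitHub-Delivery headers, the payload field names and the action values (created, deleted, suspend, unsuspend, added, removed) are GitHub's; the in-memory store standing in for the SaaS database, the webhook secret and the delivery-id dedupe policy are assumptions. Two checks a practitioner expects before any of these events is allowed to change installation state: the HMAC signature is verified over the raw body in constant time before the JSON is parsed, and redelivered events (GitHub retries on timeout) are ignored by delivery id so state is not applied twice.

```python
# Added example of a webhook receiver for installation lifecycle events.
# Not ReviewRouter code. Headers and payload fields are GitHub's; the store
# and the dedupe policy are assumptions; all inputs below are constructed.
import hashlib
import hmac
import json


def sign(secret, body):
    """Value GitHub puts in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    # Constant-time compare on the raw bytes; parse JSON only after this passes.
    return hmac.compare_digest(sign(secret, body), header or "")


class InstallationStore:
    """Stand-in for the SaaS database: installation id -> state."""

    def __init__(self):
        self.installs = {}
        self.seen_deliveries = set()

    def receive(self, secret, headers, body):
        if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
            return 401, "bad signature"
        delivery = headers.get("X-GitHub-Delivery")
        if delivery in self.seen_deliveries:
            return 200, "duplicate delivery ignored"
        self.seen_deliveries.add(delivery)
        event = headers.get("X-GitHub-Event")
        payload = json.loads(body)
        handler = {"installation": self._installation,
                   "installation_repositories": self._installation_repositories}.get(event)
        if handler is None:
            return 204, f"event {event} not handled here"
        return 200, handler(payload)

    def _installation(self, p):
        inst_id = p["installation"]["id"]
        action = p["action"]
        if action == "created":
            self.installs[inst_id] = {
                "account": p["installation"]["account"]["login"],
                "suspended": False,
                "repos": {r["full_name"] for r in p.get("repositories", [])}}
        elif action == "deleted":
            self.installs.pop(inst_id, None)
        elif action in ("suspend", "unsuspend"):
            if inst_id in self.installs:
                self.installs[inst_id]["suspended"] = action == "suspend"
        return f"installation {inst_id}: {action}"

    def _installation_repositories(self, p):
        inst = self.installs.get(p["installation"]["id"])
        if inst is None:
            return "unknown installation; ignoring"  # missed or out-of-order create
        inst["repos"] |= {r["full_name"] for r in p.get("repositories_added", [])}
        inst["repos"] -= {r["full_name"] for r in p.get("repositories_removed", [])}
        return f"repos now {sorted(inst['repos'])}"


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"
    store = InstallationStore()
    body = json.dumps({"action": "created", "installation": {"id": 7, "account": {"login": "acme"}},
                       "repositories": [{"full_name": "acme/widgets"}]}).encode()
    headers = {"X-GitHub-Event": "installation", "X-GitHub-Delivery": "d1",
               "X-Hub-Signature-256": sign(secret, body)}
    print(store.receive(secret, headers, body), store.installs)
```

A suspended installation stays in the store with suspended set, rather than being deleted, so the dashboard can distinguish "suspended by the org" from "uninstalled" and stop dispatching work without losing the selected-repository list.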