Review execution runs inside customer GitHub Actions.
ReviewRouter manages metadata, workflow setup, model settings, health, and audit. Repository checkout, diff analysis, prompts, and model responses stay out of ReviewRouter cloud by default.
ReviewRouter installs, configures, and monitors AI review without becoming the default path for source code, PR diffs, prompts, model responses, or provider credentials.
The helper validates provider auth locally and writes required secrets through gh. Dashboard state only tracks safe setup metadata.
Policy, setup, audit
Customer-owned custody
Called from your runtime
```bash
# Copy the full repo-scoped Codex command from the ReviewRouter dashboard.
# It uses https://reviewrouter.site/install/codex with a short-lived setup nonce and writes REVIEWROUTER_CODEX_AUTH_JSON directly to GitHub Actions secrets.
```
Codex rotating OAuth, Claude Code OAuth, and OpenRouter keys are stored directly in GitHub Actions secrets. ReviewRouter cloud never receives plaintext provider credentials.
The generated workflow avoids automatically exposing secrets to untrusted fork code. Trusted rerun flows should be explicit maintainer actions.
GitHub Actions requests short-lived runtime config through OIDC. Production Codex OAuth rotating runs fail closed if the control plane cannot validate the run.
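The three statements above (credentials held only in Actions secrets, no automatic secret exposure to fork code, OIDC-based runtime config that fails closed) combine into one workflow shape. The following is an added illustrative workflow written for this page; it is not ReviewRouter's generated workflow and not code from the project. The control-plane URL, the OIDC audience value, the `model` field in the returned config, and the `review-runner` binary are all assumptions used to make the example complete.

```yaml
name: ai-review

on:
  pull_request:
    types: [opened, synchronize, reopened]
  # Explicit maintainer rerun: started by a human with write access, never by a
  # fork push, so using repository secrets here is a deliberate trusted action.
  workflow_dispatch:
    inputs:
      pr_number:
        description: "Pull request number to review"
        required: true

# Least privilege for the GITHUB_TOKEN of the whole workflow.
permissions:
  contents: read          # checkout only; the review job never pushes
  pull-requests: write    # post review comments
  id-token: write         # required to mint the OIDC token requested below

jobs:
  review:
    runs-on: ubuntu-latest
    # Fork guard. On pull_request GitHub already withholds repository secrets from
    # fork-originated runs; this condition additionally stops the job from starting,
    # so no step ever attempts to use a secret it cannot have.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so the PR diff is computed locally

      - name: Mint OIDC token and fetch short-lived runtime config
        id: runtime
        env:
          # Hypothetical control-plane endpoint and audience; the real values are not on this page.
          CONTROL_PLANE_URL: https://control-plane.example/runtime-config
          OIDC_AUDIENCE: reviewrouter
        run: |
          set -euo pipefail
          # ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are
          # injected by the runner once id-token: write is granted.
          jwt=$(curl -sSf \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${OIDC_AUDIENCE}" | jq -r '.value')
          # Fail closed: curl -f turns any non-2xx answer (unknown repository,
          # suspended installation, claim mismatch) into a job failure before the
          # model is ever called. The control plane sees only the OIDC claims,
          # never the diff, the prompt, or a provider credential.
          curl -sSf -X POST "${CONTROL_PLANE_URL}" \
            -H "Authorization: Bearer ${jwt}" \
            -o runtime-config.json
          # 'model' is an assumed field name in the hypothetical config payload.
          echo "model=$(jq -r '.model' runtime-config.json)" >> "$GITHUB_OUTPUT"

      - name: Run review inside this job
        env:
          # Provider credential is read from this repository's own Actions secrets
          # and used only here; it is never sent to the control plane.
          REVIEWROUTER_CODEX_AUTH_JSON: ${{ secrets.REVIEWROUTER_CODEX_AUTH_JSON }}
          MODEL: ${{ steps.runtime.outputs.model }}
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_NUMBER: ${{ inputs.pr_number }}
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
            gh pr diff "${PR_NUMBER}" > pr.diff
          else
            git diff "${BASE_SHA}...HEAD" > pr.diff
          fi
          # review-runner is a stand-in for the customer-side runner binary; diff,
          # prompt and model output all stay within this job's runtime.
          ./review-runner --model "${MODEL}" --diff pr.diff
```

Two design points carry the security model. First, the workflow uses `pull_request` rather than `pull_request_target`, so a fork PR never executes with base-repository secrets, and the rerun path is a `workflow_dispatch` a maintainer must trigger by hand. Second, the `workflow_dispatch` job and the `pull_request` job share the same fail-closed step: if the control plane does not accept the OIDC token, no provider call is made, which is what "runs fail closed if the control plane cannot validate the run" means in practice.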
The SaaS configures review. Your runtime performs review.
| Layer | Owned by | Data handled | Custody |
|---|---|---|---|
| ReviewRunner | Customer repository runtime | Repository checkout, PR diff, prompts, model output, provider calls | Customer |
| Provider credentials | GitHub Actions secrets or trusted runner | Codex rotating auth.json, Claude Code OAuth token, OpenRouter key | Customer |
| ReviewRouter SaaS | ReviewRouter control plane | Installation metadata, setup PR state, policy config, audit events, health summaries | ReviewRouter |
Permissions support setup and maintenance, not hosted code execution.
Least-privilege map
| Permission | Class | Why it exists |
|---|---|---|
| metadata: read | Read | Discover repository identity and default branch. |
| actions: read | Read | Read workflow run metadata for live setup and health state. |
| checks: write | Write | Publish ReviewRouter-owned check runs when direct GitHub check integration is enabled. |
| contents: write | Write | Create workflow setup branches and commits. |
| workflows: write | Write | Open PRs that add or update the ReviewRouter workflow. |
| pull_requests: write | Write | Create setup PRs and read setup PR state. |
| secrets: write | Write | Verify required GitHub Actions secret metadata and write encrypted rotating Codex OAuth payloads after OIDC/writeback checks. GitHub does not expose decrypted secret values. |
| organization_secrets: read | Metadata | Verify org-level selected-repository secret metadata for organization-owned repos. ReviewRouter checks whether the current repository is allowed to use the secret. |
| organization_plan: read | Read | Detect whether organization-level Actions secrets can be used for private repositories, so setup can recommend repository secrets when needed. |
| statuses: write | Write | Publish ReviewRouter-owned commit statuses when direct GitHub status integration is enabled. |
| issues: write | Write | Support setup/help comments and issue-style PR conversations. Review execution still runs from customer runtime. |
GitHub repository and organization secret endpoints return metadata only. ReviewRouter uses those checks for setup verification, not decrypted secret access.
Hosted beta needs lifecycle events to keep installations current.
| Event | Why it exists |
|---|---|
| installation | Create, suspend, unsuspend, and uninstall lifecycle events for workspace and installation state. |
| installation_repositories | Repository added/removed events so selected-repository installs stay in sync without manual refresh. |
| pull_request | Detect when setup PRs are merged and advance repository setup state automatically. |
| repository | Refresh repository metadata such as rename, archived state, visibility, and default branch. |
| workflow_job | Track job-level Actions state for runner and review diagnostics. |
| workflow_run | Track workflow completion metadata for live health/status updates. |
| check_run | Receive ReviewRouter-owned check run lifecycle events and rerun requests. |
| issue_comment | Support future slash-command workflows such as rerun or enable review. |
| status | Track commit status updates when direct status integration is enabled. |
ReviewRouter should not claim code goes nowhere. It should claim code skips ReviewRouter cloud by default.