Scoped access
The GitHub App requests only what it needs to scan your repo, branch, open a PR, and read checks. Install is repo-scoped: OLYDI reads the repositories you select, and nothing else.
Security
You'll see exactly what it can access, where your code runs, how we handle secrets, when a human merges, and how long we retain your data. Stage-honest — we don't claim a certification we don't have.
The GitHub App requests only what it needs to scan your repo, branch, open a PR, and read checks. Install is repo-scoped: OLYDI reads the repositories you select, and nothing else.
Your secrets are brokered, scoped, and leased — never dumped into model context. Your work runs inside hosted task sandboxes with locked-down outbound access.
You merge by default. Wider autonomy is a decision you make explicitly, per repo, gated by your branch protection and budget configuration.
Trust center
The trust center names the launch boundary, what access is requested, how secrets are handled, what happens when work fails, and where security reports go.
Launch scope is GitHub-first and repo-scoped. OLYDI needs enough access to read code context, create a branch, open a PR, and read checks. It requests checks:write and security_events:write to post check runs and mirror SARIF. Wider autonomy is an explicit per-repo policy decision.
Secrets are mediated instead of copied into model context. Work runs inside hosted task sandboxes with scoped leases, logged access, and locked-down outbound behavior.
Human merge is the launch default. OLYDI does not claim a certification it does not hold. If a gate, a test, or your CI fails, the artifact shows the failure rather than presenting the change as ready.
The public site documents retention intent, subprocessors, the disclosure contact, security.txt, PGP, and CSP reporting. Findings render rollup-only pre-auth, never raw figures or file paths.
Permissions
Launch scope is GitHub-first. OLYDI reads your code context, creates a branch, opens a PR, and reads checks. It requests checks:write and security_events:write to post check runs and mirror SARIF back to you.
Posture
OLYDI doesn't claim a SOC 2 or FedRAMP certification it doesn't hold. This page tells you our actual posture and what's on the roadmap, so you can evaluate us on fact.
Disclosure
Our trust center names retention, subprocessors, the disclosure contact, security.txt, PGP, and the CSP report endpoint — before you ever get on a call with us. Your findings render rollup-only pre-auth; you never see raw figures or paths there.