Skip to content

safety: introduce a permission-scoped GitHub App identity (replace personal PAT) #7

Description

@lorenzoliuzzo

Part of the fleet milestone (#1 §4).

Gap

Every tool acts under the personal PAT via the gh CLI — mythings/github.py
has no App/token-scoping logic. ARCHITECTURE.md names a permission-scoped
GitHub App as the intended identity model. Today a bug in any tool has the
same blast radius as the human account, and the fleet already runs concurrent
--execute workers against real accounts.

Do

  • Register a MyThingsLab GitHub App with least-privilege scopes (contents,
    PRs, issues; no admin).
  • Give mythings/github.py an App-token path (installation token) behind
    the same Runner seam.
  • Migrate the fleet to the App identity for --execute.

Acceptance

Fleet can open PRs/issues under the App, PAT no longer required for headless runs.
Highest-value once MyCoder makes unattended code-writing real.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-decisionBlocked on a human or architectural decisionsafetyFleet safety / process gap

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions