trust — security

Asking a developer to connect a repo is the biggest ask in the funnel. The answer is architecture.

You will check. Good — so here's exactly how Pushcast handles your code, in plain language. Every claim below is something we can keep because it's built in, not bolted on.

Minimal GitHub access — read-only, never write

The GitHub App requests read-only access to repository contents + metadata and webhook events. No write scope of any kind. You pick the specific repos — never your whole org by default. We mint short-lived, auto-rotating installation tokens on demand and store only the installation id, never a long-lived token.

Your code is read, not stored

Ingestion is stream-and-discard: raw file contents exist only in memory during a scan, then they're gone. What we keep is the Product Brain — structured facts, feature descriptions, and file paths as evidence. Never code bodies. This is an architectural rule, enforced in the Mapper, not a promise on a page.

Secrets are never read

Before any content reaches a model, a hard denylist skips .env files, keys, and credential files, and a gitleaks-style scan redacts anything that looks like a secret. The denylist runs locally in CLI mode and server-side in the app. We log exactly what was skipped so you can verify.
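An added illustration of the skip-then-scrub order described above. It is not Pushcast's code: the denylist patterns, rule names, `prepare_for_model`, and the sample files are assumptions constructed for this example.

```python
import fnmatch
import re

# Assumed patterns for illustration; not Pushcast's actual denylist or rules.
DENYLIST = [".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx",
            "id_rsa", "id_ed25519", "credentials", "credentials.*", ".netrc"]
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Group 1 is the value, so the variable name survives redaction.
    "generic-assignment": re.compile(
        r"(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*"
        r"['\"](?!\[REDACTED:)([^'\"\s]{12,})['\"]", re.I),
}

def is_denied(path):
    """Match on the lower-cased basename so nested copies are caught too."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in DENYLIST)

def scrub(text):
    """Replace secret-looking spans; return (scrubbed_text, rule ids that fired)."""
    hits = []
    for rule_id, rx in SECRET_RULES.items():
        def repl(m, rule_id=rule_id):
            hits.append(rule_id)
            tag = f"[REDACTED:{rule_id}]"
            if not m.re.groups:
                return tag
            whole, off = m.group(0), m.start()
            return whole[:m.start(1) - off] + tag + whole[m.end(1) - off:]
        text = rx.sub(repl, text)
    return text, sorted(set(hits))

def prepare_for_model(paths, read):
    """Denylist check happens before read(), so denied files are never opened."""
    clean, audit = {}, []
    for path in paths:
        if is_denied(path):
            audit.append({"path": path, "action": "skipped", "reason": "denylist"})
            continue
        clean[path], rules = scrub(read(path))
        if rules:
            audit.append({"path": path, "action": "redacted", "rules": rules})
    return clean, audit

# Constructed sample repository (no real credentials).
SAMPLE = {
    ".env": "DATABASE_URL=postgres://user:pw@db/app\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
    "src/billing.py": 'AWS_KEY = "' + "AKIA" + "EXAMPLE0" * 2 + '"\n'
                      'api_key = "constructed-value-0001"\n',
    "README.md": "# Demo\nNothing sensitive here.\n",
}
```

The audit list is the piece a user can verify against: it records paths and rule names only, never the matched value.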

Tenant isolation

Row-level security on every table; all data access is scoped to your org. No other tenant's data ever appears in a model prompt. Future cross-product intelligence uses only anonymized, aggregated performance metrics — never the contents of anyone's Brain.

One-click revoke + true delete

Uninstall the GitHub App or delete a product and your Brain, assets, and webhook data are purged — a real hard-delete, with a confirmation email.

No training on your inputs

All generation runs through model-provider APIs with no-training-on-inputs terms (the Anthropic API qualifies). Your product's data is never used to train a model.

SOC 2

Not yet — and we won't say 'in progress' until it actually is. This page will say so the day that changes.

data flow
your repo → denylist + secret scrub (in memory) → extract structured facts → Product Brain (paths, features — no code) → generation → you approve → publish.
raw code is discarded at the extract boundary. it is never written to disk or sent to a model.