Lucim uses GitHub in two distinct ways.

Repository intake

The GitHub App identifies repositories and resolves immutable revisions for codebase discovery. Signed push webhooks can enqueue stable follow-up scans, and scheduled reconciliation repairs missed events. Repository intake is read-only. It does not prove that Lucim may create issues or other provider-side work.

Provider delivery

GitHub delivery uses a Nango-managed provider grant. After the signed authorization webhook is reconciled, Lucim discovers accessible repositories, validates a selected target, and creates a tenant-owned route. The minimum route permissions are repository metadata read and Issues write for the selected repository. Do not broaden permissions automatically after a scope_required result.

Lifecycle

Do not use a repository-intake installation token for provider delivery, and do not expose a Nango connection ID or provider credential to the browser.