Lucim uses GitHub in two distinct ways.
Repository intake
The GitHub App identifies repositories and resolves immutable revisions for codebase discovery. Signed push webhooks can enqueue stable follow-up scans, and scheduled reconciliation repairs missed events.
Repository intake is read-only. It does not prove that Lucim may create issues or other provider-side work.
Provider delivery
GitHub delivery uses a Nango-managed provider grant. After the signed authorization webhook is reconciled, Lucim discovers accessible repositories, validates a selected target, and creates a tenant-owned route.
The minimum route permissions are repository metadata read and Issues write for the selected repository. Do not broaden permissions automatically after a scope_required result.
Lifecycle
Do not use a repository-intake installation token for provider delivery, and do not expose a Nango connection ID or provider credential to the browser.