{
  "schema_version": 2,
  "kind": "change_consequence_security_review",
  "product": "Busleyden Guard",
  "review_scope": {
    "offers": "Free for public repositories; Guard Pro is $19.90/month for unlimited selected private repositories under one GitHub account.",
    "default_scope": "One selected GitHub repository.",
    "primary_buyers": [
      "engineering platform",
      "application security",
      "release engineering",
      "engineering leadership"
    ]
  },
  "access_model": {
    "runtime": "GitHub Actions inside the customer's repository unless a different runner is explicitly configured.",
    "permissions": [
      "Read pull request metadata, repository contents, changed file paths, workflow outputs, and configured scanner outputs.",
      "Read CODEOWNERS or owner-routing files when present.",
      "Create a reviewable setup pull request and the GitHub Actions workflow after explicit user action.",
      "Create Check Runs, pull request comments, and workflow artifacts when those outputs are enabled.",
      "Call configured external endpoints only for checkout, lead capture, revenue capture, and optional operator ledgers."
    ],
    "least_privilege_expectation": "Install the GitHub App only on selected repositories. The App requests write access needed to create the setup PR, workflow, Check Run, and optional PR comment. Uninstall it at any time."
  },
  "data_processed": [
    "For install-free previews: the submitted public GitHub pull request URL, public changed file paths, public file-level statistics, and bounded public diff snippets.",
    "Repository name and pull request URL, number, title, and author metadata.",
    "Changed file paths and file-level impact summaries.",
    "Mapped tests, missing-test signals, scanner findings, owner routing, policy status, blockers, and explicit unknowns.",
    "Optional reviewer usefulness reactions recorded in the customer repository.",
    "Subscription metadata needed to verify active Guard Pro access for private repositories."
  ],
  "data_stored_by_default": {
    "public_site": "The public sample artifacts contain no customer source code or customer revenue evidence.",
    "customer_repository": "Guard evidence and decision reports should remain in the customer's repository unless the customer configures another sink.",
    "operator_ledgers": "Lead, objection, approval, and revenue ledger entries can be written to private operator GitHub repositories when the corresponding repository and token environment variables are configured.",
    "source_code_storage": "The product should not store customer source code by default. Guard reports may include file paths, test identifiers, owner routes, scanner summaries, policy status, blockers, and unknowns."
  },
  "data_processing_addendum": "/data-processing-addendum.json",
  "secrets_handling": {
    "configuration": "Stripe keys, webhook secrets, GitHub ledger tokens, and optional webhook secrets are supplied as deployment environment variables.",
    "redaction": "Launch manifests and readiness reports list required secret names but must not print secret values.",
    "customer_action": "Customers should install the GitHub App only on selected repositories and uninstall it when they no longer use Guard."
  },
  "network_egress": [
    "GitHub public REST API for the install-free public pull request preview.",
    "Stripe API for checkout session creation and webhook verification.",
    "GitHub Contents API for private lead and revenue ledgers when configured.",
    "Configured operator webhooks for lead, feedback, approval, or revenue handoff when enabled.",
    "Semgrep, OSV, or other scanner network calls according to the customer's selected scanner configuration."
  ],
  "customer_controls": [
    "Run the Guard workflow in a private repository.",
    "Disable optional scanner integrations, with the limitation shown as explicit unknowns.",
    "Keep Guard reports as workflow artifacts instead of PR comments.",
    "Configure or omit operator ledgers.",
    "Request deletion or redaction of operator-controlled subscription metadata.",
    "Remove the GitHub Action, uninstall the App, and cancel the subscription at any time."
  ],
  "limitations": [
    "The install-free public PR preview does not execute code, tests, scanners, or repository-specific policy.",
    "This is not a SOC 2 report, penetration test, legal opinion, or compliance attestation.",
    "Guard does not prove that all AI-generated code is safe.",
    "Scanner coverage is bounded by the configured tools and the customer's repository setup.",
    "Human review remains required for merge decisions."
  ],
  "security_review_questions_for_buyers": [
    "Can we run this entirely inside our GitHub Actions environment?",
    "What exact artifacts are stored outside our repository?",
    "Can we disable PR comments and keep evidence as workflow artifacts?",
    "Which tokens are required, and can they be narrowly scoped?",
    "What happens when scanner evidence is missing?"
  ],
  "claim_boundary": "This artifact is a buyer-readable security review summary for Busleyden Guard. It is not an independent security audit, SOC 2 report, legal commitment, or proof that a live customer deployment has passed security review."
}
