Apps that can help manage code without owning everything.
Code Apps are Git-backed extensions for repository, registry, package, and CI workflows. Every install is bound to a target and a reviewed set of SpiceDB permissions.
Install targets
Apps can be scoped narrowly. A release automation app can target one repo; a package policy app can target one registry namespace.
- User account
- Organization
- Repository
- Registry namespace
- Package
Permission review
App manifests declare requested resources, actions, and reasons. Installs store only approved grants, and runtime calls are checked against the installation token.
[[app.permissions]]
resource = "repository"
actions = ["read", "create_pr"]
reason = "Open remediation pull requests." Lifecycle
Publish
App source, manifest, docs, and release tags live in Git.
Install
Users review the exact permissions requested by a specific app version.
Run
App events and manual actions run as Airflow DAGs with scoped tokens.
Upgrade
Permission changes are diffed before a newer version can take effect.
Uninstall
Cuitty revokes grants, disables schedules, and keeps the audit trail.