NightSteward Security & Trust

Built for production apps.
Control stays with you.

NightSteward only accesses what it needs, when it needs it. Here's exactly what permissions we request, how fixes are reviewed before deployment, and what we do if something goes wrong.

Last updated: March 2026

Permissions model GitHub OAuth scope Autonomy levels Rollback & failure handling Data handling
01 · Permissions

What NightSteward can access, by tier

Free tier access is strictly external — NightSteward pings your app's URL and observes public behaviour. Nothing inside your codebase, infrastructure, or credentials is ever touched until you explicitly grant access via OAuth.

Permission Free (URL only) Pro (GitHub connected)
HTTP monitoring (uptime, latency, status codes) ✓ Yes ✓ Yes
Frontend failure detection ✓ Yes
External checks only — no browser automation on your server
 ✓ Yes
Read your source code ✗ No access ✓ Via GitHub OAuth
Read access to repos you grant, nothing else
Propose code changes ✗ No ✓ Via GitHub PRs
Changes appear as pull requests — you review before merge
Deploy to your hosting provider ✗ No ✓ Only after your explicit approval
Default: every fix requires approval. See autonomy levels below.
Read your database ✗ No ✗ No — never
NightSteward never requests database credentials
Access your users' data ✗ No ✗ No — never
NightSteward reads code, not application data
Access payment credentials or secrets ✗ No ✗ No — never
We explicitly skip .env files in all code reads
Revoke access N/A ✓ Anytime, instantly
Revoke GitHub OAuth from GitHub settings — takes immediate effect
02 · GitHub OAuth

Exactly what we request from GitHub, and why

When you connect GitHub, NightSteward requests a specific set of scopes. We've chosen the minimum permissions needed to do the job. Here's every scope, what it enables, and why we need it.

GitHub OAuth App · NightSteward
Scopes requested during Pro connection
  • repo (contents) Read Read source code to diagnose issues. We read files relevant to the error — not your entire repo history or all branches.
  • repo (contents) Write Create branches and commit fixes. Only triggered after your explicit approval. Writes only to NightSteward-created branches — never directly to main.
  • pull_requests Write Open pull requests with proposed fixes so you can review and merge. This is how all code changes are delivered — never silent commits.
  • metadata Read Required by GitHub for all OAuth apps. Lets NightSteward see repo names and basic info.
  • user email Read Used to link your GitHub account to your NightSteward account. We store this — nothing else from your GitHub profile.
  • admin (webhooks, keys, etc) Not requested We never request admin access. NightSteward cannot delete repos, manage org settings, or access other users in your org.
03 · Autonomy levels

You control how much NightSteward acts on its own

NightSteward defaults to the most conservative mode — every fix requires your explicit approval before anything is deployed. You can increase autonomy as you build confidence in the system. You can change this setting at any time in your app's settings.

Review all fixes
Default
No autonomy

NightSteward diagnoses every issue and proposes a fix with a full diff preview. Nothing is deployed until you explicitly approve it in the dashboard. Ideal when you're evaluating NightSteward or working on sensitive code.

You review and approve every pull request before merge NightSteward never merges or deploys autonomously You can reject or edit any proposed fix
Auto-fix low-risk
Limited autonomy

NightSteward automatically applies fixes it classifies as low-risk (dependency updates, config typos, single-line logic corrections) without requiring your approval. High-risk fixes (schema changes, auth code, payment flows) always require review.

Applies typo fixes, missing null checks, log improvements automatically Holds for approval: anything touching auth, payments, or data models You receive a daily summary of what was auto-applied
Full autopilot
High autonomy

NightSteward operates fully autonomously — detecting, diagnosing, fixing, and deploying without manual approval. A rollback snapshot is always taken before any deployment. You're notified of everything but don't need to act on it. Recommended only once you're comfortable with NightSteward's judgment on your codebase.

All fixes auto-deploy after internal confidence check Automatic rollback triggers if any check degrades post-deploy Full activity log available; you can revert any change manually at any time
04 · Rollback & failure handling

What happens if a fix makes things worse

Before deploying any fix, NightSteward takes a rollback snapshot. If a post-deploy health check fails — or if you manually flag an issue — the rollback is triggered immediately. Here's the exact sequence.

1
Pre-deploy snapshot
Before applying any change, NightSteward records the current commit hash, branch state, and a baseline health reading (response times, error rates, uptime status). This snapshot is stored for 30 days.
2
Post-deploy health check
After the fix deploys, NightSteward immediately runs health checks against the same endpoints it monitored before. It checks for: error rate increase, latency regression (>20% degradation), new 5xx responses, or frontend failures that weren't present before.
3
Automatic rollback if checks fail
If any post-deploy check fails within 10 minutes of deployment, NightSteward automatically reverts to the snapshot commit. A revert PR is opened and you're notified with full context about what triggered the rollback and what the health degradation looked like.
4
Manual revert available always
Even if automated checks pass, you can trigger a manual rollback from the NightSteward dashboard at any time within 30 days. The revert creates a new PR — it never force-pushes to any branch.
5
Post-incident report
After any rollback (automatic or manual), NightSteward generates a post-incident report: what was changed, what failed, why it was reverted, and what a better fix might look like. Available in your dashboard and via email.
05 · Data handling

What NightSteward reads, stores, and never touches

Straightforward answers to the questions that matter for a tool that has access to your production code.

📥

What we read

Source code files relevant to diagnosed errors (we don't read your entire repo). HTTP response data from monitoring checks (status codes, headers, timing). App URL and basic metadata you provide. Error logs you explicitly share with us.

💾

What we store

Monitoring history: uptime, response times, incident records. Fix proposals and their outcomes. Your account credentials (email, encrypted tokens). GitHub OAuth token — encrypted at rest using AES-256-GCM.

🚫

What we never access

Your database or any application data. Your users' personal information. Your .env files or secret keys (we explicitly skip these). Payment processor credentials or banking information. Any repo or branch you haven't granted access to.

🗑

Data deletion

Delete your account and all data is removed within 7 days. Revoke GitHub OAuth and we lose code access immediately — no residual copies of your code are retained after revocation.

AI model usage: When you're on a Pro tier, NightSteward uses an AI model to diagnose issues and generate fix proposals. On BYOK (Pro · $19/mo), your own OpenAI or Anthropic API key is used — NightSteward never sees your key, it's stored encrypted and used server-side on your behalf. On Pro Included ($49/mo), we use Anthropic's Claude model via our account. Code snippets sent for diagnosis are not used to train models and are not stored beyond the session.

Start with URL-only monitoring. No strings attached.

Free tier requires nothing but your app's URL. Upgrade when NightSteward proves its value — not before.

Start free →