Code

App Permissions

How Cuitty Code Apps request, receive, and use granular permissions.

Cuitty Code Apps use least-privilege grants. The app manifest declares requested resources, actions, and reasons. The installer approves those permissions for a specific target.

At runtime, the app uses an installation token. Cuitty maps that token to the installation and checks the requested operation against SpiceDB before doing any work.

Upgrade behavior

When a new app version asks for more access, Cuitty shows a permission diff before upgrade. Existing installs do not silently receive new privileges.

Denied operations

If an app installed to one repository tries to publish a package or change an organization registry policy, the request is denied unless that grant was explicitly approved for the install.