Code
App Permissions
How Cuitty Code Apps request, receive, and use granular permissions.
Cuitty Code Apps use least-privilege grants. The app manifest declares requested resources, actions, and reasons. The installer approves those permissions for a specific target.
At runtime, the app uses an installation token. Cuitty maps that token to the installation and checks the requested operation against SpiceDB before doing any work.
Upgrade behavior
When a new app version asks for more access, Cuitty shows a permission diff before upgrade. Existing installs do not silently receive new privileges.
Denied operations
If an app installed to one repository tries to publish a package or change an organization registry policy, the request is denied unless that grant was explicitly approved for the install.