
Security

Effective March 18, 2026. Last updated April 22, 2026.

This page is a plain-language summary of Commentary’s current security posture. It is not a promise of formal certification, audit status, or a guarantee that incidents will never occur.

For a shorter adoption overview, see the public Security page.

Authentication and access control

Commentary uses provider-native authorization as the default sign-in path, including GitHub App user authorization and Microsoft Entra authentication for Azure DevOps. Commentary also supports personal access tokens where workflow requirements make that necessary.

Authenticated actions, such as commenting, replies, and private repository access, depend on the connected provider identity and repository access available to the user. Interactive review actions continue to run as that connected provider user.

GitHub remains the source of truth for GitHub repositories, pull requests, branches, and provider-side review submission. Public GitHub PRs can be viewed read-only where provider access and rate limits allow it. Private repository content requires authenticated provider access.

Review privacy boundaries

PR-backed review threads are app-native records in Commentary and stage locally as provider-pending until a reviewer submits the GitHub review event.

Draft Review Sessions are private Commentary review surfaces for Markdown or HTML that is not yet ready for Git. Draft content is not submitted to GitHub by default.

Live Preview Reviews require an app owner to opt in by installing and configuring the Commentary review SDK. Commentary does not use Live Preview Reviews to scrape arbitrary websites.

API tokens and automation

Commentary developer tokens are intended for review automation against Commentary APIs, OpenAPI routes, and MCP review tools. Provider-backed actions still depend on the connected provider identity and repository access available to the user.

Personal access tokens remain an advanced provider access path where OAuth or GitHub App authorization is not enough for a workflow.

Application protections

Commentary applies baseline browser and transport protections including a Content Security Policy, frame restrictions, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, referrer controls, and HSTS on secure requests.

Write-heavy routes such as auth callbacks, PAT validation, review-thread mutation, refresh, review submission, and webhook ingestion are rate limited and enforce bounded request-body sizes.

Commentary also maintains privacy-safe request telemetry and operational monitoring intended to detect service failures and abnormal behavior quickly.

Data protection and infrastructure

Commentary uses Azure-backed infrastructure to host and operate the service. Auth tokens and refresh material are stored encrypted at rest using the service encryption key configured by operators.

App-native review state is separated from raw provider state where practical so Commentary can preserve local review history, re-anchor comments after source changes, and stage provider sync safely before submission.

Operational retention

Commentary applies operational retention windows to limit long-lived auth and diagnostic data. OAuth state is retained for 1 day, expired sessions and revoked or expired provider connections for 30 days, webhook deliveries for 30 days, background jobs for 14 days, thread sync events for 90 days, thread anchor events for 180 days, and refresh events for 30 days.

Commentary also supports support-driven repository review-data deletion when a workspace owner needs data removed outside the standard retention schedule.

Deleted Draft Review Sessions are removed from active relational storage and their raw/rendered artifacts are queued for purge from active artifact storage within 24 hours. This active-storage deletion does not overrule Git provider retention, local copies, or platform backup retention windows.

Reporting security concerns

To report a security concern, contact security@commentary.dev and include enough detail for reproduction, impact assessment, and a secure response process.

Commentary also publishes a machine-readable contact record at `/.well-known/security.txt`.
