Security

Security and privacy built into every review.

Commentary gives Markdown, static HTML, Forms, Knowledge Brain, draft, and opted-in preview-app reviews a document-first workspace while keeping repository access, private content, provider sync, and result ownership tied to the systems that own them.

The short version: provider permissions stay authoritative, private content requires authenticated access, Forms results stay permissioned, rich rendering is sandboxed or bridged, public Brain readers hide private review data, and Live Preview Reviews keep target capture bounded.

  • Provider access stays authoritative
  • Forms results stay permissioned
  • Static HTML is sandboxed
  • Bounded preview targets

Current trust boundaries.

These are the product boundaries reviewers and repository owners should understand before adopting Commentary.

Provider authority

GitHub and Azure DevOps remain authoritative for repository content, branches, pull requests, identity, and provider-side submissions.

  • Private content requires connected provider access.
  • Public GitHub PRs can be reviewed without signing in, read-only, subject to GitHub availability and API rate limits.

Thread ownership

App-native threads are the primary review record in Commentary, with provider comments synchronized as representations through explicit workflows.

  • PR-backed threads stage locally as provider_pending before submission.
  • Commenting, replying, refreshes that need private credentials, and provider submission all require authentication.

Static content safety

Draft Review Sessions, Forms, and static HTML previews keep pre-Git or generated content in Commentary review surfaces unless a user deliberately shares, exports, or publishes it.

  • Static HTML preview is sandboxed and blocks active behavior.
  • Drafts are not submitted to a Git provider by default.

Forms result boundaries

Review-hosted Forms keep source ownership and result visibility explicit across PR or branch, draft review, and response-link modes.

  • Authenticated submission is the default; anonymous response links are only used when explicitly configured.
  • Optional git result writeback uses a separate GitHub writeback app and does not change default GitHub App permissions.

Preview app boundary

Live Preview Reviews require customer-owned frameable previews; SDK selector comments use origin-bound messaging and screenshot comments use explicit cropped capture.

  • Commentary does not scrape arbitrary websites.
  • Selector context comes from the SDK; screenshot context is bounded to the chosen review area.

Security detail by workflow.

Grouped details for the review surfaces that most often matter in adoption and procurement conversations.

Rendered repository review

Commentary may render and cache repository content for review, but the repository owner and Git provider remain authoritative for source content, branches, PRs, and provider-side comments.

Private repositories and provider auth

Private GitHub content is not available through anonymous public routes. A signed-in viewer needs provider access through OAuth, GitHub App authorization, Microsoft Entra for Azure DevOps, or a configured personal access token path.

Static HTML Review

Static HTML files render in a sandboxed Preview mode with Raw source nearby. Commentary blocks active behavior such as scripts, event handlers, dangerous URLs, and active embeds so document review does not become arbitrary page execution.
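The blocked behaviors listed above (scripts, event handlers, dangerous URLs, active embeds) are what a parser-based allowlist sanitizer enforces, with the sandbox as a second layer in case the sanitizer misses something. The following is an added example, not Commentary's own code: the tag and attribute allowlists, the accepted URL schemes, the CSP string and the sample document are all assumptions made for illustration. Default-deny is the point: anything not explicitly allowed is dropped, URL attributes are checked after control characters and entities are decoded (so `java&#9;script:` and `javascript&colon;` are caught), and the result is rendered only inside an `iframe` with an empty `sandbox` attribute, which disables scripts and gives the content an opaque origin.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for a document preview (the page does not publish Commentary's real lists).
ALLOWED_TAGS = {
    "p", "br", "hr", "h1", "h2", "h3", "h4", "h5", "h6", "a", "img", "ul", "ol", "li",
    "pre", "code", "blockquote", "strong", "em", "b", "i", "table", "thead", "tbody",
    "tr", "th", "td", "div", "span",
}
VOID_TAGS = {"br", "hr", "img"}
# Dropped together with their content: script/style text must not leak into the page,
# and iframe/object/svg/math can carry active content of their own.
DROP_CONTAINERS = {"script", "style", "iframe", "object", "noscript", "template", "svg", "math"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "colspan", "rowspan"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CTRL = re.compile(r"[\x00-\x20\x7f]")  # browsers skip these while reading a URL scheme


def url_is_safe(value: str) -> bool:
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, vbscript:, ..."""
    try:
        scheme = urlsplit(_CTRL.sub("", value)).scheme.lower()
    except ValueError:  # malformed URL (e.g. a bad IPv6 literal): fail closed
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class PreviewSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags and attributes only; comments, doctype,
    unknown tags and unknown attributes fall through to no-op handlers and vanish."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped on output
        self.out: list[str] = []
        self.open: list[str] = []  # emitted tags not yet closed
        self.drop_depth = 0        # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTAINERS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # a disallowed tag vanishes; its text stays unless inside a dropped container
        rendered = []
        for name, value in attrs:  # html.parser lowercases names and decodes entity-encoded values
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                continue  # event handlers, style=, srcset=, formaction=, ...
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # control-char-padded or entity-encoded javascript: lands here
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            rendered.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTAINERS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open:
            return
        while self.open:  # close back down to the matching tag so nesting stays valid
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(raw: str) -> str:
    p = PreviewSanitizer()
    p.feed(raw)
    p.close()
    while p.open:  # close whatever the input left open
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)


def preview_iframe(raw: str) -> str:
    """Second layer: fully restricted sandbox (no scripts, opaque origin, no forms or
    popups) plus a CSP, so a sanitizer miss still cannot execute anything."""
    doc = ('<meta http-equiv="Content-Security-Policy" content="default-src \'none\'; img-src https:">'
           + sanitize_html(raw))
    return f'<iframe sandbox="" srcdoc="{escape(doc, quote=True)}"></iframe>'


# Constructed sample (not from the page): one instance of each blocked behavior.
SAMPLE = (
    '<h1 onclick="alert(1)">Spec</h1><script>steal(document.cookie)</script>'
    '<p>See <a href="JAVA\tSCRIPT:alert(1)">this</a> and <a href="https://example.com/doc">that</a>.</p>'
    '<iframe src="https://evil.example/"><b>hidden</b></iframe>'
    '<img src="data:text/html;base64,PHNjcmlwdD4=" alt="logo">'
    '<form action="/x"><b>kept text</b></form>'
)
```

Running `sanitize_html(SAMPLE)` keeps the heading, paragraph, safe link, image and bold text, and drops the handler, the script and its body, the iframe and its body, the `javascript:` and `data:` URLs, and the form element. Two practitioner checks worth keeping: never sanitize with regular expressions over the raw markup (the tab in `JAVA<TAB>SCRIPT:` and the `&colon;` entity both defeat pattern matching that runs before decoding), and never add `allow-scripts` or `allow-same-origin` to the preview sandbox, since either one turns a sanitizer miss back into code running with the reviewer's session.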

Knowledge Brain readers

Public Brain readers expose read-only public repository or snapshot content and keep repository ownership visible. App-native review comments and private review data are not rendered in public reader pages.

Draft review privacy

Draft Review Sessions are Commentary review surfaces for Markdown or HTML that is not ready for Git. Draft content is not submitted to a Git provider by default, and deleted sessions are removed from active storage under the retention policy.

Commentary Forms

Review-hosted Forms use authenticated submissions by default. Anonymous response links only omit submitter identity when explicitly configured. PR and branch result listings rely on trusted source access, draft results default to the draft owner, and response-link results belong to the response-link owner. Custom renderers are sandboxed or submit through bounded bridge messages rather than running arbitrary repository JavaScript in the first-party app DOM.

Forms git result sync

Canonical Forms result files and writeback actions are optional, explicit workflows. GitHub writeback uses a separately configured write-capable app; the default GitHub App permissions for review content do not become broad repository write permissions.

Live Preview Reviews

Live Preview Reviews use the installed Commentary SDK and review session setup. Commentary accepts origin-bound review messages from opted-in apps and does not scrape arbitrary production sites for UI targets or collect page context without app-owner opt-in.
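Origin-bound messaging, as described here for the SDK, comes down to the receiver accepting a message only when its sender origin equals the origin the app owner registered at opt-in, and then only a message whose shape it expects. The following is an added example and not Commentary's SDK or server code; the session record, the message types, the field names and the fixture origins are assumptions. It writes the acceptance check in plain Python so the origin normalization and the rejection cases can be exercised offline; in a browser the same logic sits in the `message` event listener and compares `event.origin`.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
# Assumed bridge vocabulary; the SDK's real message types are not on the page.
MESSAGE_TYPES = {"selector_comment", "screenshot_comment"}


def normalize_origin(origin) -> Optional[str]:
    """Canonical 'scheme://host[:port]' for a web origin, or None when the value is
    not something a review session may ever be bound to."""
    if not isinstance(origin, str) or origin in ("null", "*"):
        return None  # opaque origins (sandboxed frames, file://) and wildcards never match
    try:
        p = urlsplit(origin)
        port = p.port  # raises for a non-numeric or out-of-range port
    except ValueError:
        return None
    if (p.scheme not in DEFAULT_PORTS or not p.hostname or p.path not in ("", "/")
            or p.query or p.fragment or p.username is not None):
        return None  # an origin carries no path, query, fragment or credentials
    host = f"[{p.hostname}]" if ":" in p.hostname else p.hostname  # .hostname is lowercased
    if port is None or port == DEFAULT_PORTS[p.scheme]:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


@dataclass(frozen=True)
class ReviewSession:
    session_id: str
    app_origin: str  # registered by the app owner at opt-in, stored normalized


def accept_bridge_message(session: ReviewSession, event_origin, data) -> Optional[dict]:
    """Receiver-side check. Returns the accepted message, or None, in which case the
    message is dropped without any reply to the sender. The origin comparison is exact
    string equality after normalization: no startswith/endswith, no regex."""
    origin = normalize_origin(event_origin)
    if origin is None or origin != session.app_origin:
        return None
    if not isinstance(data, dict) or data.get("session_id") != session.session_id:
        return None
    kind = data.get("type")
    if kind not in MESSAGE_TYPES:
        return None  # never dispatch on a sender-controlled name outside the allowlist
    if kind == "selector_comment" and not isinstance(data.get("selector"), str):
        return None
    if kind == "screenshot_comment" and not isinstance(data.get("crop"), dict):
        return None
    return {"origin": origin, "type": kind, "session_id": session.session_id,
            "body": {k: data[k] for k in ("selector", "crop", "text") if k in data}}


# Constructed fixtures (not from the page).
SESSION = ReviewSession(session_id="rs-1", app_origin="https://app.example.com")
GOOD_MESSAGE = {"type": "selector_comment", "session_id": "rs-1",
                "selector": "#checkout-button", "text": "Label is truncated"}
```

Two caveats a reviewer of such a bridge should check. On the sending side, the SDK has to pass the receiver's real origin as the `targetOrigin` argument of `postMessage`, never `"*"`, or a frame that has since been navigated elsewhere can read the message. And this exact-match check rejects a sender whose origin is the string `"null"` by design: a sandboxed iframe without `allow-same-origin`, which is how a sandboxed custom Forms renderer would run, has an opaque origin, so a bridge for that case has to be keyed on frame identity (`event.source` being the renderer frame's `contentWindow`) rather than on origin.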

API tokens and scopes

Commentary developer tokens are intended for review automation against Commentary APIs, OpenAPI routes, and MCP review tools. Provider-backed actions still depend on connected-provider permissions.

Data handling and procurement

Commentary caches the review data needed to render documents, preserve app-native threads, and re-anchor feedback through source changes. Usage telemetry stays privacy-safe: no raw provider identity, no raw repository URL, and no second raw PostgreSQL usage sink. Privacy, subprocessor, retention, and enterprise support details are linked for procurement review.

Evaluate Commentary against your review boundary.

Start with a public PR, read the docs, or contact us when a security or access question is blocking adoption.