1. What Slop Stopper does
Slop Stopper is a GitHub App that analyzes pull requests, generates deterministic heuristic review feedback, and posts concise comments inside GitHub PRs.
The product exists to provide operational code-review signal. It is not a general-purpose analytics platform, customer tracking system, or security scanner.
2. Data Handling & Telemetry Policy
Processing Model
Slop Stopper uses a transient processing model. All repository diffs and file patches are fetched, analyzed, and scored entirely in memory during webhook execution. They are never committed to persistent storage and are discarded immediately after analysis is complete.
Transient Data Accessed (Never Stored)
| Data Type | Source | Purpose | Retained? |
|---|---|---|---|
| PR diff patches | pulls.listFiles API | Analyzed by heuristic engine to count additions/deletions | ❌ Discarded |
| File contents/patches | GitHub API response | Pattern matching for code quality & smell detection | ❌ Discarded |
| Webhook payload | GitHub Event delivery | Extract pull request number, commit SHA, and repository details | ❌ Discarded |
Persistent Data Stored (Operational Telemetry)
We persist only structured operational metadata to run the service, verify performance, and prevent duplicate reviews:
| Table | Data Stored | Operational Purpose | Retention |
|---|---|---|---|
| github_installations | Installation ID, account login, account type, selection status | Authenticate active repositories and respect uninstalls | Until uninstall / request |
| pr_reviews | Repository full name, PR number, commit SHA, author, score, risk severity | Score distribution tracking and preventing duplicate analysis runs | Until request |
| review_findings | Finding key, finding title, severity, file path | Tracking frequency of common code quality issues | Until request |
| system_events | Event type, status, duration, error messages | Performance checking, debugging rate limits, and failure auditing | 90 days (auto-purge) |
Data We Never Collect or Store
| Exclusions | Security / Privacy Assurance |
|---|---|
| Full Repositories | We never clone, fetch, or host repository source archives. |
| Raw PR diffs / patches | Only loaded in ephemeral server memory and deleted immediately post-analysis. |
| Credentials / Tokens | No user tokens are stored. The app relies exclusively on short-lived GitHub App installation tokens. |
| AI / ML Datasets | No code or telemetry is shared with AI providers (OpenAI, Anthropic, Google) or used for model training. |
AI Usage & Model Training Policy
- No repository data or telemetry is shared with third-party AI companies.
- We do not call external LLMs or black-box model inferences during reviews.
- We maintain a strict Zero AI Training policy. Your code never feeds any machine learning models.
- All analysis is generated deterministically by open, auditable rule files written in TypeScript.
3. GitHub App Permissions Justification
To provide review comments without requesting unnecessarily broad access, Slop Stopper adheres to a strict principle of least-privilege.
Requested API Permissions
| Permission | Scope | Strict Justification |
|---|---|---|
| Pull Requests | Read & Write | Read: required to call pulls.listFiles to fetch PR diff files for heuristic analysis. Write: required to call issues.createComment to post review verdicts. |
Webhook Event Subscriptions
| Event | Actions Filtered | Justification |
|---|---|---|
| pull_request | opened, synchronize, reopened | Triggers the analysis engine automatically when a developer submits or updates code. All other events are ignored. |
| installation | created, deleted | Updates installation context in the database, verifying the app only calls APIs where it is actively authorized. |
Permissions We Explicitly Exclude
We never request the following permissions because they exceed our transient, PR-focused scope:
| Excluded Permission | Security Reason |
|---|---|
| Repository Contents | We do not read repository file trees. We only analyze raw files altered within the PR diff scope. |
| Administration & Settings | The app does not modify repository names, settings, branch policies, or organization members. |
| Issues Write | We do not modify, close, or create standard repository issues. PR Comments scope handles all output. |
4. Infrastructure & Third-Party Processors
To maintain high uptime and database durability, Slop Stopper relies on the following cloud services:
- Vercel: Hosts serverless API handlers. Webhook processing and cryptographic signature verification occur in Vercel Edge/Serverless functions.
- Supabase (PostgreSQL): Stores operational telemetry records, system diagnostics, and installation scopes.
- GitHub API: Provides repository webhooks, lists PR files transiently, and displays completed reviews.
No telemetry or metadata is shared with marketing networks, data aggregators, advertising platforms, or any third parties.
5. Security Practices
- All web traffic is encrypted using HTTPS and TLS 1.3 protocols.
- GitHub App access relies entirely on short-lived installation tokens. Private key secrets are safely isolated in server-side environment variables.
- Webhook Signature Verification: every incoming payload must carry an HMAC SHA-256 signature (the X-Hub-Signature-256 header) computed with the shared GITHUB_WEBHOOK_SECRET. The signature is checked with a timing-safe comparison, and unsigned or invalid requests are rejected before any processing, which blocks payload tampering and forged deliveries.
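As an added illustration (not the project's own code), this is how the webhook gate described above looks in TypeScript on Node: the secret is passed in as `secret`, the signature is computed over the raw request body, and the comparison is constant-time. It also applies the pull_request action filter from section 3, so only opened/synchronize/reopened deliveries reach the analysis engine; the HTTP status codes are an assumption.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const SIGNATURE_PREFIX = "sha256=";
// Only these pull_request actions trigger analysis; everything else is ignored.
const HANDLED_ACTIONS = new Set(["opened", "synchronize", "reopened"]);

/** Compute the value GitHub places in X-Hub-Signature-256 for a raw body. */
export function computeSignature(secret: string, rawBody: string): string {
  return SIGNATURE_PREFIX + createHmac("sha256", secret).update(rawBody).digest("hex");
}

/**
 * Verify a delivery. The HMAC must cover the exact raw bytes GitHub sent,
 * never a re-serialised JSON object. Missing, mis-prefixed or wrong-length
 * headers are rejected before the constant-time comparison runs.
 */
export function verifySignature(secret: string, rawBody: string, header: string | undefined): boolean {
  if (!header || !header.startsWith(SIGNATURE_PREFIX)) return false;
  const enc = new TextEncoder();
  const expected = enc.encode(computeSignature(secret, rawBody));
  const received = enc.encode(header);
  // timingSafeEqual throws on length mismatch, so check length first (and treat it as invalid).
  if (expected.length !== received.length) return false;
  return timingSafeEqual(expected, received);
}

/** Decide whether a verified delivery should trigger analysis. */
export function shouldAnalyze(eventName: string, rawBody: string): boolean {
  if (eventName !== "pull_request") return false;
  const payload = JSON.parse(rawBody) as { action?: string };
  return typeof payload.action === "string" && HANDLED_ACTIONS.has(payload.action);
}

/**
 * Handler gate (status codes are an assumption): 401 for unsigned or invalid
 * signatures, 204 for events we ignore, 202 when the analysis engine is queued.
 * The body is only parsed after the signature has been verified.
 */
export function gateDelivery(secret: string, eventName: string, rawBody: string, header: string | undefined): number {
  if (!verifySignature(secret, rawBody, header)) return 401;
  return shouldAnalyze(eventName, rawBody) ? 202 : 204;
}
```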
6. User Controls & Deletion Rights
Uninstall Behavior
Uninstalling the GitHub App instantly revokes all API access. GitHub invalidates the installation tokens immediately and pauses webhook deliveries. No further data processing occurs for that repository.
Data Deletion Request Process
You may request complete erasure of all operational telemetry records associated with your account, organization, or repositories. Upon receiving a request, we will permanently purge all corresponding rows from the review_findings, pr_reviews, and github_installations tables within 30 days.
Please email the operator with your account username or installation details:
zacrgamble@gmail.com
7. Public Alpha Note
Slop Stopper is in active, public alpha. Stored database fields and logging details may adapt as we optimize performance and build out rate-limit handling. Our baseline commitment is to maintain absolute transparency and strictly keep data collection limited to the basic parameters listed above.