
Security Overview

Wololo is built on a no-shared-credentials model. Your code, your keys, your GCP project: we never hold your secrets on our infrastructure.

Core principles

  • You own the keys. Your GitHub App private key lives in your GCP Secret Manager, not ours.
  • Short-lived tokens only. Agents never hold long-lived credentials. All tokens have a 1-hour TTL and are minted fresh on every operation.
  • Explicit repo scope. You choose which repos the App can access during installation — Wololo cannot touch anything outside that scope.
  • Invite-only access. Platform access is gated by a signed invite code. No public sign-up.

Security sections

  • GitHub App model — how Pattern B (per-org App) works and why it's more secure than a shared platform App
  • Invite gate — how invite codes are issued, validated, and consumed
  • Access control — the access_granted guard on all provision routes