GitHub App reference
The Kleio GitHub App's full permission list, the architecture of the integration, and every webhook event we accept are documented in github.com/kleio-build/kleio-github. That repo is the integration itself — open source, MIT — so what you read there is what runs.
Why this lives in another repo
Two reasons:
- Auditability. Anyone evaluating Kleio can read the integration source without an NDA, an account, or a sales call. The README is the contract; the code is the proof.
- Trust separation. The main Kleio app does not hold the GitHub App private key. A dedicated signer service (also in kleio-github) mints scoped, short-lived installation tokens on demand. That boundary is enforced by deployment, not policy.
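What the signer side of that boundary involves, as an added Go example (not code from kleio-github): signing the App JWT with the private key and building a request body that narrows the installation token to specific repositories and permissions. The function names, the App ID, and the repository name are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

var b64 = base64.RawURLEncoding

// AppJWT signs the RS256 JWT a GitHub App uses to authenticate as itself.
// Only the signer process holds key; callers never see it.
func AppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(), // backdated to absorb clock drift
		"exp": now.Add(9 * time.Minute).Unix(),   // GitHub allows at most 10 minutes
	})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}

// ScopedTokenBody builds the body for POST /app/installations/{id}/access_tokens,
// narrowing the token below the installation's full grant.
func ScopedTokenBody(repos []string, perms map[string]string) ([]byte, error) {
	if len(repos) == 0 || len(perms) == 0 {
		return nil, fmt.Errorf("refusing to mint an unscoped token")
	}
	return json.Marshal(map[string]any{"repositories": repos, "permissions": perms})
}

// throwawayKey returns a constructed key for the demo, not a real App key.
func throwawayKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	key, _ := throwawayKey()
	jwt, _ := AppJWT(key, "123456", time.Now()) // "123456" is a placeholder App ID
	body, _ := ScopedTokenBody([]string{"example-repo"}, map[string]string{"contents": "read"})
	fmt.Println(len(jwt) > 0, string(body))
}
```

The main app would receive only the resulting installation token, which GitHub expires after one hour, and never the key or the JWT.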
What you'll find there
- The full permissions table with the why for each scope.
- The webhook events Kleio subscribes to (push, pull_request, installation, installation_repositories).
- The architecture diagram showing the signer / app / GitHub trust boundary.
- The public Go interfaces (WorkspaceLookup, RepoStore, CaptureEmitter) consumers implement.
Install / configuration flow
Covered here in Onboarding › Sign in & GitHub App, Onboarding › Configure, and Onboarding › Import — that's the path most users actually take. The repo README is for the deeper "what does this thing do, and why should I trust it on my repos" question.