> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flashduty.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Apps

> Apps is where you manage authorized external applications in AI SRE. Each application appears as a card — currently GitHub (with room for GitLab and others later). Once authorized, AI SRE can work directly inside your code repositories: read code, investigate changes / commits / PRs, trace a PR, and (when you ask) fix a bug, open a PR, or file an issue. Its main job is to let the cloud sandbox reach your repositories safely.

<Info>
  **Private beta**: AI SRE is currently in private beta. Pro or higher accounts can apply for free beta access through the [AI SRE private beta application form](https://c9xudyniiq.feishu.cn/share/base/form/shrcn0ngCfdoygiaHnAT80BfZiH); after approval, Flashduty will add your account to the whitelist. Features and the UI may change during the beta.
</Info>

## Overview

***

**Apps** is where you manage **authorized external applications**. Each external application appears as a **card** — you authorize it, manage its installations, and enable / disable or revoke it right from its card.

Today there is exactly one app under Apps — **GitHub** (with room to add GitLab and other code-hosting platforms later). Once you authorize GitHub, AI SRE can **work directly inside your code repositories** during a session: understand and explore code, investigate recent changes / commits / PRs, trace a PR from a change ticket, answer questions about a codebase, and — when you ask — fix a bug, open a PR, or file an issue. It all runs through native `gh` / `git`, like an engineer working in a terminal.

## Main Scenario: Letting the Cloud Sandbox Reach Your Repositories

***

AI SRE sessions run in a **Flashduty cloud sandbox** by default. The sandbox is a clean, isolated, ephemeral environment that **carries none of your git credentials** — which is exactly what an App solves. Once you authorize the GitHub App, the agent inside the sandbox can clone your repositories, read diffs, and open PRs, **without you handing it any password or token**; its access is limited to the repositories you granted, with only the least privilege needed to do the work. **This is what the GitHub App is mainly for.**

<Note>
  **BYOC (self-hosted Runner) generally doesn't need it.** A Runner runs on your own machine, which usually **already has `gh` / `git` credentials configured** (you work with repositories on it every day). In that case the agent just uses the host's own `gh` — **no GitHub App authorization needed**. (If the host happens to have no `gh` configured, authorizing the App lets BYOC sessions use it too.) For the differences between environments, see [Environments (BYOC)](/en/ai-sre/environments).
</Note>

## Where to Find It

***

Go to **Plugins → Apps**. Apps is the **first and default** tab in the Plugins area — opening Plugins lands you here.

<Note>
  Viewing the Apps tab requires the appropriate permission; without it, the tab is hidden. Authorizing, revoking, and enabling / disabling each require their own action permission — when you lack one, the corresponding button is shown disabled.
</Note>

## The GitHub App

***

The following uses **GitHub**, the only app available today, to walk through authorization, installation management, and adjusting repository access.

### Connecting a GitHub Organization

Start the authorization from the GitHub card. The whole install completes in a popup through GitHub's official install page, and the list refreshes automatically after the callback.

<Steps>
  <Step title="Start the authorization">
    Click **Authorize** on the GitHub card (if the App already has an installation, the button reads **Connect another organization**). The frontend opens a popup that loads GitHub's official install page.
  </Step>

  <Step title="Pick the organization and repositories on GitHub">
    Choose the **organization** (or personal account) to install into, and grant a repository scope — **All repositories** or **Only select repositories**. The set of granted repositories determines which repositories AI SRE can access afterward.
  </Step>

  <Step title="Auto-refresh after you confirm">
    After you confirm on GitHub, the popup closes automatically, the Apps page shows **Authorized** and refreshes the installation list, and the new organization appears.
  </Step>
</Steps>

<Note>
  If you are not the owner of the organization, GitHub routes the request to the organization owner through its request-to-install approval flow; the installation activates only after approval. Which organization to install into and which repositories to grant are decided entirely on GitHub's install page — Flashduty does not select on your behalf.
</Note>

### Managing Installations

Each authorized organization adds one installation row under the GitHub card. Each row shows:

| Element           | Description                                                           |
| ----------------- | --------------------------------------------------------------------- |
| Organization name | The GitHub organization / account login the installation lives on     |
| Status dot        | A colored dot plus a label: **Connected**, **Suspended**, **Revoked** |
| Repository count  | The number of repositories currently granted to this installation     |

<AccordionGroup>
  <Accordion title="Enable / Disable (suspend / resume)" icon="toggle-on">
    The toggle in the top-right of the card switches between Enabled and Disabled. **Disable = suspend**: while suspended, the agent can no longer reach those repositories — but the **GitHub installation itself is kept**, so you can re-enable instantly with one click, without going through the GitHub authorization again. An App counts as "enabled" as long as it has at least one **Connected** installation.
  </Accordion>

  <Accordion title="Revoke" icon="trash">
    Click **Revoke** on a row; after you confirm, the installation is set to **Revoked** and AI SRE can no longer access that organization's repositories. A revoked installation is hidden from the card; re-authorizing the same organization restores it.
  </Accordion>
</AccordionGroup>

<Note>
  **Suspend** vs. **Revoke**: suspend turns it off temporarily, keeps the GitHub installation, and resumes with one click; revoke disconnects this authorization and requires going through the GitHub authorization again to use it.
</Note>

### Adding or Adjusting Repository Access

The organization is already connected, but you want AI SRE to reach more of its repositories — you don't need to revoke and reconnect. In **Plugins → Apps**, click **Authorize / Connect another organization** again for that organization (or open the App's **Configure** page on GitHub directly). GitHub shows the **Repository access** screen; select the additional repositories and save, and AI SRE **re-syncs** the granted repository list automatically — the new repositories become available without re-creating the connection.

<Note>
  **Fallback**: if a newly added repository still reports "cannot access / 404 / 403" in a session, open the App's page on GitHub (e.g. `github.com/apps/flashduty`) → **Configure** → select the organization → scroll to the **Danger zone** → **Uninstall**. Then return to **Plugins → Apps** in Flashduty and authorize the organization again, granting **all** the repositories you need in one pass.
</Note>

## How AI SRE Works Inside a Repository

***

After authorization, you need no extra configuration. When you ask AI SRE to work on a task in a repository during a session, it works like an engineer joining the project — understand first, then change, then verify. This behavior is governed by the built-in `github` Skill.

**Typical actions**

* **Enter the repository**: clone it into its own workspace and read the repo's own conventions first (`CLAUDE.md`, `AGENTS.md`, `README`, `CONTRIBUTING`).
* **Investigate changes / PRs**: use `git log`, `gh pr list`, `gh pr view`, `gh pr diff`, `gh search prs` to trace a PR named in an incident or change ticket, see what a release shipped, or read a diff before deciding anything.
* **Change and propose**: create a branch, make a minimal diff, open a reviewable PR with `gh pr create`, or file an issue with `gh issue create`, and report the PR / issue URL back to you.

**Hard guardrails** — the agent never crosses these:

* **Never force-push** (`git push --force`), and **never push the default branch directly** — always a branch + PR.
* **One logical change per PR**, kept reviewable; if a change balloons beyond a focused diff, it stops and hands the analysis back to you.
* Never delete branches, close others' issues / PRs, or change repository settings; never commit secrets, credentials, or build artifacts.

<Note>
  If the agent reports it cannot access a repository in a cloud session, it usually means the account has not authorized the GitHub App, or the target repository was not granted — just authorize and grant it under **Plugins → Apps**. The agent does **not** ask you for any token.
</Note>

## Permissions & Scope

***

GitHub App **authorize** and **revoke** are **account-level** operations. **The account is the only security boundary**; the team here is just an ownership / audit tag: any account member with the corresponding permission can authorize a new organization, revoke any installation, or enable / disable the whole App; when a session needs a repository, it obtains access from **any connected installation in the account**. Members of an account share one authorization — consistent with AI SRE's "usage = account-level, ownership = team tag" model for other resources.

## Related Pages

***

<CardGroup cols={2}>
  <Card title="MCP (External Tools)" icon="plug" href="/en/ai-sre/mcp">
    Connect external tools and data sources via the Model Context Protocol.
  </Card>

  <Card title="Console" icon="comments" href="/en/ai-sre/sessions">
    Watch the agent clone a repo, read a diff, and open a PR during a session.
  </Card>

  <Card title="Environments (BYOC)" icon="server" href="/en/ai-sre/environments">
    BYOC sessions use the runner host's own gh and generally don't need the GitHub App.
  </Card>

  <Card title="Skills" icon="wrench" href="/en/ai-sre/skills">
    The built-in github Skill governs how the agent works inside a repository.
  </Card>
</CardGroup>
