Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pullfrog.com/llms.txt

Use this file to discover all available pages before exploring further.

GitHub is the single source of truth for permissions. You never configure access controls in Pullfrog—it all comes from GitHub.

How it works

All Pullfrog users sign in with GitHub. In the console, users can only see repos and organizations they already have access to. There is no separate user list, invite step, or seat assignment in Pullfrog—the first time a teammate signs in, no extra setup is required. This is structurally enforced by Pullfrog’s backend architecture. Pullfrog does not synchronize data between GitHub and our own servers. The backend is largely stateless. When you sign in, we use a user-scoped token to fetch fresh data directly from the GitHub API and use that data to render the user’s console.

The organization console

Anyone in your GitHub organization can sign into Pullfrog and view the org console at pullfrog.com/console/<org>. They’ll see every repo in the org that they personally have access to on GitHub. Outside collaborators—people who have access to specific repos in the org but aren’t members of it—see a stripped view at pullfrog.com/console/<org> that lists only the repos they collaborate on, with no billing or other org-wide cards. They use the per-repo console for everything else. A handful of cards that govern money are restricted to GitHub org admins (and the account owner, for personal accounts). These cards stay in place for non-admins so navigation and anchor links still resolve, but the body is replaced with a short “ask an admin” message and marked with a small lock icon next to the heading. The underlying API endpoints enforce the same gate server-side, so financial data is never sent to non-admin browsers in the first place. The admin-only cards are:
  • Billing — plan, usage this month, payment methods.
  • Model costs — Pullfrog Router credit balance, auto-reload schedule, provider API keys.
  • Billing history — invoices and credit ledger.

The repo console

Anyone with access to a specific repo on GitHub can view its console at pullfrog.com/console/<org>/<repo>—including outside collaborators who aren’t members of the parent org. What they can do there follows GitHub’s repo permission ladder.

Repo read

Anyone with read access to the repo can:
  • Open the repo console.
  • Trigger runs from the prompt box.
  • View active and historical workflow runs.
A read-only callout replaces the settings panel.

Repo write

Adds the ability to edit most of the repo settings panel:
  • Agent — model selection and per-model BYOK key status.
  • Hooks — setup, post-checkout, and pre-push scripts.
  • Modes, Learnings, Flags.
  • All Automations — Mentions, Review PRs, Enrich Issues, Label Issues, Address reviews, Fix CI failures.
  • Danger zone — disable Pullfrog for this repo (and re-enable it later).

Repo admin

Anything that touches secrets or shell-level access requires repo admin. These cards still appear for write users so navigation and anchors resolve, but the body is replaced with a Lock icon + short “ask an admin” message.
  • Secrets — add and delete repo-level secrets.
  • Security — shell isolation toggle and environment allowlist.

GitHub org admin

A separate axis from repo permissions. A few flows surface differently for org admins versus everyone else, marked with the same lock icon used in the org console:
  • The Learnings card on a free-plan private repo is gated behind billing; admins see an “Enable billing” CTA, non-admins see a short “ask an admin” message in its place.
  • The model selector shows a Pullfrog Router funding hint that points admins at the org billing flow and tells non-admins who to ask.
  • Account-level (org) secrets can only be added or deleted by org admins. Repo admins who aren’t org admins still manage their own repo’s secrets.
Admin status is read live from GitHub: a user is treated as an admin if they have the admin role on the GitHub org (or they own the personal account, for personal installs). Promote or demote them on GitHub and Pullfrog reflects the change on the next request.

What this means for your org

  • Real-time access — When users are added, removed, or have their roles changed on GitHub, Pullfrog reflects this instantly. No permission drift.
  • Scoped visibility — Org members only see repos they have access to on GitHub.
  • Teams — No need to recreate your GitHub team structure.
  • Accurate billing — No stale seats or phantom users.