Protection

Protection port cutover

Operational checklist for moving the Superagent Security GitHub App into landing without user reinstall.

Use this checklist when moving the existing Superagent Security GitHub App traffic from the legacy brin-github service to landing.

Compatibility requirements

  • Reuse the existing production GitHub App credentials as SECURITY_GITHUB_APP_ID, SECURITY_GITHUB_APP_PRIVATE_KEY, and SECURITY_GITHUB_WEBHOOK_SECRET.
  • Keep the webhook path /api/github/webhook on the new host, or proxy the old host/path to the new route during cutover.
  • Keep check names unchanged: Security scan and Contributor trust.
  • Keep labels unchanged: pr:verified, pr:flagged, contributor:verified, and contributor:flagged.
  • Keep comment markers and finding fingerprints unchanged so existing review threads and branch protection rules continue to work.

Cutover steps

  1. Deploy the Supabase migration that creates the protection_* tables.
  2. Configure the SECURITY_* environment variables in the landing deployment.
  3. Import legacy finding dismissals:
     PROTECTION_SQLITE_DB_PATH=/data/brin.db npm run migrate:protection-dismissals
  4. Backfill installations and repositories:
     curl -X POST https://your-app-domain/api/protection/installations/sync \
       -H "Authorization: Bearer $SECURITY_ADMIN_API_TOKEN"
  5. Verify /app/protection/repositories shows the expected installed repositories.
  6. Route a staging repository webhook to /api/github/webhook and compare check runs, labels, and comments with the legacy service.
  7. Update the GitHub App webhook URL, or switch the old endpoint proxy, only after parity is confirmed.
  8. Keep the legacy service available until new PR events, check re-runs, and finding dismissals have been verified in production.
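The parity comparison in the staging step above, as an added example that is not part of the landing or brin-github code. It takes a snapshot of the check runs, labels, and comments each service produced on the same staging pull request and reports drift in exactly the things the compatibility requirements say must not change: the two check names, the four protection labels, and the comment markers with their finding fingerprints. It also builds the X-Hub-Signature-256 header GitHub computes with the webhook secret, so a captured legacy delivery can be replayed against the new route to confirm the reused SECURITY_GITHUB_WEBHOOK_SECRET is accepted. The snapshot shape, the marker string, and the fingerprint values are constructed for this example; in practice the snapshots would be collected from the GitHub REST API for the PR.

```python
import hashlib
import hmac
from typing import List

# Names the checklist requires to stay unchanged across the cutover.
EXPECTED_CHECK_NAMES = {"Security scan", "Contributor trust"}
PROTECTION_LABELS = {"pr:verified", "pr:flagged", "contributor:verified", "contributor:flagged"}


def sign_webhook(secret: str, body: bytes) -> str:
    """Return the X-Hub-Signature-256 value GitHub sends for this body and secret.

    Used to replay a captured legacy delivery against the new /api/github/webhook
    route with the reused SECURITY_GITHUB_WEBHOOK_SECRET."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: str, body: bytes, header: str) -> bool:
    """Constant-time check that a delivery was signed with the expected secret."""
    return hmac.compare_digest(sign_webhook(secret, body), header)


def compare_snapshots(legacy: dict, new: dict) -> List[str]:
    """Return a list of parity problems; an empty list means the new route matches."""
    problems: List[str] = []

    # Check runs: every required check must exist under its original name
    # and reach the same conclusion as the legacy service.
    legacy_checks = {c["name"]: c["conclusion"] for c in legacy["check_runs"]}
    new_checks = {c["name"]: c["conclusion"] for c in new["check_runs"]}
    for name in sorted(EXPECTED_CHECK_NAMES):
        if name not in new_checks:
            problems.append(f"check run missing on new service: {name!r}")
        elif legacy_checks.get(name) != new_checks[name]:
            problems.append(f"check {name!r}: legacy={legacy_checks.get(name)!r} new={new_checks[name]!r}")
    for name in sorted(set(new_checks) - EXPECTED_CHECK_NAMES):
        problems.append(f"unexpected check run name on new service: {name!r}")

    # Labels: only the protection-managed labels are compared; other labels on
    # the PR (team or area labels) are not the port's responsibility.
    legacy_labels = set(legacy["labels"]) & PROTECTION_LABELS
    new_labels = set(new["labels"]) & PROTECTION_LABELS
    if legacy_labels != new_labels:
        problems.append(f"label drift: legacy={sorted(legacy_labels)} new={sorted(new_labels)}")

    # Comments: keyed by marker; the fingerprint set under each marker must match
    # exactly, otherwise the dismissals imported in step 3 will not attach.
    legacy_comments = {c["marker"]: set(c["fingerprints"]) for c in legacy["comments"]}
    new_comments = {c["marker"]: set(c["fingerprints"]) for c in new["comments"]}
    for marker in sorted(legacy_comments.keys() | new_comments.keys()):
        if marker not in new_comments:
            problems.append(f"comment marker missing on new service: {marker!r}")
        elif marker not in legacy_comments:
            problems.append(f"unexpected comment marker on new service: {marker!r}")
        elif legacy_comments[marker] != new_comments[marker]:
            problems.append(
                f"fingerprint drift under {marker!r}: "
                f"legacy-only={sorted(legacy_comments[marker] - new_comments[marker])} "
                f"new-only={sorted(new_comments[marker] - legacy_comments[marker])}")
    return problems


# Constructed snapshots for one staging PR. The marker and fingerprint strings
# are placeholders, not the values the real services emit.
LEGACY_SNAPSHOT = {
    "check_runs": [{"name": "Security scan", "conclusion": "failure"},
                   {"name": "Contributor trust", "conclusion": "success"}],
    "labels": ["pr:flagged", "contributor:verified", "area:auth"],
    "comments": [{"marker": "<!-- protection:findings -->",
                  "fingerprints": ["fp-0001", "fp-0002"]}],
}

# Same protection-relevant output in a different order: parity holds.
NEW_SNAPSHOT_OK = {
    "check_runs": [{"name": "Contributor trust", "conclusion": "success"},
                   {"name": "Security scan", "conclusion": "failure"}],
    "labels": ["contributor:verified", "pr:flagged"],
    "comments": [{"marker": "<!-- protection:findings -->",
                  "fingerprints": ["fp-0002", "fp-0001"]}],
}

# A renamed check and a changed fingerprint: both would break branch
# protection rules and imported dismissals, so the cutover must not proceed.
NEW_SNAPSHOT_DRIFT = {
    "check_runs": [{"name": "Security Scan", "conclusion": "failure"},
                   {"name": "Contributor trust", "conclusion": "success"}],
    "labels": ["pr:flagged", "contributor:verified"],
    "comments": [{"marker": "<!-- protection:findings -->",
                  "fingerprints": ["fp-0001", "fp-0003"]}],
}

if __name__ == "__main__":
    for tag, snap in (("ok", NEW_SNAPSHOT_OK), ("drift", NEW_SNAPSHOT_DRIFT)):
        print(tag, compare_snapshots(LEGACY_SNAPSHOT, snap) or "parity confirmed")
```

Only an empty problem list should unblock the webhook URL change in the next step; the drift snapshot shows the two most likely regressions in a port (a check name that differs by case, and a fingerprint algorithm that no longer matches the legacy one), both of which are invisible in a casual look at the PR.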

Rollback

Point the GitHub App webhook URL or proxy back to the legacy brin-github service. Existing GitHub installations remain valid because the app identity has not changed.