Short list of things you can't do with the CodeRadar managed plane. Self-host as you please — Apache 2.0 doesn't include this list.
If your application captures user content, breadcrumbs, or other PII, you must have the user's permission (or a lawful basis) to send it to CodeRadar. The default beforeSend hook scrubs the obvious things; that doesn't relieve you of your data-protection obligations.
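An example of the kind of scrubbing the page expects you to do on top of the defaults, added here and not taken from the CodeRadar SDK. The hook name `beforeSend`, the event shape (`message`, `user`, `request`, `breadcrumbs`, `extra`), the `user.consent` flag and the sample event are all assumptions modelled on common error-tracking SDKs; adapt them to the SDK you actually ship. The hook drops the event outright when the user has not consented, removes fields that are never useful for debugging, and redacts e-mail addresses, bearer credentials and JWT-shaped blobs from free text.

```javascript
// Added example, not CodeRadar SDK code. Hook name, event shape and field
// names are assumptions; the sample event at the bottom is constructed.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// "Bearer xxx" / "Basic xxx" credentials pasted into messages or URLs.
const CREDENTIAL_RE = /\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/g;
// Anything that looks like a JWT (three base64url segments starting "eyJ").
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

// Keys whose values are always sensitive and never needed to debug a crash.
const DROP_KEYS = new Set([
  'password', 'passwd', 'secret', 'token', 'access_token', 'refresh_token',
  'authorization', 'cookie', 'set-cookie', 'x-api-key', 'ssn', 'card_number',
]);

// Whole subtrees removed by path (assumed event layout).
const DROP_PATHS = new Set(['user.ip_address', 'request.cookies']);

function redactString(s) {
  return s
    .replace(EMAIL_RE, '[email]')
    .replace(CREDENTIAL_RE, '$1 [redacted]')
    .replace(JWT_RE, '[jwt]');
}

// Deep-copy `value`, dropping sensitive keys/paths and redacting strings.
// The caller's original event is never mutated.
function scrub(value, path = '') {
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v, i) => scrub(v, `${path}[${i}]`));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const childPath = path ? `${path}.${k}` : k;
      if (DROP_KEYS.has(k.toLowerCase()) || DROP_PATHS.has(childPath)) continue;
      out[k] = scrub(v, childPath);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// The hook: return the scrubbed event, or null to drop it entirely.
// `user.consent` is an assumed flag your app sets once the user has agreed
// (or you have another lawful basis) to error reporting.
function beforeSend(event) {
  if (!event) return null;
  if (event.user && event.user.consent === false) return null;
  return scrub(event);
}

// Constructed sample event (not real data) showing each rule firing.
const sampleEvent = {
  message: 'Login failed for alice@example.com with Authorization: Bearer abc.def.ghi',
  user: { id: 42, email: 'alice@example.com', ip_address: '203.0.113.7', consent: true },
  request: {
    url: 'https://example.test/login',
    headers: { Authorization: 'Bearer xyz', 'X-Api-Key': 'k-123' },
    cookies: { session: 's-456' },
  },
  breadcrumbs: [{ category: 'console', message: 'token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig' }],
  extra: { password: 'hunter2', attempts: 3 },
};

function scrubbedSample() {
  return beforeSend(sampleEvent);
}

// Usage with an SDK init of the assumed shape: init({ dsn: '...', beforeSend });
```

Note that redaction by regex is a backstop, not a guarantee: it catches what the patterns describe and nothing else, which is why the page says the default hook does not relieve you of your obligations. Prefer not capturing user content at all over scrubbing it afterwards.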
The pipeline is project-scoped. If you find a way to manufacture events that show up in another tenant's project, that is a tenant-isolation failure, not a feature: stop, do not probe other tenants' data further, and report it as a security bug.
The auto-fix pipeline reads source, generates patches, and opens PRs. Using it to attempt prompt injection, exfiltrate model outputs, or train a competing model is out of bounds.
Each project has a quota for normal-shaped traffic. If you want to load-test, ask first; we'll set up a synthetic project on a non-production cluster.
Tokens are scoped to a list of projects and identify a person. Sharing them dilutes the audit trail. Create separate tokens for separate uses.
If your application's stack traces include the literal source of malware, exploit chains, or PII for sale, we'll suspend the project pending review.
To report misuse: [email protected]. To report a security bug: [email protected].