
Orchestration

OctoCheck

Private local CI with a policy gate between GitHub and the workstation.

OctoCheck is a resident GitHub App controller that receives signed GitHub events, verifies repo and PR policy, queues trusted local work, runs CI or agent review lanes on local compute, and reports results back through GitHub Checks.

The OctoCheck dashboard shows active work, queue depth, recent GitHub check runs, selected run metadata, policy lane, and a redacted log tail without exposing mutation controls.

Self-hosted runners and SSH-from-Actions both blur the boundary between GitHub requesting work and a local workstation deciding what is safe to run.

What I built

A local controller plus GitHub App that keeps the trust boundary explicit: GitHub can request work, but the workstation policy decides what actually runs.

The controller supports CI, deploy-style jobs, sandboxed agent review, DeepClean analysis, and narrow guarded fix lanes.

How it works

GitHub sends a signed webhook. OctoCheck verifies the signature and repository policy, checks event, branch, PR, and fork rules, then queues accepted work by lane and resource class.

Runs execute in isolated worktrees or sandboxed workers, publish status back to GitHub Checks, and expose read-only run metadata through the local dashboard.
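A sketch of the webhook gate described in this section, added here as an illustration and not taken from OctoCheck's own code: it checks GitHub's `X-Hub-Signature-256` HMAC over the raw body before parsing anything, then applies repository, event, branch and fork rules and returns a lane. The policy table, repository names, lane names and secret are constructed assumptions; queueing and resource classes are left out.

```python
import hashlib
import hmac
import json

# Hypothetical policy table; repo, branch and lane names are constructed.
POLICY = {
    "example-org/app": {
        "events": {"pull_request"},
        "base_branches": {"main"},
        "lane": "ci",
        "fork_lane": None,  # None means fork PRs never run locally
    },
}

def verify_signature(secret: bytes, body: bytes, header) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against the raw request body."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())

def decide(secret: bytes, event: str, body: bytes, sig_header):
    """Return (accepted, lane_or_reason); the body is parsed only after the HMAC passes."""
    if not verify_signature(secret, body, sig_header):
        return False, "bad-signature"
    payload = json.loads(body)
    repo = payload.get("repository", {}).get("full_name")
    rule = POLICY.get(repo)
    if rule is None:
        return False, "repo-not-allowed"
    if event not in rule["events"]:
        return False, "event-not-allowed"
    pr = payload.get("pull_request", {})
    if pr.get("base", {}).get("ref") not in rule["base_branches"]:
        return False, "branch-not-allowed"
    # A missing or different head repository is treated as a fork (fail closed).
    head_repo = (pr.get("head", {}).get("repo") or {}).get("full_name")
    is_fork = head_repo != repo
    lane = rule["fork_lane"] if is_fork else rule["lane"]
    if lane is None:
        return False, "fork-not-allowed"
    return True, lane

def sample(head_repo: str, secret: bytes = b"constructed-secret"):
    """Build a constructed pull_request delivery and a valid signature for it."""
    body = json.dumps({
        "repository": {"full_name": "example-org/app"},
        "pull_request": {"base": {"ref": "main"},
                         "head": {"repo": {"full_name": head_repo}}},
    }).encode()
    return body, "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
```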

What it proves

The output is GitHub-native feedback backed by private local compute, with one controller enforcing queueing, policy, sandboxing, and auditability.