Repo Settings — per-repo overrides and the danger zone
For: all
Tier: free+
Time: ~4 min
Why you'd do this
Most compliance config sits on the Compliance Profile (account-level). But each repo also has its own knobs: risk classification override (if your AI judgment differs from the scanner's), per-repo role selection (a Provider repo and a Deployer repo on the same account), and the danger zone (unlink, transfer, delete). This page is where those live.
Before you start
- OWNER role on the repo for danger-zone actions; members see read-only
- Awareness that unlinking is reversible (re-attach later) but DELETE is permanent — scan history, evidence, and attestations all gone
Step 1
From the repo overview, click the Settings tab. The page splits into 4-5 cards depending on tier: Repo Identity → Scan Configuration → Role Override → Risk Classification → Danger Zone (owner only).

What you'll see: Repo settings page with cards stacked vertically. The breadcrumb shows Dashboard / <repo>; the Settings tab is highlighted.
Step 2
- Repo name — the human-readable label shown in sidebars and PDFs. Renaming here only changes the dashboard label; the underlying project_id is immutable so existing scans / evidence stay attached.
- Project ID — read-only UUID written to .compliancelintrc during cl_connect. Useful for support tickets and API calls.
- Connected since — first cl_connect timestamp.
Step 3
The Profiling Wizard sets per-repo roles. The Role Override card lets you adjust them WITHOUT re-running the full wizard — useful for one-off changes (e.g. a Provider repo where a single dev is also wearing the Deployer hat for an internal pilot).
Multi-select: Provider / Deployer / Importer / Distributor / Authorised Representative. Saving recalculates the relevant obligation set immediately for the latest scan; older scans keep their original role snapshot for audit.

What you'll see: Same settings page from a member's perspective — the role checkboxes are disabled with an "Owner only" hint.
Step 4
The scanner classifies each repo as prohibited / high-risk / limited-risk / minimal-risk / unknown based on detected imports + Annex III mapping. The Risk Classification card lets you OVERRIDE this if your legal judgment differs.
When override ≠ scanner judgment, a yellow "AI vs. Human risk classification mismatch" banner appears on the repo overview naming both values. The banner clears as soon as the next scan agrees with your override (typical) or you remove the override (rare).
Manual override is sticky across re-scans — the scanner never silently demotes a repo from "high-risk" to "limited-risk" if you've manually classified it as high-risk.
Step 5
Owner-only. Three actions:
- Unlink repo — removes the repo from the dashboard but preserves all data. Re-attaching later via cl_connect restores the same project_id + scan history. Use this when downgrade lock-state forces you to drop one repo to keep others active.
- Transfer ownership — planned, not yet shipped as of 2026-04-29. Will let an owner pass primary ownership to another invited user.
- Delete repo PERMANENTLY — wipes scans, evidence, attestations, audit trail. Two-confirmation modal asks you to type the repo name. Cannot be undone. Use only when the project is genuinely dead AND you've exported the Compliance Time Capsule for record-keeping.
What can go wrong
- I changed the risk classification but the dashboard still shows the old value — The KPI cards on the dashboard read from the LATEST SCAN's classification — manual override applies to NEW scans. Re-run cl_scan + cl_sync to make the override visible on the dashboard. The override IS persisted; it's just not retroactively rewritten into past scan rows (audit invariant).
- I clicked Unlink by accident — how do I get the repo back? — Re-run cl_connect from your IDE inside the same project directory. ComplianceLint matches by project_id (preserved in .compliancelintrc if you didn't delete it; otherwise the dashboard shows orphaned-repo recovery flow). All scan history, evidence, and attestations re-appear automatically.
- Member sees the Settings tab but most fields are disabled — Expected behavior — non-owner members can read all settings but cannot modify role overrides, risk classification, or use the danger zone. Ask the OWNER to change the field, or have them promote you to OWNER (multiple owners are allowed).
Last updated: 2026-04-30