Trust & Security
Nothing leaves Atlassian. Nothing is changed automatically. Every flag has a reason.
Built entirely inside Atlassian
StagBane runs entirely on Atlassian Forge- Atlassian's hosted, sandboxed app runtime for Confluence Cloud. There is no developer-owned server and no external network calls. Your content never leaves Atlassian, not even as analytics.
What it reads- and what it keeps
The daily scan reads page metadata and internal links from the spaces you choose to audit. When a page's version changes, the scanner reads the body once- solely to extract the links on that page- and discards it. Page text is never stored.
What is stored: staleness signals, band placement, and page-to-page link relationships. The relationships between pages, not their content.
No telemetry. No analytics. No PATs.
StagBane records nothing about how you use it. There is no usage tracking, no event pipeline, no analytics SDK. No Personal Access Token is ever required or requested.
Non-destructive by design
StagBane surfaces pages that may need attention. It never archives, deletes, rewrites, or automatically changes page content. The actions available to admins in the queue are:
- Add or remove a
needs-reviewworklist label. - Mark a page Verified Current (records a review date and adds the
verified-currentlabel). - Request Owner Review (posts a templated footer comment, governed by a daily Request Budget so notification storms are structurally impossible).
- Open a one-click Rovo agent audit.
Humans decide and act. The app never acts on your content on its own.
Explainable and deterministic
Every page in the review queue is placed there by an explicit, ordered rule set- the first rule that matches wins. Every row can name that rule and state the reason in one plain sentence. There is no numeric health score, no composite rating, and no black-box ranking. "Why is this page here?" always has a short, literal answer.
The agent reads as you
The Page Health Auditor Rovo agent reads Confluence pages as the user who asked. It can only see pages that user can already open, and it holds no elevated access of its own.
Its surfaces fall into three categories: read-only audits (auditing a page, comparing pages, finding overlapping pages), confirm-to-act actions (taken only on your explicit confirmation, and only what a queue button already does), and admin-only views (like the stale-page list, refused to non-admins before any data is read).
The agent's verdicts are chat-only. They are never written to the database, never written to the review queue, and never stored. Each verdict cites the page version it judged. Agent queries run on Atlassian's own Rovo platform, using your organization's Rovo credits- inside Atlassian, not developer-controlled infrastructure.
Restricted pages: disclosed, not hidden
The daily scan indexes restricted pages, because staleness applies regardless of who can view a page. The admin-only review queue can show a site admin the title, owner, and staleness signals of a restricted page- never its body content.
- The queue is gated to site admins, who already hold latent access to restricted content on their site.
- The Rovo agent applies a stricter rule: it reads as the asking user and cannot surface a restricted page to someone who cannot already open it.
What readers see- and the advisory AI marker
Every audited page carries a reader-facing byline badge, and it is positive-only. Readers see a "Verified" badge only when a human vouched for the page within the review window. Other monitored pages show a neutral "Page health" marker; excluded pages show "Not monitored." Readers never see a page's Band. The badge shows verification recency, not edit recency- a page that is merely Healthy is never labeled "Verified."
A page can also be flagged with an advisory rovo-ignore marker, set from the queue or by an admin's confirmed instruction to the agent. This marker is advisory: StagBane's own agent and its badge honor it. It does not remove a page from native Rovo, because no native per-page exclusion exists- StagBane flags pages for AI governance with an advisory marker, it does not exclude pages from Rovo. Hard exclusion is a native Confluence page-permissions setting, not something StagBane can grant.
What happens when you uninstall
Labels and Review Request comments StagBane applied to your pages belong to those pages. They remain after uninstall and can be removed manually.
StagBane's own stored data- metadata, computed signals, link relationships, and the review-request log- is soft-deleted at uninstall. A 21-day relink window, per Atlassian's current policy, lets a reinstall recover the prior data.
Security certifications
StagBane- the app and its developer- does not hold SOC 2, ISO 27001, or other security certifications. What is accurate: the app runs entirely on Atlassian's platform, which carries Atlassian's own certifications. Customers who require third-party app certifications should factor this into their procurement assessment.
The 10 permissions, each with a reason
Confluence asks you to approve 10 permission scopes at install. Eight are read-only. Two are write scopes, and both are narrow: one writes labels, one writes comments. No scope touches page content, page body text, or anything outside Confluence.
| Scope | Type | Why it's needed |
|---|---|---|
read:confluence-content.summary | Read | Content summaries and metadata used to compute signals and ground the agent's page reads. |
read:page:confluence | Read | Page metadata for every page in your audited spaces; reads the body only to extract links when a page's version changes. |
read:label:confluence | Read | Reads the verified-current, pha-evergreen, and needs-review labels the scan depends on. |
read:space:confluence | Read | Maps a space's key to its id, so link resolution can tell whether a link points inside an audited space. |
read:content-details:confluence | Read | Checks whether a page owner's account is still active, and powers the agent's find-overlapping-pages search. |
read:user:confluence | Read | Confirms the current user's admin status on every request- the gate behind the queue, the agent's confirm-to-act actions, and its admin-only views. |
read:comment:confluence | Read | Reads Review Request reply threads so an owner's "Verified" or "Stale" reply can resolve the request. |
write:label:confluence | Write | Applies or removes the needs-review and verified-current labels- only on an explicit admin click or a confirmed agent action. |
write:comment:confluence | Write | Posts the templated Review Request footer comment- only on an explicit admin click or a confirmed agent action, governed by the Request Budget. |
read:chat:rovo | Read | Required by the Rovo action module so the Page Health Auditor agent can be called from Rovo chat. |
No egress scopes. No external API scopes. No scope that writes page content.
Full data-handling detail lives in the privacy policy. Security questions: support@stagbane.com.
See it before you decide to trust it.
Install from the Atlassian Marketplace and choose which spaces to audit. Nothing else is touched.