
Copilot Audit — Quick Start

monsys.ai Copilot Audit is a separate module from AI observability. It pulls GitHub Copilot Business/Enterprise seat data and the audit log via GitHub’s own admin API, stores usernames hashed, and bundles everything monthly into an Ed25519-signed evidence pack.

Who needs this? Companies that have rolled out Copilot Business or Enterprise to employees and fall under AI Act art. 26 (deployer obligations) or NIS2 art. 21.

1. GitHub PAT with the right scopes

In github.com → Settings → Developer settings → Fine-grained personal access tokens → Generate new token:

  • Resource owner: your GitHub organisation (NOT your personal account)
  • Expiration: 90 days recommended
  • Organisation permissions:
    • Administration: Read-only (for audit log)
    • Members: Read-only (for seat list)
    • Copilot: Read-only if visible (plan-dependent)

Classic PAT alternative: manage_billing:copilot · read:audit_log · read:org scopes.

2. Connect the token in monsys

Dashboard → Copilot Audit → + Connect org

  • Org login: the literal org slug from GitHub (e.g. acme-corp from github.com/acme-corp)
  • PAT: paste — shown once in the UI, then AES-256-GCM encrypted in the DB

Right after “Connect” we do a GET /orgs/{org} probe to verify the PAT works. If it doesn’t:

  • 401 → PAT mistyped or expired
  • 403 → missing scopes (try curl https://api.github.com/orgs/{org} -H "Authorization: Bearer YOUR_PAT")
  • 404 → wrong org name, or you don’t have membership

3. First pull within 1 hour

Our CopilotPullWorker runs hourly. On hub startup or shortly after connecting an org, one extra pull is attempted immediately.

What gets pulled:

  • Seats (/orgs/{org}/copilot/billing/seats): full snapshot. Each pull replaces the previous snapshot for that org.
  • Audit events (/orgs/{org}/audit-log?phrase=action:copilot): cursor pagination since the last pull. Idempotent on github_event_id.

Results show up in:

  • Dashboard → Copilot Audit → SEATS table
  • Dashboard → Copilot Audit → EVENTS table
  • Dashboard → Copilot Audit → KPI strip at the top

4. Monthly evidence pack

On the 1st of each month you can generate a signed evidence pack via the same flow as AI observability:

POST /api/v1/copilot/evidence-packs
{
  "period_start": "2026-04-01T00:00:00Z",
  "period_end": "2026-04-30T23:59:59Z"
}

Produces a tarball with:

pack-N.tar.gz
├── manifest.json — schema_version: 2, module: "copilot"
├── manifest.sig — Ed25519 over manifest.json
├── seats.jsonl — one row per seat snapshot
└── events.jsonl — every audit event in the period

Verify with the same tool as AI observability packs:

python3 tools/evidence-pack-verify.py pack-N.tar.gz \
  --expected-pubkey <your pinned monsys signing key>

5. Pricing

€1 per average seat per month. We snapshot active seats daily into copilot_daily_seats; at month end billing takes the average + ceil.

Example: 30 seats on Jan 1, scaled up to 35 on Jan 15, and stays at 35 for the rest of the month.

  • Avg = (30×14 + 35×17) / 31 ≈ 32.7, rounded up (ceil) to 33 seats
  • January invoice: 33 × €1 = €33

Tenant with no connected org pays nothing.

6. What your employees SEE

Nothing. monsys.ai only talks to GitHub’s admin API; there’s no extension or agent on the developer’s workstation. We hash usernames at storage — if you (HR/compliance) need to look up someone, match the 4-char prefix against your own HR system. We don’t have the mapping.

Next steps