Agree with the above commenter.

We would be happy to try except when it has write/merge permissions .

One click and auto merge are nice to have. Having the bot (and your company) able to deploy any code changes to production (by accident, via hack, etc) is a no go.

Suggest making them optional features and just having code comments/repo read version.

Not sure if it’s possible - but if the permissions could exclude specific branches that would be ok as well.

But needs to be no way a malicious actor could write/merge to main.