
Compliance verified — in the diff.

Every PR. Every push. Every model card. Checked against SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act and 5 more. Inline. Before merge. Sealed in a cryptographic audit trail.

Free on public repos · BYOC for enterprise · 11 framework rule packs out of the box

Overview

Compliance work is reviewed quarterly — code ships daily. We close that gap.

Frameworks were written for spreadsheets, but software ships in seconds. Boards approve a policy; developers merge code; auditors sample evidence; regulators audit the trail — and the four groups exchange artefacts that are weeks or months out of date. Code Constitution™ runs the framework rule packs inline on every pull request, composes safe auto-fix PRs for mechanical violations, and seals every decision in a cryptographic tamper-evident audit trail the auditor can pull by URL. The framework becomes part of the diff, not a sample reviewed three months later.

1 · Status quo
Compliance runs off the side of the codebase.

Boards adopt policies. Auditors sample controls quarterly. Developers ship daily. The artefacts the four groups exchange are screenshots, spreadsheets and emails — produced after the fact, refreshed manually, never reconciled.

2 · The gap
Nothing enforces the policy in the diff.

The code that ships breaks the policy that was approved. No one notices for months. By the time the auditor finds it, the regulator is already asking why. Frameworks (SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, …) are not designed to run inline on every pull request.

3 · How we close it
Inline checks + cryptographic evidence on every PR.

Install the GitHub App. Pick your frameworks. The engine runs on every PR — annotates the diff, composes auto-fix PRs for mechanical violations, and seals a content-addressed evidence pack in an immutable WORM audit chain. Auditors verify by URL. Regulators trace by hash.

By role

Closes the gap between CEOs, developers, CISOs, auditors and regulators — one artefact, five audiences.

Five roles. Five lenses. Today they chase five different artefacts. Code Constitution™ produces one cryptographic evidence pack per PR that all five consume in the shape their job demands. The board-level view is shown below.

What they get today: a quarterly slide deck. You hope it's still true.

With Code Constitution™: a dashboard that's true right now, every PR.

They ask · "Are we compliant — and can we prove it?"
  • Plain-English board view: green / yellow / red per framework
  • One link to send the auditor — no email chains, no scrambling
  • Drift alerts the hour something slips, not three months later
  • Pricing per repo, transparent — no enterprise sales process required
How it compares

CC vs adjacent categories, axis by axis.

Compliance SaaS, code scanners, GRC platforms — each solves part of the problem. Here's where the lines actually run, by category not by vendor.

Columns compared: CC · Compliance SaaS · Scanner · GRC

Axes:
  • Inline on every PR (≤90s) — compliance work that runs in the diff vs quarterly off the side of the codebase
  • On every push, not just PR
  • Quarterly batch / scheduled
  • Self-hostable / on-prem / BYOC
  • Sector-shaped (banking / pharma / health)

Verdict · Only Code Constitution™ runs INLINE on every PR AND with framework-grade compliance. Code scanners run inline but check only for security vulnerabilities (CVEs), not compliance controls.
Only Code Constitution™

Seven things no code scanner, compliance SaaS, or GRC platform does:

  • Framework-grade compliance enforced inline on every PR (not quarterly)
  • Immutable WORM audit trail — auditor + regulator-ready out of the box
  • Cryptographic evidence packs the auditor pulls by URL (no email chain)
  • Banking-grade trust posture: BYOC vault — we never see your cloud tokens
  • Patent-safety + FTC §5 + USPTO trademark gates on every commit
  • EU AI Act / NIST AI RMF model-card evaluator on every HF README push
  • Bring-your-own constitution.yaml — customer rules layered on framework floor

Comparison is by category, not by named vendor. Each column is the archetypal capability set of that category.

Real numbers · sourced from the engine

What ships today

Frameworks shipped
EU AI Act, ISO 42001/27001/27701, GDPR, HIPAA, SOC 1/2, PCI DSS, NIST AI RMF/CSF, DORA, NIS2, CCPA + more

Check families
patent-safety · no-placeholder · trademark-consistency · HF model-card

Industry profiles
Banking, healthcare, manufacturing, SaaS, retail, public sector, energy, defence, more

Audit-trail retention floor
Enterprise tier with R2 Object Lock COMPLIANCE mode (Principle #45)

Governance

Governance for development teams, codebases and GitHub orgs — enforced in the diff.

Boards govern policies. CISOs govern systems. Auditors govern controls. Until now, code, teams and GitHub orgs sat outside that frame — reviewed quarterly, never enforced inline. Code Constitution™ makes the three a first-class governed surface: enforced, maintained, proven, on every commit.

Enforces
Code governance, by construction.

Compliance frameworks, internal policies, sector-specific rules — applied to every commit, every PR, every push. No carve-outs. No 'we'll fix it next sprint'.

  • Framework rule packs as code, version-controlled
  • Customer constitution layered on top
  • Hard guardrails: customer rules can ADD, not weaken
  • Cerbos-shaped exemption registry — auditable
Maintains
Posture stays current automatically.

Rule packs update on regulator amendments. The engine reruns on every PR. Drift surfaces the hour it happens — not at the next quarterly review.

  • Quarterly framework refresh (SOC 2, ISO, etc.)
  • Per-PR re-evaluation against full rule set
  • Inline drift detection on every push
  • Org-rollup posture cards refreshed live
Proves
Every decision has a receipt.

WORM audit chain + cryptographic evidence packs mean every state-changing decision can be replayed from any timestamp. Auditors verify hashes; regulators trace receipts.

  • WORM chain (sha256(prev_hash ‖ event))
  • Content-addressed evidence packs on R2
  • Replay engine reconstructs any prior state
  • Per-row tamper detection
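As an added illustration (not Code Constitution's own code), here is a minimal Python version of the chaining rule quoted above: rows hashed as sha256(prev_hash ‖ event), evidence packs stored by content address, per-row tamper detection and replay of prior state from the log alone. The event fields (pr, status), the genesis sentinel and the JSON canonicalisation are assumptions; the sealed events are constructed sample data.

```python
# Added example, not Code Constitution's code: a hash-linked, append-only audit chain
# implementing sha256(prev_hash || event), with content-addressed evidence packs,
# per-row tamper detection and state replay. Event field names, the genesis sentinel
# and the JSON canonicalisation are assumptions made for illustration.
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first row


def canonical(obj: Dict) -> bytes:
    # Deterministic serialisation: the same event must hash identically on replay.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def content_address(blob: bytes) -> str:
    # Evidence packs live under the hash of their bytes, so a URL names exact content.
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def row_hash(prev_hash: str, event: Dict) -> str:
    # sha256(prev_hash || event): each row commits to the row before it.
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


class WormChain:
    """Append-only log: rows are never rewritten, only appended."""

    def __init__(self) -> None:
        self.rows: List[Dict] = []
        self.store: Dict[str, bytes] = {}  # simulated object store keyed by content address

    def append(self, event: Dict, evidence: Optional[bytes] = None) -> Dict:
        event = dict(event)
        if evidence is not None:
            ref = content_address(evidence)
            self.store[ref] = evidence
            event["evidence_ref"] = ref  # the sealed row now commits to the pack's bytes
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        row = {"seq": len(self.rows), "prev_hash": prev, "event": event,
               "hash": row_hash(prev, event)}
        self.rows.append(row)
        return row

    def verify(self) -> List[int]:
        """Return seq numbers of rows that fail verification; [] means the chain is intact.
        A row fails if its hash does not recompute, it does not link to its predecessor,
        or an evidence pack it references no longer matches its content address."""
        bad: List[int] = []
        prev = GENESIS
        for row in self.rows:
            ok = row["prev_hash"] == prev and row_hash(prev, row["event"]) == row["hash"]
            ref = row["event"].get("evidence_ref")
            if ref is not None and content_address(self.store.get(ref, b"")) != ref:
                ok = False
            if not ok:
                bad.append(row["seq"])
            prev = row["hash"]
        return bad

    def replay(self, upto_seq: int) -> Dict[str, str]:
        """Rebuild per-PR check status as it stood after row `upto_seq`, from the log alone."""
        state: Dict[str, str] = {}
        for row in self.rows[: upto_seq + 1]:
            state[row["event"]["pr"]] = row["event"]["status"]
        return state


def demo() -> Dict[str, object]:
    """Seal three check-run events (constructed sample data), replay, then tamper."""
    chain = WormChain()
    pack = json.dumps({"rule": "patent-safety", "findings": 1}).encode()  # constructed pack
    chain.append({"pr": "142", "status": "fail"}, evidence=pack)
    chain.append({"pr": "143", "status": "pass"})
    chain.append({"pr": "142", "status": "pass"})  # re-run after the fix landed
    result = {"intact": chain.verify(), "after_row_1": chain.replay(1),
              "after_row_2": chain.replay(2)}
    chain.rows[0]["event"]["status"] = "pass"  # rewrite history on a sealed row
    result["tampered_rows"] = chain.verify()  # only row 0 is flagged: per-row detection
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Rewriting a sealed row is caught at that row alone, because every later row stored the original hash; that is what per-row detection buys over checking a single chain-head digest. One caveat a hash chain alone does not cover: truncating the tail of the log leaves a chain that still verifies, so the chain head must also be anchored somewhere the writer cannot rewrite, which is the job the page assigns to R2 Object Lock COMPLIANCE mode.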
Before / after — same PR

One real PR. Two outcomes. The compliance work either lands in the diff or lives in a 47-page audit response two months later. Pick.

With Code Constitution™ · PR #142 · check-run live

+ const banner = "..."
  ↳ patent-safety · FTC §5
+ phone: "+1-555-..."
  ↳ no-placeholder · fake number
+ // TODO: ...
  ↳ unscoped-marker · SOC 2 CC6.1
+ model_card: undefined
  ↳ EU AI Act Art. 13 · transparency

5 findings · evidence pack #abc123 · sealed in WORM chain · auditor URL ready
Compliance lag: 0s · Audit prep: 1 click · Drift undetected: 0

Status quo · PR #142 · merged

+ const banner = "We are SOC 2 certified."
+ phone: "+1-555-CALL-US"
+ // TODO: implement encryption
+ <button>Coming soon</button>
+ model_card: undefined

No verification. Compliance review happens quarterly. Auditor finds these issues in Q3. Cycle repeats.
Compliance lag: 90d · Audit prep: 3 wk · Drift undetected

How it works for you

One engine. Four shapes.

Same checks. Same evidence. Each scope is a different entry point with a different rollup.

One repo. One install. Every PR verified.

Drop the Code Constitution™ app on any repo. The next PR opens a check-run with inline annotations. No infra, no config required.

  • Install: one click at github.com/apps/code-constitution
  • Check-run on every PR within ~10s of the diff opening
  • Up to 50 inline annotations per run, severity-coded
  • Cryptographic evidence pack on R2 — auditor pulls direct
From install to first verified PR: under 90 seconds.

feat: add Murabaha rail to engine
+ const contract = await createMurabaha(...)
+ contract.status = "SOC 2 certified"
  ↳ patent-safety · FTC §5 — unverified attestation claim
✓ 24 checks passed · 1 failure · 0 warn
By sector

One engine. Sector-shaped rule packs.

Same CC engine, same evidence pack — different rule packs apply by sector. Built-in coverage for the regulators you actually face. The banking profile is shown below.

Banking

Cardholder data + PSD2 SCA + DORA — in the diff.

Every payment-touching commit checked against PCI DSS v4.0.1, PSD2 RTS-SCA, and DORA ICT-risk before merge. Quarterly QSA visit becomes a URL handover.

What CC checks for this sector
  • Cardholder-data path encryption checks
  • SCA-bypass exemption tracking
  • ICT-risk operational-resilience gates
  • Cryptographic evidence pack per PR
Production capabilities — today

Nine engines. One product. Zero roadmap.

Every check below ships today. Every check ties to a rule pack and a citation an auditor can reference. Grouped into Checks / Outputs / Trust so you can scan by domain.

What CC scans for on every PR — the deterministic gates that catch the violations before merge.

Patent-safety gate

Detects unsubstantiated 'SOC 2 / ISO 27001 / PCI DSS / GDPR-compliant' claims in marketing + docs + UI. FTC §5 superlative-watch. USPTO §15(1057) trademark-symbol enforcement on first mark occurrence.

FTC §5 · USPTO §15(1057)

No-placeholder gate

Blocks lorem-ipsum, fake phone numbers, unscoped TODOs in production code paths, and 'coming soon' shipping UI. Auditors can't sign off on placeholders.

SOC 2 CC8.1

Trademark consistency

First-occurrence mark detection across marketing, docs, and product copy. Catches USPTO §15(1057) / EUIPO Art. 9 hygiene drift before it weakens the mark.

USPTO · EUIPO Art. 9

Bring your own constitution

Your policies, your rules — enforced the same way.

Drop a YAML file in your repo. Every PR runs your internal policies inline, alongside the built-in framework rule packs. Same engine, same evidence pack, same WORM chain.

.codeconstitution/constitution.yaml · committed to your repo
# Your internal compliance policy, version-controlled
version: 1
constitution:
  name: "Acme Internal Compliance Constitution"
  framework_refs: ["acme-internal-v3", "soc2-extension"]

rules:
  - id: "acme-payments-codeowner"
    severity: fail
    file_glob: "src/payments/**/*.ts"
    must_have_pattern: "@security-team"
    message: "Payments code requires @security-team review"
    citation: "Acme Internal Compliance Policy §3.2"

  - id: "acme-no-direct-db"
    severity: warn
    file_glob: "apps/**/*.tsx"
    # single-quoted so the regex needs no backslash escaping ('' is a literal quote)
    must_not_match_regex: 'import.*from.*[''"]pg[''"]'
    message: "Apps must not import pg directly — use @acme/db"

What you can do

  • Add team-specific rules (CODEOWNERS-style requirements)
  • Add internal-policy rules (architectural guardrails)
  • Add sector-specific rules CC doesn't ship by default
  • Reference your own framework names + clause citations
  • Set severity per rule (fail / warn / info)

Hard guardrails

  • Customer rules cannot REMOVE framework checks — they ADD to the floor
  • Rule eval is deterministic (regex / glob / literal only) — no LLM in production rule eval
  • Every rule emission is audit-emitted to the WORM chain with the constitution version stamped
  • Malformed regex / unknown fields surface as warnings, never silently match
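To make the guardrails above concrete, here is an added Python sketch (not the Code Constitution engine) of a deterministic evaluator for rules in the constitution.yaml shape shown: a framework floor plus customer rules merged so the floor cannot be shadowed, malformed regex and unknown fields surfacing as warnings rather than silently matching, and findings that carry the rule's citation and line. It takes the rules as Python dicts (the structures yaml.safe_load would return for the file) to avoid a PyYAML dependency; the glob semantics, the merge policy, the sample rule packs and the diff contents are assumptions and constructed data.

```python
# Added example, not Code Constitution's engine: a deterministic evaluator for rules in the
# constitution.yaml shape shown above (file_glob, must_have_pattern, must_not_match_regex,
# severity), layered on a framework floor under the guardrails listed. Merge policy, glob
# semantics and the rules-as-dicts form (what yaml.safe_load returns) are assumptions; the
# rule packs and the diff contents are constructed samples.
import re
from typing import Dict, List, Tuple

SEVERITIES = {"info", "warn", "fail"}
KNOWN_FIELDS = {"id", "severity", "file_glob", "must_have_pattern", "must_not_match_regex",
                "message", "citation"}

FLOOR_RULES: List[Dict] = [  # framework floor shipped with the engine (constructed sample)
    {"id": "soc2-no-unscoped-todo", "severity": "fail", "file_glob": "src/**/*.ts",
     "must_not_match_regex": r"//\s*TODO\b(?!\s*\()",  # a TODO with no ticket scope
     "message": "Unscoped TODO in production code path", "citation": "SOC 2 CC8.1"},
]
CUSTOMER_RULES: List[Dict] = [  # one valid addition, then three rules the guardrails reject
    {"id": "acme-payments-codeowner", "severity": "fail", "file_glob": "src/payments/**/*.ts",
     "must_have_pattern": "@security-team", "citation": "Acme Internal Compliance Policy §3.2",
     "message": "Payments code requires @security-team review"},
    {"id": "soc2-no-unscoped-todo", "severity": "info", "file_glob": "src/**/*.ts",
     "must_not_match_regex": "never", "message": "attempt to shadow a floor rule"},
    {"id": "acme-bad-regex", "severity": "warn", "file_glob": "**/*.ts",
     "must_not_match_regex": "(unclosed", "message": "malformed regex"},
    {"id": "acme-typo", "severity": "warn", "file_glob": "**/*.ts", "sevrity": "fail",
     "must_not_match_regex": "lorem ipsum", "message": "misspelled field name"},
]
CHANGED_FILES: Dict[str, str] = {  # constructed contents of the files a PR touches
    "src/payments/charge.ts": "// TODO: implement encryption\nexport const charge = () => 1;\n",
    "src/payments/refund.ts": "// reviewed-by: @security-team\n// TODO(PAY-12): retries\n",
    "docs/README.md": "TODO: out of scope for every glob above\n",
}


def glob_to_regex(glob: str) -> re.Pattern:
    """gitignore-style glob: '**/' spans zero or more directories, '*' stays within a segment."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")


def merge_layers(floor: List[Dict], customer: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Customer rules ADD to the floor; a rule reusing a floor id is refused, so the floor
    can be neither removed nor re-scoped. Returns (rules, warnings)."""
    merged, warnings = {r["id"]: dict(r) for r in floor}, []
    for r in customer:
        if r["id"] in merged:
            warnings.append(f"{r['id']}: floor rule ids are reserved; customer rule ignored")
        else:
            merged[r["id"]] = dict(r)
    return list(merged.values()), warnings


def compile_rules(rules: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Unknown fields, bad severity or a malformed regex produce a warning and the rule is
    skipped: it can neither silently match nor silently pass."""
    compiled, warnings = [], []
    for r in rules:
        unknown = sorted(set(r) - KNOWN_FIELDS)
        try:
            if unknown or r.get("severity") not in SEVERITIES:
                raise ValueError(f"unknown fields {unknown} / severity {r.get('severity')!r}")
            c = dict(r, _glob=glob_to_regex(r["file_glob"]))
            if "must_not_match_regex" in r:
                c["_re"] = re.compile(r["must_not_match_regex"])
        except (KeyError, ValueError, re.error) as exc:
            warnings.append(f"{r['id']}: {exc}; rule skipped")
            continue
        compiled.append(c)
    return compiled, warnings


def evaluate(files: Dict[str, str], rules: List[Dict]) -> List[Dict]:
    """Run every compiled rule over every in-scope file; output order is deterministic."""
    findings: List[Dict] = []

    def hit(r: Dict, path: str, line, detail: str) -> None:
        findings.append({"rule": r["id"], "severity": r["severity"], "file": path,
                         "line": line, "detail": detail, "citation": r.get("citation")})

    for path in sorted(files):
        text = files[path]
        for r in (r for r in rules if r["_glob"].match(path)):
            if "must_have_pattern" in r and r["must_have_pattern"] not in text:
                hit(r, path, None, f"required literal {r['must_have_pattern']!r} missing")
            m = r["_re"].search(text) if "_re" in r else None
            if m:  # 1-based line of the first forbidden match, for the inline annotation
                hit(r, path, text.count("\n", 0, m.start()) + 1, "forbidden pattern matched")
    return findings


def run() -> Dict[str, object]:
    rules, merge_warnings = merge_layers(FLOOR_RULES, CUSTOMER_RULES)
    compiled, compile_warnings = compile_rules(rules)
    return {"findings": evaluate(CHANGED_FILES, compiled),
            "warnings": merge_warnings + compile_warnings}
```

On the constructed diff, run() reports two findings on src/payments/charge.ts (the unscoped TODO at line 1 under SOC 2 CC8.1, and the missing @security-team marker under the Acme policy), none on refund.ts whose TODO carries a ticket, and three warnings: the shadowing attempt, the unclosed regex and the misspelled field. Each warning is a rule that did not run, which is the property the page's last guardrail describes.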
Policy packs · constitution marketplace

Free floor. Paid depth. Marketplace breadth.

Start with the 11-framework free baseline. Layer paid sector packs co-developed with auditors when you need audit-ready depth. Tap the marketplace when you need a niche-domain publisher you trust. Mix any combination with your own internal constitution.

Free baseline

11 framework rule packs out of the box

SOC 2 · ISO 27001 · PCI DSS · GDPR · HIPAA · EU AI Act · NIST AI RMF · DORA · NIS2 · CCPA · ISO 42001. Open. Auditable.

  • Ship with every install — public + private repos
  • Apache-2.0 rule pack definitions (read them, fork them)
  • Pinned versions per framework — no breaking changes mid-cycle
  • Updated quarterly + on-publication of regulator amendments
Always free
Curated paid packs

Sector-specific bundles, audit-ready

Deeper-than-baseline packs co-developed with QSAs, GRC auditors and sector regulators. Audit-quality citations + jurisdiction-shaped.

  • PCI DSS v4.0.1 QSA-ready · 100+ extra rules + SAQ-shaped reports
  • HIPAA Privacy + Security Rule full-coverage + Tech-Safeguards
  • NIS2 (essential-entity) + Annex I sector-overlays
  • FedRAMP Moderate / High tailored — control-by-control coverage
  • 21 CFR Part 11 + EU Annex 11 (pharma e-records + e-sigs)
  • Solvency II ORSA + IFRS 17 (insurance carriers)
Pricing on request · contact sales
Marketplace

Third-party publishers, revenue-shared

Big-4 audit firms, sector consultancies and law firms publish their own packs. Customers buy directly. Publisher keeps the long tail.

  • Publishers: PR a pack manifest → CC review → live on marketplace
  • Publishers earn 70% revenue share (industry-standard split)
  • Customers: install with one click, attach to org or repos
  • Every marketplace pack is signed + versioned + audit-tracked
  • Hard guardrails — packs cannot weaken framework floor
  • Coming Q3 2026 — early-access for launch partners now
Apply as launch publisher

Stack them. Same engine evaluates all three layers.

Free baseline + paid sector packs + your own constitution + marketplace packs from publishers you trust. CC merges them deterministically and emits one evidence pack per check-run.

Free baseline + Paid pack + Marketplace + Your constitution
Audit-prep ROI calculator

Conservative 60% prep-time reduction (lower bound of published SOC 2 benchmarks). Adjust the inputs for your org. No data leaves the page.

Example scenario (default inputs)
  • Audit-prep hours today: 1,600 hrs / yr
  • Audit-prep hours with Code Constitution: 640 hrs / yr
  • Hours saved: 960 hrs / yr
  • ≈ work-days saved: 120 days / yr (8-hour days)
  • ≈ FTE equivalent: 0.48 FTE (2,000-hour year)

Assumptions: conservative 60% prep-time reduction; uniform repo distribution; identical audit scope across audits. Your number will differ — talk to sales for a tailored estimate based on your audit history.
How it works

From install to first verified PR — under 90 seconds.

No infra to host. No new tool to learn. The compliance work happens where the code work already happens.

  1. Install the GitHub App
     One click. Repo or whole org. Read-only by default; write only when you opt into auto-fix PRs.

  2. Pick your frameworks
     Toggle the rule packs you need — 11 ship free, paid sector packs available, marketplace for niche domains.

  3. Engine runs on every PR
     Deterministic checks against your rule packs + your constitution.yaml. Inline annotations within ~90s.

  4. Evidence pack per run
     Cryptographically signed, WORM-sealed evidence pack on R2 — auditor URL-handover, no email chain.

  5. Auto-fix PRs (opt-in)
     Safe-fix whitelist composes fix PRs for mechanical violations. BYO LLM key for non-whitelisted fixes.

Pricing

Free where it should be. Paid where you need depth.

Open-source projects ship for free under Apache-2.0. Private teams pay per developer. Enterprises get BYOC + paid sector packs + a signed SLA.

Open source
Public repos · Apache-2.0
Free
  • 11 framework rule packs
  • Unlimited public repos
  • Inline annotations + check-runs
  • Community support
Install free
Most picked
Team
Private repos · per developer
Contact sales
  • Everything in Open source
  • Private repos, unlimited
  • Evidence packs on R2
  • Per-team CODEOWNERS routing
  • Email support
Start a trial
Enterprise
Org-wide, BYOC, SLA
Custom
  • Everything in Team
  • BYOC + air-gapped deployment
  • Paid sector packs (PCI QSA, HIPAA, NIS2…)
  • Marketplace access
  • SLA + indemnification per signed MSA
Contact sales