Engineer-facing GitHub App

Install Code Constitution

Compliance checks on every PR. Patent-safety, model-card verification, trademark consistency, no-placeholder gates — ship the same engines tier-1 banks evaluate, in your repo.

Install on GitHub

Four steps.

  1. Install the GitHub App

    Click below to authorize Code Constitution on a single repo or your whole organisation. The App requests Contents (read) + Pull requests (write to post checks) + Checks (write). Nothing else.

  2. Open a PR — the check runs automatically

    Once installed, every new PR triggers the Code Constitution check. Findings appear as inline annotations on the affected lines plus a summary check-run with patent-safety, no-placeholder, trademark-consistency, and HF-model-card families.

  3. (Optional) Add the log-mirror reusable workflow

    Reference the Code-Constitution/actions/log-mirror reusable workflow from a workflow file in your repo's workflows directory. Cloud + CI logs mirror to your own `logs` branch — your secrets stay in your GitHub Secrets, never on our side.

  4. Open your dashboard

    Visit codeconstitution.com/dashboard/<org>/<repo> any time. The dashboard reads your logs branch read-only via the App's installation token (auto-rotated every hour). We never persist your tokens.

Banking-tier guarantees, by default.

The same security model tier-1 banks expect from Snyk / Drata / Vanta — codified into the install flow.

Zero credential storage

Your HuggingFace / Cloudflare / AWS / GCP / Azure tokens stay in YOUR GitHub Secrets. The reusable workflow runs in YOUR runner. We never see them.

OIDC-only service auth

No long-lived shared secrets between your CI and our app. Short-lived (5-min) OIDC tokens minted by GitHub, verified against GitHub JWKS.

Deterministic by construction

Every check is a pure function over the file content. No LLM in the check-execution path. Zero non-deterministic outcomes.

WORM audit-trail

Every state-changing decision is chain-hashed (`sha256(prev_hash || event)`). The replay engine reconstructs any audited state from the chain at any timestamp.
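The chain-hash and replay mechanism above, shown as an added example (not Code Constitution's own code): each link's hash is `sha256(prev_hash || event)`, `verify` locates the first link that no longer recomputes, and `replay` folds the exemption events (of the kind the exemptions FAQ below describes) into the state as it stood at a given timestamp. The genesis anchor, the canonical JSON serialisation, the hex-string concatenation, and the event field names are assumptions for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first link; the real value is not on the page


def canonical(event: dict) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, event: dict) -> str:
    # sha256(prev_hash || event): previous hex digest concatenated with the canonical event.
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def append(chain: list, event: dict) -> dict:
    # Each new link commits to every link before it.
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": event, "hash": link_hash(prev, event)}
    chain.append(entry)
    return entry


def verify(chain: list) -> int:
    # Index of the first link whose hash no longer recomputes, or -1 if the chain is intact.
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != link_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1


def replay(chain: list, at_ts: int) -> dict:
    # Rebuild the exemption set as it stood at at_ts by folding verified events in order.
    if verify(chain) != -1:
        raise ValueError("audit chain fails verification; refusing to replay")
    state = {}
    for entry in chain:
        ev = entry["event"]
        if ev["ts"] > at_ts:  # assumes events were appended in timestamp order
            break
        key = (ev["rule"], ev["path"])
        if ev["type"] == "exempt":
            state[key] = ev["justification"]
        elif ev["type"] == "revoke":
            state.pop(key, None)
    return state
```

Editing any earlier event (or its hash) makes every later link fail to recompute, which is why `replay` refuses to run over a chain that does not verify.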

Common questions

What does the check actually evaluate?
Three families today: patent-safety (catches unsubstantiated SOC 2 / ISO 27001 / PCI DSS claims), no-placeholder (catches shipped 'coming soon' UI), trademark-consistency (catches missing trademark symbols on first occurrence). Plus HuggingFace model-card evaluation against EU AI Act Art. 10/13/15, ISO 42001, and NIST AI RMF.
Can I exempt a specific file or rule?
Yes — commit `.codeconstitution/exemptions.yaml` to your repo with the file glob + rule + justification. Exemptions are persisted in our database and signed in the audit trail.
What if the check is wrong?
Open an issue. Every check is open source (Apache 2.0) — see github.com/Code-Constitution.
How much does it cost?
Free for individuals and public repos. Team and Enterprise tiers are quoted by scope and volume — see the pricing page.