Install Code Constitution™ on your repo — under 90 seconds.
Free on public repos. BYOC for enterprise. Read-only by default; write access only when you opt into auto-fix PRs.
Five steps. No infra to host.
The compliance work happens where the code work already happens — on every PR, on every push.
1. Install the GitHub App
   One click. A single repo or your whole org. The App requests Contents (read) + Pull requests (write) + Checks (write). Nothing else.
2. Open a PR — the check runs automatically
   Every new PR triggers Code Constitution™. Findings appear as inline annotations on the affected lines plus a summary check-run grouped by engine (patent-safety / no-placeholder / trademark / HF model-card / …).
3. Fix in the diff, before merge
   Inline annotations carry the rule-pack citation, severity, and (for mechanical violations) a suggested replacement. The auto-fix PR composer handles the common cases.
4. Drop your constitution.yaml
   Bring your own rules. Customer-defined rules layer on top of the 11 free framework rule packs; the same engine evaluates both.
5. Hand the auditor a URL
   Every check-run seals a cryptographic evidence pack on R2. The auditor pulls the URL list and verifies hashes against the WORM chain. No email chain. No screenshots.
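The auditor-side verification described in step 5, as an added Python example that is not the product's own code: each sealed entry commits to the SHA-256 of its evidence pack and to the previous entry's hash, so a modified pack or a dropped entry breaks the chain. The pack layout, the entry fields, the genesis value and the sample findings are constructed assumptions for this example; the page does not document the real evidence-pack format.

```python
import hashlib
import json

# Constructed sample evidence packs: findings + framework refs + file paths, never file contents.
# The layout is an assumption for this example, not the documented pack format.
PACKS = [
    {"run_id": "run-0001",
     "findings": [{"rule": "no-placeholder", "file": "src/app.py", "line": 12, "severity": "blocking"}],
     "framework_refs": ["SOC 2 CC8.1"]},
    {"run_id": "run-0002", "findings": [], "framework_refs": []},
    {"run_id": "run-0003",
     "findings": [{"rule": "trademark", "file": "README.md", "line": 1, "severity": "advisory"}],
     "framework_refs": ["EU-CRA"]},
]

GENESIS = "0" * 64  # assumed sentinel for the first entry's prev link


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same pack always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack_hash(pack: dict) -> str:
    return sha256_hex(canonical(pack))


def entry_digest(run_id: str, pack_sha256: str, prev: str) -> str:
    """Entry hash binds the pack hash to its position in the chain via prev."""
    return sha256_hex(canonical({"run_id": run_id, "pack_sha256": pack_sha256, "prev": prev}))


def seal_chain(packs: list) -> list:
    """Producer side: append one entry per check-run, each linked to the previous entry."""
    chain, prev = [], GENESIS
    for pack in packs:
        entry = {"run_id": pack["run_id"], "pack_sha256": pack_hash(pack), "prev": prev}
        entry["entry_sha256"] = entry_digest(entry["run_id"], entry["pack_sha256"], prev)
        chain.append(entry)
        prev = entry["entry_sha256"]
    return chain


def verify(chain: list, packs_by_run_id: dict):
    """Auditor side: recompute every hash from the packs actually downloaded.

    Returns (ok, problems). Any edited pack, missing pack, or removed/reordered
    entry shows up as at least one problem string.
    """
    problems, prev = [], GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: prev link mismatch")
        if entry["entry_sha256"] != entry_digest(entry["run_id"], entry["pack_sha256"], entry["prev"]):
            problems.append(f"entry {i}: entry hash mismatch")
        pack = packs_by_run_id.get(entry["run_id"])
        if pack is None:
            problems.append(f"entry {i}: pack {entry['run_id']} missing")
        elif pack_hash(pack) != entry["pack_sha256"]:
            problems.append(f"entry {i}: pack {entry['run_id']} content does not match sealed hash")
        prev = entry["entry_sha256"]
    return (not problems, problems)


def run_scenarios() -> dict:
    """Intact chain passes; an edited finding and a dropped entry both fail."""
    chain = seal_chain(PACKS)
    by_id = {p["run_id"]: p for p in PACKS}
    tampered = json.loads(json.dumps(by_id))  # deep copy, then downgrade a blocking finding
    tampered["run-0001"]["findings"][0]["severity"] = "advisory"
    dropped = chain[:1] + chain[2:]  # someone removed the second check-run's entry
    return {
        "intact": verify(chain, by_id)[0],
        "tampered_pack": verify(chain, tampered)[0],
        "dropped_entry": verify(dropped, by_id)[0],
    }


if __name__ == "__main__":
    print(run_scenarios())  # {'intact': True, 'tampered_pack': False, 'dropped_entry': False}
```

The auditor never needs to trust the producer's hashes as stored: every value is recomputed from the downloaded packs, and the chain's last entry hash is the single value worth pinning out of band (on the WORM store) to detect a wholesale rewrite of the list.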
Read-only by default. Nothing extra.
Code Constitution™ asks for the minimum scopes needed to verify your codebase + post the check-run. Cloud-provider tokens never leave your runner (vault pattern).
Answers in one sentence.
Do you store our code?
No. Code Constitution™ reads the diff via the GitHub App installation token (just-in-time, ≤50 min cache). Evidence packs store findings + framework refs + file paths, not full file contents.
Do you see our cloud credentials?
No. The vault pattern is the design: the log-mirror workflow runs in YOUR runner with YOUR GitHub Secrets. HuggingFace, Cloudflare, AWS, GCP, Azure tokens never leave your runner.
What if a rule raises a false positive?
Drop a `.codeconstitution/exemptions.yaml` in your repo. Per (file, rule) exemptions downgrade the finding from blocking to advisory and record the justification in the evidence pack.
Can we host this ourselves?
Yes. Enterprise tier supports BYOC + air-gapped deployments. Same engine, same rule packs, runs in your CF account / your AWS region / your air-gapped network.
Which frameworks ship by default?
11 free baseline: SOC 2, ISO 27001, ISO 42001, PCI DSS v4.0.1, GDPR, HIPAA, EU AI Act, NIST AI RMF, NIST CSF 2.0, DORA, NIS2, plus CCPA / UK-GDPR / EU-CRA carve-outs.
What's the auto-fix scope?
Safe-fix whitelist composes fix PRs for mechanical violations (qualify SOC 2 claims, attribute PCI scope to provider, add ™ to first mark occurrence). BYO LLM key for non-whitelisted fixes; prompts never touch our infrastructure.
Ready when you are.
Install on a single repo to try it. Add the whole org when you're convinced. Public repos: free forever.