Install

Install Code Constitution™ on your repo — under 90 seconds.

Free on public repos. BYOC for enterprise. Read-only by default; write access only when you opt into auto-fix PRs.

How it works

Five steps. No infra to host.

The compliance work happens where the code work already happens — on every PR, on every push.

1. Install the GitHub App

   One click. A single repo or your whole org. The App requests Contents (read) + Pull requests (write) + Checks (write). Nothing else.

   Install on GitHub →

2. Open a PR — the check runs automatically

   Every new PR triggers Code Constitution™. Findings appear as inline annotations on the affected lines plus a summary check-run grouped by engine (patent-safety / no-placeholder / trademark / HF model-card / …).

3. Fix in the diff, before merge

   Inline annotations carry the rule-pack citation, severity, and (for mechanical violations) a suggested replacement. The auto-fix PR composer handles the common cases.

4. Drop your constitution.yaml

   Bring your own rules. Customer-defined rules layer on top of the 11 free framework rule packs; the same engine evaluates both.

5. Hand the auditor a URL

   Every check-run seals a cryptographic evidence pack on R2. The auditor pulls the URL list and verifies hashes against the WORM chain. No email chain. No screenshots.
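As an added illustration of what the auditor's verification step checks, and not code from Code Constitution™: this Python sketch assumes a hash-chained evidence-pack layout (each pack carries the check-run id, its findings, a `prev_hash` back-link and its own SHA-256) and shows how an altered, inserted or removed pack breaks the chain. All field names, run ids and rule ids below are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first pack


def pack_digest(pack: dict) -> str:
    """SHA-256 over the canonical JSON of the pack, excluding its own 'hash' field."""
    body = {k: v for k, v in pack.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def seal(prev_hash: str, check_run: str, findings: list) -> dict:
    """Create one evidence pack linked to the previous pack's hash (assumed layout)."""
    pack = {"check_run": check_run, "findings": findings, "prev_hash": prev_hash}
    pack["hash"] = pack_digest(pack)
    return pack


def verify_chain(packs: list) -> tuple:
    """Return (True, None) if every pack's hash and back-link verify, else (False, index).

    A modified pack fails the digest check; a deleted or inserted pack fails the
    back-link check at the first pack after the gap.
    """
    expected_prev = GENESIS
    for i, pack in enumerate(packs):
        if pack.get("prev_hash") != expected_prev:
            return False, i
        if pack.get("hash") != pack_digest(pack):
            return False, i
        expected_prev = pack["hash"]
    return True, None


def demo() -> tuple:
    """Constructed three-run chain; downgrading run 2's finding is caught at index 1."""
    chain, prev = [], GENESIS
    for run, findings in [
        ("run-1001", [{"rule": "trademark", "file": "README.md", "severity": "advisory"}]),
        ("run-1002", [{"rule": "no-placeholder", "file": "src/app.py", "severity": "blocking"}]),
        ("run-1003", []),
    ]:
        pack = seal(prev, run, findings)
        chain.append(pack)
        prev = pack["hash"]
    clean = verify_chain(chain)
    tampered = json.loads(json.dumps(chain))  # deep copy
    tampered[1]["findings"][0]["severity"] = "advisory"  # quietly downgrade a blocking finding
    return clean, verify_chain(tampered)
```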

Permissions requested

Read-only by default. Nothing extra.

Code Constitution™ asks for the minimum scopes needed to verify your codebase + post the check-run. Cloud-provider tokens never leave your runner (vault pattern).

Repository contents: Read. Read the diff + repo files needed to evaluate the rule packs.
Pull requests: Read & write. Post check-runs + inline annotations on PRs.
Checks: Read & write. Create + update the Code Constitution™ check-run.
Issues: Read & write. Open compliance issues (only when configured).
Workflows: Read & write. Manage the log-mirror reusable workflow opt-in.

Frequently asked

Answers in one sentence.

Do you store our code?

No. Code Constitution™ reads the diff via the GitHub App installation token (just-in-time, ≤50 min cache). Evidence packs store findings + framework refs + file paths, not full file contents.

Do you see our cloud credentials?

No. The vault pattern is the design: the log-mirror workflow runs in YOUR runner with YOUR GitHub Secrets. HuggingFace, Cloudflare, AWS, GCP, Azure tokens never leave your runner.

What if a rule false-positives?

Drop a `.codeconstitution/exemptions.yaml` in your repo. Per (file, rule) exemptions downgrade the finding from blocking to advisory + record the justification in the evidence pack.

Can we host this ourselves?

Yes. Enterprise tier supports BYOC + air-gapped deployments. Same engine, same rule packs, runs in your CF account / your AWS region / your air-gapped network.

Which frameworks ship by default?

11 free baseline: SOC 2, ISO 27001, ISO 42001, PCI DSS v4.0.1, GDPR, HIPAA, EU AI Act, NIST AI RMF, NIST CSF 2.0, DORA, NIS2, plus CCPA / UK-GDPR / EU-CRA carve-outs.

What's the auto-fix scope?

Safe-fix whitelist composes fix PRs for mechanical violations (qualify SOC 2 claims, attribute PCI scope to provider, add ™ to first mark occurrence). BYO LLM key for non-whitelisted fixes; prompts never touch our infrastructure.

Ready when you are.

Install on a single repo to try it. Add the whole org when you're convinced. Public repos: free forever.