What is Code Constitution™?

Code Constitution™ is a GitHub App that runs framework-grade compliance checks (SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, NIST AI RMF, DORA, NIS2, CCPA, ISO 42001) inline on every pull request. It composes safe auto-fix PRs for mechanical violations and seals each run in a content-addressed cryptographic evidence pack on an immutable WORM audit chain.

How does it differ from a code scanner or compliance SaaS?

Code scanners (Snyk, Semgrep, etc.) look for security CVEs. Compliance SaaS (Vanta, Drata, etc.) catalogues controls and runs quarterly. GRC platforms (ServiceNow, OneTrust) track policy. Only Code Constitution™ enforces ALL OF: framework-grade compliance + code governance + AI Act conformity + patent-safety + trademark hygiene — inline on every PR, sealed in a cryptographic evidence trail an auditor can verify by URL.

Yes — free forever on public GitHub repositories with all 11 framework rule packs enabled. Private repos and enterprise BYOC are paid tiers; pricing is published at codeconstitution.com/pricing.

Does Code Constitution™ see my source code or my secrets?

It sees the diff during check execution (the standard GitHub App contract) and never persists file contents. It never sees your cloud-provider tokens — the BYOC vault pattern keeps customer cloud secrets in your runner. Every state-changing operation is recorded in the WORM audit trail and available on request.

What is an evidence pack?

A content-addressed bundle on Cloudflare R2 containing every finding, the rule-pack references, the diff fingerprint, and the signing key trail. Auditors verify the head-hash, pull the pack by URL, sample as deeply as their methodology requires — no email chain, no screenshot rounds.

Which frameworks ship in the free tier?

11 framework rule packs: SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, NIST AI RMF, DORA, NIS2, CCPA, ISO/IEC 42001. Sector-specific packs (PCI QSA, HIPAA pharma, maritime, oil & gas, banking-grade) are available on the Enterprise tier.

Trust

Security posture for Code Constitution™. Every claim below ties to a checkable property of the system or a documented attestation state. No unsubstantiated certifications, no aspirational language.

Credentials handling

Vault pattern: customer cloud-provider tokens stay in the customer's GitHub Secrets — the reusable workflow runs in the customer's runner
We never see HuggingFace / Cloudflare / AWS / GCP / Azure tokens
GitHub App installation tokens are minted just-in-time per request; cached in memory ≤ 50 minutes

Service-to-service auth

OIDC-only between customer runner and our worker (no shared secrets)
Tokens verified against the public GitHub JWKS, cross-checked against the calling repo + workflow
Webhook signatures verified via Web Crypto HMAC-SHA256 with 5-minute skew window and constant-time compare

Audit chain

Every state-changing decision chain-hashed (this_hash = sha256(prev_hash || canonical_json(event)))
Append-only by construction; mutations are blocked at the storage layer (Cerbos audit_trail.yaml denies UPDATE/DELETE)
Replay engine reconstructs platform state at any prior timestamp from the chain

Determinism

Engines are pure functions over the file content + dictionary + rule pack — same input → same output
No LLM in the check-execution path; LLM-assist (fix-PR composer) is opt-in + BYO key

Attestation status

Qualified status only. We never claim a certification we don't hold; in-progress audits are flagged with the target window.

Framework	Status
SOC 2 Type II	Audit in progress (target Q4 2026)
ISO 27001:2022	Controls mapped; Stage 1 audit Q4 2026
ISO 42001:2023 (AIMS)	Internal AIMS in place; external audit Q1 2027
GDPR Art. 32	Implemented; DPO designated
EU AI Act	Self-classified non-high-risk; Art. 50 transparency obligations met

Sub-processors

The minimal list of vendors with access to operational data in service of Code Constitution™. Material changes are announced 30 days in advance via the trust-center change log.

Vendor	Purpose	Region
Cloudflare	Edge / Pages / Workers / R2 / D1 / Email Routing	Global edge + EU/US primaries
GitHub	Repository hosting + Actions + OIDC issuer + Check Runs API	Global

SLA →

Per-tier uptime + response targets.

Incidents →

Public incident timeline + post-mortems.

Status →

Live probe of every surface.