<code/constitution>
Compliance-first GitHub App · Engineer-facing · WORM audit

Every claim your code makes — verified.

The architectural compliance engine for GitHub. SOC 2, ISO 27001, PCI DSS, PSD2, GDPR, HIPAA, EU AI Act, NIST AI RMF, DORA, NIS2, CCPA — verified against your actual codebase, not your marketing deck.

Powered by ReguNav — the compliance engine.

Real numbers · sourced from the engine

What ships today

Frameworks shipped

EU AI Act, ISO 42001/27001/27701, GDPR, HIPAA, SOC 1/2, PCI DSS, NIST AI RMF/CSF, DORA, NIS2, CCPA + more

Check families

patent-safety · no-placeholder · trademark-consistency · HF model-card

Industry profiles

Banking, healthcare, manufacturing, SaaS, retail, public sector, energy, defence, more

Audit-trail retention floor

Enterprise tier with R2 Object Lock COMPLIANCE mode (Principle #45)

What we replace

Compliance reviews shouldn't be quarterly slide decks.

Five concrete patterns we see at tier-1 banks and Series B+ fintechs. Each one rooted in a real engine check that ships in the platform today.

Problem
Compliance reviews are PDFs

Quarterly slide-deck reviews. Findings noted in spreadsheets that nobody updates. Audit-prep is 6 weeks of evidence-gathering.

Code Constitution
How we fix it

Every PR runs the same checks an auditor would run. The evidence pack is the audit deliverable — already cryptographically signed.

Problem
Marketing claims drift

Engineering ships 'SOC 2 certified' on a landing page before the audit closes. Legal finds out via a customer's vendor questionnaire.

Code Constitution
How we fix it

Patent-safety check fires on every PR. Unsubstantiated claims block the merge. Drift can't ship.

Problem
Model cards stay empty

HuggingFace / Kaggle artefacts ship without intended-use, eval results, or training-data lineage. EU AI Act Art. 13 / ISO 42001 8.1 silently fail.

Code Constitution
How we fix it

HF model-card evaluator runs on every README.md change. Missing fields are blocking on Article 13's mandatory disclosures.

Problem
Trust-page links go stale

DPA points to v2; sub-processor list shows last year's vendors; the SLA page references a metric the runbook deprecated.

Code Constitution
How we fix it

Trust artefacts are generated from the same data plane the engine reads. There is one source of truth, not five.

Problem
BYOC means 'we wrote a Terraform module once'

Vendor says BYOC. The Terraform module hasn't been touched in a year. Three providers depend on a private endpoint that's no longer documented.

Code Constitution
How we fix it

Code Constitution's customer-mirror workflow runs in YOUR runner with YOUR secrets. The vault pattern is the architecture, not a doc.

Live in your browser · no signup

Try the engine right here.

Paste a README, a marketing claim, an engineering note — anything. The same rule patterns ship in the production engine. Findings update on every keystroke.

Findings · 3 fail · 2 warn
  • fail · SOC_2 · CC1.2 · L3:8
    soc2-certified-unsubstantiated
    SOC 2 certified

    Unsubstantiated SOC 2 claim. Qualify with 'audit in progress (target QX 20YY)' or 'controls mapped'.

  • fail · ISO_27001 · A.5.32 · L3:28
    iso27001-certified-unsubstantiated
    ISO 27001 certified

    Unsubstantiated ISO 27001 claim. Qualify or remove. Use 'controls mapped' if applicable.

  • warn · FTC · §5 · L3:49
    worlds-first-superlative
    World's first

    Superlatives are FTC-actionable when unsubstantiated. Replace with a verifiable claim.

  • fail · Internal · L6:8
    fake-phone-xxx
    +966 11 XXX

    Placeholder phone number. Replace with real contact.

  • warn · Internal · L6:16
    todo-marker
    XXX

    Unresolved marker. Move to issue tracker or scope before shipping.

These rules are a subset of what ships in @regunav/engines/code-verification. The real engine runs in your CI on every PR with the full rule set plus custom exemptions.
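The five findings in the demo above, reproduced by a small scanner. This is an added example, not code from the Code Constitution or ReguNav engine: the rule ids, framework refs, severities and messages are copied from the demo, while the regular expressions, the 1-based line/column reporting and the behaviour that a claim qualified on the same line ("audit in progress", "controls mapped") is not reported are assumptions about how such rules could be written. The sample README is constructed.

```javascript
// Added example (not the Code Constitution / ReguNav engine's own code): a
// line-and-column reporting scanner modelled on the demo findings. Regexes and
// the "qualifier suppresses the finding" behaviour are assumptions.

const RULES = [
  {
    id: "soc2-certified-unsubstantiated", severity: "fail", framework: "SOC_2", ref: "CC1.2",
    pattern: /\bSOC\s?2\s+certified\b/gi,
    // A claim qualified on the same line is not reported (assumed behaviour).
    qualifiers: /audit in progress|controls mapped/i,
    message: "Unsubstantiated SOC 2 claim. Qualify with 'audit in progress (target QX 20YY)' or 'controls mapped'.",
  },
  {
    id: "iso27001-certified-unsubstantiated", severity: "fail", framework: "ISO_27001", ref: "A.5.32",
    pattern: /\bISO(?:\/IEC)?\s?27001\s+certified\b/gi,
    qualifiers: /audit in progress|controls mapped/i,
    message: "Unsubstantiated ISO 27001 claim. Qualify or remove. Use 'controls mapped' if applicable.",
  },
  {
    id: "worlds-first-superlative", severity: "warn", framework: "FTC", ref: "§5",
    pattern: /\bworld'?s\s+first\b/gi,
    message: "Superlatives are FTC-actionable when unsubstantiated. Replace with a verifiable claim.",
  },
  {
    id: "fake-phone-xxx", severity: "fail", framework: "Internal", ref: "",
    pattern: /\+?\d[\d\s-]*\bXXX\b/g,
    message: "Placeholder phone number. Replace with real contact.",
  },
  {
    id: "todo-marker", severity: "warn", framework: "Internal", ref: "",
    pattern: /\b(?:TODO|FIXME|XXX)\b/g,
    message: "Unresolved marker. Move to issue tracker or scope before shipping.",
  },
];

// Scan a document and return findings sorted by position (1-based line and column).
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, idx) => {
    for (const rule of RULES) {
      if (rule.qualifiers && rule.qualifiers.test(lineText)) continue;
      for (const m of lineText.matchAll(rule.pattern)) {
        findings.push({
          severity: rule.severity, framework: rule.framework, ref: rule.ref, rule: rule.id,
          match: m[0], line: idx + 1, col: m.index + 1, message: rule.message,
        });
      }
    }
  });
  return findings.sort((a, b) => a.line - b.line || a.col - b.col);
}

// Counts per severity, as in the "3 fail · 2 warn" header of the demo.
function summarize(findings) {
  const counts = { fail: 0, warn: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Render one finding in the demo's "severity framework · ref Lline:col" shape.
function formatFinding(f) {
  const where = f.ref ? `${f.framework} · ${f.ref}` : f.framework;
  return `${f.severity} ${where} L${f.line}:${f.col} ${f.rule} "${f.match}"`;
}

// Constructed sample input; line 6 carries the same placeholder phone number as the demo,
// line 7 shows a qualified claim that the scanner leaves alone.
const SAMPLE_README = [
  "# Acme Vault",
  "",
  "Acme is SOC 2 certified and ISO 27001 certified. World's first zero-trust vault.",
  "",
  "Contact us:",
  "Phone: +966 11 XXX",
  "Status: controls mapped; SOC 2 certified (audit in progress, target Q3 20YY).",
].join("\n");

const found = scanText(SAMPLE_README);
console.log(summarize(found));
for (const f of found) console.log(formatFinding(f), "-", f.message);
```

Note that the placeholder phone number on line 6 produces two findings, a `fail` for the number at column 8 and a `warn` for the bare `XXX` marker at column 16, exactly as the demo panel shows; a rule pack that wants one finding per defect would need a suppression between the two rules.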

Production capabilities · today

Nine engines, one product.

Every capability below is in the build; nothing here is roadmap. Every check has a corresponding rule pack the auditor can reference.

Patent-safety check

SOC 2 / ISO 27001 / PCI DSS unsubstantiated-claim detection. FTC superlative-watch. USPTO trademark-symbol enforcement on first occurrence.

No-placeholder gate

Blocks lorem-ipsum, fake phone numbers, unscoped TODOs in production code paths, and ship-blocking 'coming soon' UI text.

Trademark consistency

First-occurrence mark detection across marketing, docs, and product copy. Catches USPTO §15(1057) / EUIPO Art. 9 hygiene drift.

HF model-card evaluator

EU AI Act Art. 10 / 13 / 15 + ISO 42001 8.1 + NIST AI RMF MAP-3.1 conformance against any HuggingFace model README.md with YAML frontmatter.

Inline PR annotations

Up to 50 annotations per check run, positioned at the exact line/column. Severity-coded. Auto-collapses to summary when count exceeds the GitHub cap.

Cryptographic evidence pack

Every run produces a content-addressed pack in R2: full violation list, framework refs, control refs, file paths, timestamps. The auditor pulls it directly.

WORM audit-trail

Every state-changing decision is chain-hashed (sha256(prev_hash || event)). The replay engine reconstructs any prior state. Tamper-detection per row.

Vault pattern

Customer secrets stay in the customer's GitHub Secrets. The mirror workflow runs in the customer's runner. We never see HF / CF / AWS / GCP / Azure tokens.

OIDC service auth

Zero long-lived shared secrets. Five-minute OIDC tokens minted by GitHub, verified against the public JWKS, cross-checked against the calling repo.

A category gap, not another scanner

Existing tools check what's in the code. Code Constitution checks whether your architecture delivers what your compliance framework requires.

Snyk · Vulnerabilities
SonarQube · Code quality
Dependabot · Dependency versions
CodeQL · Code security analysis
Sourcegraph · Code search + intelligence
Code Constitution · Compliance-to-architecture mapping

The full pipeline, end to end.

Every push runs the same six-stage flow.

Stage 1 · git push

A push or PR-open event on a repo where the Code Constitution™ GitHub App is installed.

What you get out

Benefits, quantified where we can.

Six benefit categories, three claims per side, traceable to public audit benchmarks. We don't publish customer metrics — your numbers will vary; the calculator below shows your scenario.

Audit-prep velocity
Evidence packs are the audit deliverable

Every PR produces a signed, content-addressed evidence pack persisted to R2. Auditors consume directly. Replaces the manual screenshot-folder workflow with a deterministic artefact whose lineage is replayable.

Risk surface
Zero unsubstantiated compliance claims in production

Patent-safety check fires on every PR that touches marketing copy, README, docs, or product strings. Unsubstantiated SOC 2 / ISO / PCI claims are blocking-severity by default. Configurable via .codeconstitution/exemptions.yaml.

Engineer experience
Compliance feedback at the PR, not at the deploy

Findings appear as inline annotations the engineer can ack or fix in the same pass. No 'compliance review meeting' three weeks later. Time-to-resolution drops because the context is still loaded.

Vendor review
Bank vendor questionnaires complete in hours, not weeks

Trust center auto-generates SIG, CAIQ, ISO 27001 SoA, NIST 800-171, CMMC L2, Cyber Essentials, ENISA pre-fills. Auditor portal gives external assessors a per-tenant read-only view + WORM-chained activity log.

Regulatory exposure
EU AI Act Art. 13 / GDPR Art. 30 / DORA Art. 28 covered by construction

Every AI system gets an obligation tracker keyed to the in-scope frameworks. Model-card evaluator enforces Art. 13 disclosure fields. Sub-processor + transfer disclosures auto-publish on the trust center.

Operational cost
Drift detection runs continuously, not quarterly

The self-audit engine evaluates every metric on every deploy and persists drift findings to the ack ledger. Compliance ops moves from periodic-review to event-driven; engineers receive notifications when a metric crosses its baseline, not three months later.

Ecosystem · hub architecture

One hub. Every registry, every cloud, every framework.

Code Constitution™ is the hub; spokes connect to the registries we evaluate, the clouds we mirror logs from, the frameworks we enforce, the billing rails we meter against, and the observability sinks customers fan to.

[Hub diagram: Code Constitution™ at the centre, spokes grouped as registry · cloud · framework · billing · observability]
registry

HuggingFace

Model-card evaluation against EU AI Act Art. 10 / 13 / 15. Public API; no token required for read.

Your scenario · live

Audit-prep ROI calculator

Conservative 60% prep-time reduction (lower bound of published SOC 2 benchmarks). Adjust the inputs for your org. No data leaves the page.

Your inputs

Your scenario

Audit-prep hours today
1,600 hrs / yr
Audit-prep hours with Code Constitution
640 hrs / yr

Hours saved
960 hrs / yr
≈ work-days saved
120 days / yr
≈ FTE equivalent
0.48 FTE

Assumptions: conservative 60% prep-time reduction; uniform repo distribution; identical audit scope across audits. Your number will differ — talk to sales for a tailored estimate based on your audit history.

Talk to sales →
Use cases by role

Built for the people who own the outcome.

Six roles. Qualitative outcomes only — we don't quote customer metrics we cannot publicly cite.

Tier-1 bank CISO

Continuous evidence instead of quarterly audits.

Auditors arrive expecting weeks of evidence-gathering. Code Constitution makes the evidence pack the audit deliverable — signed, content-addressed, and produced on every PR.

Platform capabilities engaged
  • Signed evidence pack per check run (R2-persisted)
  • WORM audit chain — replayable to any prior timestamp
  • Inline PR annotations keyed to SOC 2 CC1.2 / ISO 27001 A.5.32 / PCI DSS controls
  • Auditor portal: per-tenant read-only browse of the artefact trail
Sector coverage

Twelve sectors, one engine.

Each sector inherits a different framework matrix. The engine ships rule packs for every framework below; installing a sector pack turns on the matrix in one click.

Banking & Financial Services

SOC_2 · ISO_27001 · PCI_DSS · DORA · EU_AI_ACT · GDPR

Loan underwriting AI · KYC/AML model cards · transaction-monitoring drift

Healthcare

HIPAA · ISO_27001 · ISO_42001 · EU_AI_ACT · GDPR

PHI de-identification · EU AI Act Annex III §5(d) medical-device AI

Insurance

SOC_2 · ISO_27001 · EU_AI_ACT · GDPR · DORA

Claims-decisioning AI · pricing-model fairness · sub-processor disclosure

Government & Public Sector

FedRAMP · NIST_AI_RMF · ISO_27001 · EU_AI_ACT · NIS2

Annex III §2 critical infrastructure · NIS2 essential-entity reporting

SaaS / B2B Software

SOC_2 · ISO_27001 · ISO_27701 · GDPR · CCPA

Sub-processor list · DPA addendum cycles · vendor questionnaires

AI Providers / Model Hosts

EU_AI_ACT · ISO_42001 · NIST_AI_RMF · ISO_27001 · GDPR

Model-card disclosure · GPAI Art. 53 + 55 obligations · Annex III gating

Manufacturing & Automotive

ISO_27001 · ISO_42001 · NIS2 · EU_AI_ACT · EU_CRA

Industrial AI · safety-component AI · supply-chain attestation

Energy & Utilities

NIS2 · ISO_27001 · NIST_CSF · EU_AI_ACT · DORA

Critical infrastructure · NIS2 essential-entity · ICS / OT AI

Pharma

ISO_27001 · ISO_42001 · GDPR · HIPAA · EU_AI_ACT

GxP-adjacent AI · clinical-trial AI · pharmacovigilance models

Defence & Aerospace

CMMC · NIST_CSF · ISO_27001 · EU_AI_ACT · NIST_AI_RMF

Annex III §3 critical defence systems · CMMC L2/L3 evidence

Telecom

NIS2 · ISO_27001 · DORA · EU_AI_ACT · GDPR

Network security · roaming-fraud AI · subscriber-data handling

Retail & E-commerce

PCI_DSS · GDPR · CCPA · SOC_2 · EU_AI_ACT

Recommendation systems · price-discrimination prohibition · payment card scope

Framework coverage

Each framework is shipped as a Rule Pack + Dictionary + Manifest by the ReguNav engine, evaluated against your codebase deterministically.

Framework · Scope · Example check
SOC 2 Type II · 64 Common Criteria + architectural checks · CC6.1: every data-mutation endpoint has auth middleware
ISO/IEC 27001:2022 · Annex A.5 – A.18 (93 controls) · A.9.4.2: admin routes carry MFA middleware
ISO/IEC 42001:2023 · AI management system controls · AI systems registered with risk classification
PCI DSS v4.0.1 · 12 requirements + sub-controls · Req 4: payment endpoints enforce TLS 1.2+
GDPR (EU 2016/679) · Arts. 5, 6, 9, 17, 25, 32, 35 · Art. 5(1)(f): PII columns encrypted at rest
UK GDPR + DPA 2018 · UK-specific carve-outs · ICO-aligned data-subject rights endpoint
HIPAA · §§164.308 / 312 / 314 · §164.312(a)(1): user model has unique-ID constraint
EU AI Act (Reg. 2024/1689) · Arts. 9 – 15 (high-risk systems) · Art. 14: high-risk decisions have human-oversight gate
NIST AI RMF · 4 functions, 19 categories, 72 subcategories · MAP-3.1: AI system context documented
NIST CSF 2.0 · 6 functions, 23 categories, 108 subcategories · PR.AC-1: identities & credentials managed
DORA (Reg. 2022/2554) · Arts. 8 – 30 · Art. 9: dependency map present and consistent
NIS2 Directive · 21 articles, sectoral annexes · Art. 21: incident-notification chain documented
EU Cyber Resilience Act · Annex I essential reqs · Vulnerability disclosure policy present
CCPA / CPRA · 13 controls + 13 questions · Data-subject rights endpoint exists

How it works

1. Install the GitHub App
   Grant read access to the repos you want covered. No write access required by default. Hosted at codeconstitution.com, powered by ReguNav's engine.
2. Pick your frameworks
   Enable manifests for the compliance frameworks in your audit scope. 21 frameworks shipped (EU AI Act, ISO 42001/27001/27701, GDPR, HIPAA, SOC 1/2, PCI DSS, NIST AI RMF, NIST CSF, DORA, NIS2, EU CRA, CCPA, plus regional privacy laws).
3. Engine runs on every PR
   Deterministic evaluation against your rule packs. Findings surface as PR check-runs and inline annotations. No LLM required.
4. Evidence Pack per run
   Cryptographically signed, WORM-stored Evidence Pack that auditors consume directly. Replaces manual evidence-gathering in SOC 2 / ISO 27001 / PCI DSS audit cycles.
5. Auto-fix PRs (opt-in)
   A safe-fix whitelist opens automatic PRs for trivial violations (qualifying SOC 2 claims, attributing PCI scope to the provider). Bring your own LLM key for non-whitelisted fixes; prompts never touch our infrastructure.

Bring your own LLM key

The engine is deterministic — no LLM required for any check. LLM is only used (optionally) for drafting fix PRs on non-whitelisted violations. Customers bring their own key (Anthropic, OpenAI, Gemini, Llama, or self-hosted). Prompts and completions never touch our infrastructure.

engine.deterministic = true
llm.byo_key = true
prompts.stored_by_us = false

Value pricing

Priced against the audit-cycle cost you avoid — typically $150k–$2M per company per year in consulting + delay.

Free
$0
public repos only
Get started
Team
$25
per dev / month
Install
Growth
$50
per dev / month · SSO · custom rule packs
Install
Enterprise
$100
per dev / month + $50k platform · 99.9% SLA
Contact sales
Bank / Regulated
Custom
BYOC self-hosted · air-gapped · indemnification
Contact sales