Make every agent change prove it belongs.
local by default — explicit sync only
CodeTruss is the proof layer for AI-written code. Put a local boundary around each agent change, share only the receipts you explicitly sync, and use hosted audits to understand the health of the whole codebase.
- Boundary
- Agent-time proof
- History
- Explicit receipt sync
- Health
- Full-codebase audit
Boundary · History · Health
One proof system, from prompt to codebase.
- BoundaryLocal · before the PR
- Record the task and starting Git state, enforce scope, flag sensitive surfaces, run 13 registry analyzers plus your verification commands, and write an integrity-signed receipt.
- HistoryExplicit sync · organization scoped
- Receipts stay local until you choose one to sync. Sync sends a privacy-minimized copy for organization history and shared review; it never uploads the patch or verification output.
- HealthHosted · whole codebase
- Run a read-only repository audit with the registry suite plus graph and SAST passes, health scores, architecture maps, findings, and an issue roadmap.
Install + activate · macOS + Linux
curl -fsSL https://codetruss.com/install.sh | sh
codetruss setup- 13 registry analyzers stay local
- One guided setup, then automatic checks
- Integrity-signed Markdown + JSON
§ 01 — What you receive
One codebase audit produces four exhibits. Deliverables — not a lecture.
Exhibit A
Architecture map
Every module, edge, and cycle — drawn from the real symbol graph, not a stale wiki page.
Example architecture map: modules app, lib, api and prisma with import edges, and a three-file import cycle flagged in red.
Exhibit B
Health certificate
Five scores that tell you where the risk actually lives, weakest marked in red.
Certificate of Health
Snapshot a1b2c3 · Read-only
Example health certificate with scores: structure 87, health 74, tests 71, security 64 (weakest, marked in red), docs 93.
Exhibit C
Issue roadmap
A punch list of findings, ranked and filed as labeled GitHub issues under a milestone.
- ☐ Vendored dir committed: .agent/ (1,862 files)■ HIGHM
- ☐ No CI pipeline detected■ HIGHS
- ☐ Deep nesting in geminiService.ts□ MEDS
Ranked by severity × effort · filed as GitHub issues
Exhibit D
Fix PRs
Approve a finding and CodeTruss opens the branch and the pull request. Nothing ships without you.
- const apiKey = 'sk-live-9f3…'- writeFileSync(out, data)+ const apiKey = process.env.API_KEY+ if (!apiKey) throw new Error('API_KEY missing')+ await writeFile(out, data)
§ 02 — Method
Connect
Install the GitHub App on the repositories you choose — and nothing else.
LEAST-PRIVILEGE GITHUB APP · REVOCABLE
Snapshot
CodeTruss takes a read-only tarball of your default branch. Your code is never executed.
READ-ONLY TARBALL · NEVER EXECUTED†
Analyze
A policy-selected analyzer suite walks the symbol graph and source: structure, import cycles, tests, secrets, SAST, and known vulnerabilities.
STATIC ANALYSIS · SAST · SYMBOL GRAPH · OSV
Roadmap
Findings become labeled GitHub issues under a milestone, with a tracking issue on top.
LABELED ISSUES · MILESTONE · TRACKING ISSUE
§ 03 — The deliverable
The audit ends as a typeset report you can hand to a client, a CTO, or your future self: scores, architecture, findings, and a prioritized plan, enriched with AI review and shared as a read-only link. Freelancers and agencies deliver it as the codebase audit their engagement is billed on. Don’t take our word for it: the specimen shown here is a real audit of a repository you already trust.
send it to the client as-is — or white-label it
Specimen · Engineering audit
expressjs/cors
Shared read-only
§ 04 — Fee schedule
Free
Try CodeTruss on a single repository.
1 repository · 5 scans a month · health scores & basic reports
$0
Pro
For solo developers and freelancers.
10 repositories · 50 scans · full reports, exports, fix PRs, your own AI keys
$29 / mo
☛ recommended
Agency
For agencies delivering audits to clients.
Client workspaces · white-label reports · 200 repositories · 25 seats
$249 / mo
Full fee schedule
Prepared by CodeTruss — the proof layer for AI-written code.
Signed · 2026-07-15
Footnotes
† Read-only tarball snapshot. Your code is never executed. GitHub App access is least-privilege and revocable.