Recommendations for effectively integrating licit into your AI development workflow.
Initial setup
1. Initialize from the start
Run licit init at the beginning of the project, not after. The sooner you start tracking, the more complete the compliance evidence will be.
mkdir my-project && cd my-project
git init
# ... initial setup ...
licit init
git add .licit.yaml
git commit -m "feat: initialize licit compliance tracking"2. Commit .licit.yaml
The configuration file should be versioned. The entire team should use the same configuration.
git add .licit.yaml3. Configure .gitignore correctly
# Sensitive licit data
.licit/provenance.jsonl
.licit/fria-data.json
# Signing key
.licit/signing-key
# Generated reports (optional — can be included)
# .licit/reports/4. Select relevant frameworks
Don’t enable frameworks that don’t apply to your context:
# If your product doesn't operate in the EU:
frameworks:
eu_ai_act: false
owasp_agentic: true
# If you only need EU AI Act:
frameworks:
eu_ai_act: true
owasp_agentic: falseProvenance traceability
5. Run trace regularly
Run licit trace after each sprint or release to keep traceability up to date:
licit trace --since 2026-03-01 --stats --reportCombine git heuristics with session logs for greater accuracy:
provenance:
methods:
- git-infer
- session-log
session_dirs:
- ~/.claude/projects/6. Enable signing in regulated environments
If you need to demonstrate provenance chain integrity:
provenance:
sign: true
sign_key_path: ~/.licit/signing-keyGenerate a secure key:
python3.12 -c "import secrets; print(secrets.token_hex(32))" > ~/.licit/signing-key
chmod 600 ~/.licit/signing-key7. Adjust the confidence threshold
The default (0.6) is conservative. Adjust according to your context:
provenance:
# Stricter (fewer AI false positives)
confidence_threshold: 0.8
# More permissive (detects more AI code, more false positives)
confidence_threshold: 0.4AI agent configuration
8. Document your agents
Maintain explicit agent configuration files:
CLAUDE.md # Instructions for Claude Code
.cursorrules # Rules for Cursor
AGENTS.md # GitHub Agents configurationlicit monitors these files automatically and records changes.
9. Implement guardrails
In your architect or other agent configuration, define:
- Protected files: Files the agent should not modify.
- Blocked commands: Commands the agent should not execute.
- Code rules: Mandatory patterns or practices.
# .architect/config.yaml (example)
guardrails:
protected_files:
- .env
- secrets.yaml
- migrations/
blocked_commands:
- rm -rf
- DROP TABLE
code_rules:
- "no eval() or exec()"
- "all API endpoints require authentication"licit counts these guardrails as compliance evidence.
10. Require human review in CI/CD
Configure your pipeline to require human approval before deployment:
# .github/workflows/deploy.yml
jobs:
deploy:
environment: production # Requires approval in GitHub
steps:
- name: Compliance check
run: licit verify
- name: Deploy
run: ./deploy.shlicit detects the presence of environment: in GitHub Actions as evidence of a human review gate.
Continuous compliance
11. Integrate licit verify in CI/CD
Add a compliance check on every PR:
# .github/workflows/compliance.yml
name: Compliance
on: [pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install licit-ai-cli
- run: licit verify12. Generate agent config changelog
Run licit changelog regularly to document changes in your AI agent configuration. This is key evidence for compliance:
licit changelog # Markdown by default
licit changelog --format json # JSON for integration
licit changelog --since 2026-03-01 # From a specific dateThe changelog classifies each change as MAJOR (model/provider), MINOR (prompt/guardrails/tools) or PATCH (tweaks). MAJOR changes deserve special attention — they can affect agent behavior.
git add .licit/changelog.md
git commit -m "docs: update agent config changelog"13. Generate reports periodically
Don’t wait for the audit. Generate reports on each release:
# Before each release
licit trace --report
licit changelog
licit report --format markdown
git add .licit/reports/ .licit/changelog.md
git commit -m "docs: update compliance report for v1.2.0"14. Review gaps regularly
licit gapsPrioritize closing the highest-priority gaps first.
Connectors
15. Enable connectors when possible
If you use Architect or Vigil, enable them. They provide evidence that improves the evaluation:
licit connect architect
# → architect data found at: .architect/reports
# → Connector 'architect' enabled.
licit connect vigil
# → vigil data found
# → Connector 'vigil' enabled.Architect provides:
- Execution audit trail (JSON reports + JSONL audit)
- Guardrail configuration (protected files, blocked commands, code rules)
- Quality gates and budget limits
- Dry-run and rollback capabilities
Vigil provides:
- Security findings (SARIF 2.1.0) with severity (critical/high/medium/low)
- SBOM — Software Bill of Materials (CycloneDX)
Configure the audit log for maximum evidence:
connectors:
architect:
enabled: true
config_path: .architect/config.yaml
audit_log: .architect/audit.jsonl # ← This adds entries to the audit trail16. Integrate security tools
licit automatically detects these tools and uses their results as evidence:
| Tool | What it detects |
|---|---|
| Semgrep | Insecure code patterns |
| Snyk | Dependency vulnerabilities |
| CodeQL | Static security analysis |
| Trivy | Container vulnerabilities |
| ESLint Security | JavaScript security rules |
Team organization
17. Designate a compliance lead
Someone on the team should be responsible for:
- Reviewing licit reports periodically.
- Ensuring gaps are prioritized and closed.
- Keeping the FRIA up to date.
- Coordinating with legal/compliance if necessary.
18. Document decisions
When a requirement is marked as n/a (not applicable), document why. This is important for audits:
# In your FRIA or internal documentation:
Art. 10 (Data Governance): N/A — This system does not train models,
it only uses pre-trained models via API.19. Keep the configuration up to date
When you switch AI tools, update the configuration:
# After migrating from Cursor to Claude Code
licit init # Re-detects the project
licit status # Verify detectionAnti-patterns to avoid
| Anti-pattern | Why it’s problematic | What to do instead |
|---|---|---|
Ignoring licit verify warnings | Partials accumulate | Treat partials as technical debt |
Not versioning .licit.yaml | Each dev uses different config | Commit to repo |
Pushing provenance.jsonl to public repo | Exposes contributor info | Add to .gitignore |
| Generating reports only before audits | Incomplete evidence | Generate on each release |
| Disabling signing “because it’s slow” | Loss of verifiable integrity | Sign at least in CI |
| Not updating the FRIA | Outdated FRIA has no value | Update with each significant change |
Marking everything as n/a | Compliance evasion | Justify each n/a in writing |