Recommendations for effectively integrating licit into your AI-assisted development workflow.
Initial Configuration
1. Initialize from the Start
Run licit init at the beginning of the project, not after. The sooner you start tracking, the more complete your compliance evidence will be.
mkdir my-project && cd my-project
git init
# ... initial setup ...
licit init
git add .licit.yaml
git commit -m "feat: initialize licit compliance tracking"2. Commit .licit.yaml
The configuration file must be versioned. The entire team should use the same configuration.
git add .licit.yaml3. Configure .gitignore Correctly
# Sensitive licit data
.licit/provenance.jsonl
.licit/fria-data.json
# Signing key
.licit/signing-key
# Generated reports (optional — can be included)
# .licit/reports/4. Select Relevant Frameworks
Do not enable frameworks that do not apply to your context:
# If your product does not operate in the EU:
frameworks:
eu_ai_act: false
owasp_agentic: true
# If you only need EU AI Act:
frameworks:
eu_ai_act: true
owasp_agentic: falseProvenance Traceability
5. Use Multiple Detection Methods
Combine git heuristics with session logs for greater accuracy:
provenance:
methods:
- git-infer
- session-log
session_dirs:
- ~/.claude/projects/6. Enable Signing in Regulated Environments
If you need to demonstrate provenance chain integrity:
provenance:
sign: true
sign_key_path: ~/.licit/signing-keyGenerate a secure key:
python3.12 -c "import secrets; print(secrets.token_hex(32))" > ~/.licit/signing-key
chmod 600 ~/.licit/signing-key7. Adjust the Confidence Threshold
The default (0.6) is conservative. Adjust according to your context:
provenance:
# Stricter (fewer AI false positives)
confidence_threshold: 0.8
# More permissive (detects more AI code, more false positives)
confidence_threshold: 0.4AI Agent Configuration
8. Document Your Agents
Maintain explicit agent configuration files:
CLAUDE.md # Instructions for Claude Code
.cursorrules # Rules for Cursor
AGENTS.md # GitHub Agents configurationlicit automatically monitors these files and records changes.
9. Implement Guardrails
In your architect or other agent configuration, define:
- Protected files: Files the agent must not modify.
- Blocked commands: Commands the agent must not execute.
- Code rules: Mandatory patterns or practices.
# .architect/config.yaml (example)
guardrails:
protected_files:
- .env
- secrets.yaml
- migrations/
blocked_commands:
- rm -rf
- DROP TABLE
code_rules:
- "no eval() or exec()"
- "all API endpoints require authentication"licit counts these guardrails as compliance evidence.
10. Require Human Review in CI/CD
Configure your pipeline to require human approval before deployment:
# .github/workflows/deploy.yml
jobs:
deploy:
environment: production # Requires approval in GitHub
steps:
- name: Compliance check
run: licit verify
- name: Deploy
run: ./deploy.shlicit detects the presence of environment: in GitHub Actions as evidence of a human review gate.
Continuous Compliance
11. Integrate licit verify in CI/CD
Add a compliance check on every PR:
# .github/workflows/compliance.yml
name: Compliance
on: [pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install licit-ai-cli
- run: licit verify12. Generate Reports Periodically
Do not wait for the audit. Generate reports on each release:
# Before each release
licit trace --report
licit changelog
licit report --format markdown
git add .licit/reports/ .licit/changelog.md
git commit -m "docs: update compliance report for v1.2.0"13. Review Gaps Regularly
licit gapsPrioritize closing the highest-priority gaps first.
Connectors
14. Enable Connectors When Possible
If you use Architect or Vigil, enable them. They provide additional evidence:
licit connect architect
licit connect vigilArchitect provides:
- Execution audit trail
- Guardrail configuration
- Quality gates
Vigil provides:
- Security findings (SARIF)
- SBOM (Software Bill of Materials)
15. Integrate Security Tools
licit automatically detects these tools and uses their results as evidence:
| Tool | What it detects |
|---|---|
| Semgrep | Insecure code patterns |
| Snyk | Dependency vulnerabilities |
| CodeQL | Static security analysis |
| Trivy | Container vulnerabilities |
| ESLint Security | JavaScript security rules |
Team Organization
16. Designate a Compliance Lead
Someone on the team should be responsible for:
- Reviewing licit reports periodically.
- Ensuring gaps are prioritized and closed.
- Keeping the FRIA up to date.
- Coordinating with legal/compliance if necessary.
17. Document Decisions
When a requirement is marked as n/a (not applicable), document why. This is important for audits:
# In your FRIA or internal documentation:
Art. 10 (Data Governance): N/A — This system does not train models,
it only uses pre-trained models via API.18. Keep the Configuration Up to Date
When you change AI tools, update the configuration:
# After migrating from Cursor to Claude Code
licit init # Re-detects the project
licit status # Verify the detectionAnti-patterns to Avoid
| Anti-pattern | Why it is problematic | What to do instead |
|---|---|---|
Ignoring licit verify warnings | Partials accumulate | Treat partials as technical debt |
Not versioning .licit.yaml | Each dev uses different config | Commit to repo |
Pushing provenance.jsonl to public repo | Exposes contributor info | Add to .gitignore |
| Generating reports only before audits | Incomplete evidence | Generate on each release |
| Disabling signing “because it’s slow” | Loss of verifiable integrity | Sign at least in CI |
| Not updating the FRIA | Outdated FRIA has no value | Update with each significant change |
Marking everything as n/a | Compliance evasion | Justify each n/a in writing |