Open Source · CLI-First · Backend-Agnostic

From chaotic requirements to verified code

Four CLI tools. One pipeline covering the entire chain — from idea to secure, verified, and regulatorily compliant code.

Compliance & Provenance Layer
Cross-cutting layer
licit
AI Compliance

Provenance, EU AI Act, OWASP. Evaluates the entire pipeline.

Phase 01
intake
Capture and normalize

From Jira, PDFs, Slack or a sentence — to an executable YAML spec for any agent.

Phase 02
architect
Implement with control

AI agents with deterministic guardrails, budget limits, and audit trail. Backend-agnostic.

Phase 03
vigil
Verify and protect

Detects AI-code vulnerabilities: hallucinations, slopsquatting, over-permissions.

◻ Phase 01 — Preparation

intake

From chaotic requirements to executable spec

Capture from Jira, PDFs, Confluence, Slack, or natural language. Normalize, deduplicate, detect conflicts, generate YAML spec.

Does not generate code. It is preparation infrastructure.

  • Multi-source: Jira, PDFs, Slack, images
  • Deduplication and conflict detection
  • Universal YAML output
  • Full traceability
Terminal — intake collect
    # Capture from multiple sources
    $ intake collect --from jira:PROJ-123 --from pdf:specs/req.pdf --from slack:#dev
    ◻ 14 requirements · 2 conflicts
    ◻ Spec → .intake/spec.yaml
△ Phase 02 — Implementation

architect

Deterministic control for code agents

Guardrails the LLM cannot bypass. Backend-agnostic. Switch models without changing your pipelines.

  • Ralph Loop: iteration with verification
  • Protected files, budget limits
  • 100+ providers, zero lock-in
  • Native OWASP, OpenTelemetry
Figure 03 — architect loop
    $ architect loop "Payments module" --check "pytest tests/ -q" --check "vigil scan src/" --budget '$2.00'
    △ Loop 3/10
    ✓ 18/18 passed · $0.089
◇ Phase 03 — Verification

vigil

Security scanner for AI code

Detects hallucinated dependencies, slopsquatting, over-permissions, empty tests. Deterministic, no LLMs.

  • Ghost dependencies in registries
  • Typosquatting and slopsquatting
  • Tests: empty asserts, fake coverage
  • Quality gate for CI/CD
Terminal — vigil scan
    $ vigil scan src/
    ◇ 47 files...
    ✗ DEP-001 flask-helper (hallucinated)
    ✗ SEC-003 CORS disabled
    ✓ 45/47 clean
⬡ Cross-cutting layer — Compliance

licit

AI Compliance & Provenance Toolkit

Tracks code origin (human vs. AI), evaluates compliance against the EU AI Act and OWASP Agentic Top 10, and automatically generates required regulatory documentation.

Works as a CI/CD gate. Standalone — connectors to architect and vigil are optional.

  • Provenance tracking: human vs. AI origin per commit
  • EU AI Act: FRIA, Annex IV, article-by-article evaluation
  • OWASP Agentic Top 10: agentic security evaluation
  • Gap analysis with actionable recommendations
  • CI/CD gate: exit code 0 (compliant) or 1 (non-compliant)
Terminal — licit
    # Initialize and analyze compliance
    $ licit init
    ⬡ Detected: Python/FastAPI · Git: 847 commits
    ⬡ Agent configs: CLAUDE.md, .cursorrules
    $ licit trace
    ⬡ Provenance: 62% human · 38% AI-assisted
    $ licit verify
    ⬡ EU AI Act: 8/12 requirements met
    ⬡ OWASP Agentic: 7/10 controls passed
    ⬡ Status: NON-COMPLIANT · 4 gaps found
// Full Pipeline

Four commands. Zero supervision.

From ticket to verified and regulatorily compliant PR.

pipeline.sh
    #!/bin/bash
    # Stop at the first failing step so a failed gate is not masked by later commands
    set -e
    intake collect --from jira:SPRINT-42 --out spec.yaml
    architect loop "Implement spec.yaml" \
      --check "pytest && vigil scan src/"
    vigil scan src/ --format junit
    licit verify --fail-on high
// Principles

Built on convictions

01

CLI-first

If it doesn't fit in a script, it doesn't work for CI/CD.

02

Determinism

The LLM cannot skip tests or quality gates.

03

Zero lock-in

Switch models without touching your pipeline.

04

Open source

Auditable code that governs your code.

05

Headless-first

Works at 3am without supervision.

06

Compliance-native

Regulation isn't an afterthought. It's part of the pipeline.

Your AI pipeline, under control

Install and run your first pipeline with technical and regulatory guarantees.