Merge-time control plane · GitHub-first

Enforce. Audit.
Trust AI code.

The merge-time enforcement layer and tamper-evident audit trail for AI-assisted software development. Govern every Copilot, Cursor, Claude Code, and Codex merge. Block what's risky, document what's approved, hand auditors a signed chain of custody.

Enforce
Block at merge time

A required GitHub Check that fails on policy violations. AI-authored changes to regulated paths cannot ship without explicit approval.

Audit
Mapped to your framework

Every decision logged and tagged to SOC 2, HIPAA, PCI-DSS, ISO 27001, and EU AI Act controls. Append-only.

Trust
Signed chain of custody

Tamper-evident evidence packs your auditor can verify. SHA-256 hash chain, signed with your org's key.

sentrai · ledger.publicexample
0PRs governed · 24h0blocks · 24h0orgs publishing
block
acme/payments-core
P-001 · Regulated repo, AI off · @dlin
warn
acme/api-gateway
P-004 · AI commit > 400 LOC, no review · @kpark
allow
acme/marketing-site
P-002 · Approved team · web-eng · @sara
block
acme/hipaa-records
P-001 · Regulated repo, AI off · @bot-cp
warn
acme/data-platform
P-005 · Unapproved assistant model · @mjones

Example rows — no organizations are publishing their ledger publicly yet.

// audit_entry · immutable · signed
{
  "id": "ae_01HZX...c4",
  "decision": "block",
  "policy": "P-001",
  "repo": "acme/payments-core",
  "actor": "dlin",
  "ai_source": "github_copilot",
  "evidence_hash": "sha256:9c2e…",
  "ts": "2026-06-04T14:22:08Z",
  "signed_by": "sentrai-prod-1"
}
SOC 2 evidenceHIPAA-scoped reposFedRAMP-readyGitHub EnterpriseCopilot auditSAML SSOImmutable trailsWebhook · SIEM exportSOC 2 evidenceHIPAA-scoped reposFedRAMP-readyGitHub EnterpriseCopilot auditSAML SSOImmutable trailsWebhook · SIEM export
01 · The wedge

AI is in your repos.
Your controls aren't.

Copilot ships code into your monorepo every minute. Security teams are asked to sign off — without policy, without scope, without evidence. Generic AppSec doesn't answer the question. Neither does a dashboard.

SentrAI is a thin, opinionated control plane: scope where AI is allowed, block what it shouldn't touch, and keep signed audit evidence your auditors will accept.

< 10 min
GitHub install to first decision
5 rules
Enterprise-ready policy set
100%
Decisions written to immutable log
02 · System

From GitHub event to audit evidence in one path.

01
Connect GitHub

Install the SentrAI GitHub App on your enterprise org. Read audit logs and Copilot-related events. No code access required.

02
Scope & target

Mark repos as regulated. Assign approved teams. Define which AI activity is allowed where.

03
Enforce policy

Each event is evaluated against a small, explainable rule set. Decisions: allow, warn, block — every time.

04
Prove control

Signed, immutable audit entries. Export to CSV/JSON or stream to your SIEM. Hand to your auditor.

03 · Policies

Five rules.
Not five hundred.

A small, explainable policy set your security team can defend in writing — not a YAML jungle that drifts within a quarter.

P-001
Block AI in regulated repos

No Copilot activity in repos tagged hipaa, pci, sox, or regulated. Hard block, logged with reason.

enforce · log
P-002
Restrict AI to approved teams

Only members of approved GitHub teams may push AI-assisted commits to scoped repos.

enforce · log
P-003
Require review on large AI diffs

AI-assisted PRs over a threshold require explicit human approval before merge.

enforce · log
P-004
Flag suspicious patterns

Detect commit cadence, unusual hours, or off-policy assistants. Warn and log.

enforce · log
P-005
Approve assistant sources

Allowlist Copilot Business / Enterprise. Flag unsupported AI sources at the org level.

enforce · log
04 · Evidence

Audit-grade.
Not dashboard-grade.

Every decision is hashed, signed, and append-only. Exportable as CSV or JSON, streamable to Splunk, Datadog, or any SIEM via webhook. The artifact your auditor actually opens.

  • Append-only, content-addressed audit log
  • SHA-256 evidence hashes per decision
  • CSV / JSON export with signed manifest
  • Webhook + SIEM stream out of the box
  • Per-tenant retention controls
export · 2026-Q2-evidence.csvverified ✓
tsrepopolicydecision
14:22:08payments-coreP-001block
14:21:55api-gatewayP-004warn
14:20:11marketing-siteP-002allow
14:19:42hipaa-recordsP-001block
14:18:30data-platformP-005warn
14:17:08billing-svcP-003warn
14:15:55infra-tfP-001block
05 · Verify

Don't trust us.
Verify us.

Every public event is Ed25519-signed against the org's own key and chained to its predecessor. Paste any SentrAI proof URL — you'll get an independent yes-or-no in one round trip. No account, no SDK, no dashboard.

Verify an event
curl -X POST https://sentr-ai.lovable.app/api/public/verify/event \
  -H 'content-type: application/json' \
  -d '{"public_slug":"<slug>","event_id":"<uuid>"}'
Fetch the org's public key
curl https://sentr-ai.lovable.app/.well-known/sentrai/<slug>/keys.json
Embed a verify badge
<img src="https://sentr-ai.lovable.app/proof/<slug>/<uuid>/badge.svg" alt="SentrAI verified" />
sentrai · verify.eventidle
// response
// paste a proof URL above, then press Verify.
05 · Trust

Built to pass enterprise security review.

SAML SSO ready

SCIM-friendly identity model, role-based access from day one.

Tenant isolation

Per-org data partitioning. No cross-tenant queries by construction.

Signed ingress

GitHub webhook signature verification on every event.

Encrypted at rest

AES-256 storage, KMS-managed keys, secrets never in code.

Immutable logs

Append-only audit store with hash-chained entries.

Retention controls

Per-tenant retention windows. Right-to-delete respected.

SentrAI logo

Ship AI safely.
Prove it on paper.

We're onboarding a small cohort of design partners. 30-minute pilot, GitHub-only, your security team in the room.

No demo theater. We respond within 24h.