Enforce. Audit.
Trust AI code.
The merge-time enforcement layer and tamper-evident audit trail for AI-assisted software development. Govern every Copilot, Cursor, Claude Code, and Codex merge. Block what's risky, document what's approved, hand auditors a signed chain of custody.
A required GitHub Check that fails on policy violations. AI-authored changes to regulated paths cannot ship without explicit approval.
Every decision logged and tagged to SOC 2, HIPAA, PCI-DSS, ISO 27001, and EU AI Act controls. Append-only.
Tamper-evident evidence packs your auditor can verify. SHA-256 hash chain, signed with your org's key.
Example rows — no organizations are publishing their ledger publicly yet.
{
"id": "ae_01HZX...c4",
"decision": "block",
"policy": "P-001",
"repo": "acme/payments-core",
"actor": "dlin",
"ai_source": "github_copilot",
"evidence_hash": "sha256:9c2e…",
"ts": "2026-06-04T14:22:08Z",
"signed_by": "sentrai-prod-1"
}AI is in your repos.
Your controls aren't.
Copilot ships code into your monorepo every minute. Security teams are asked to sign off — without policy, without scope, without evidence. Generic AppSec doesn't answer the question. Neither does a dashboard.
SentrAI is a thin, opinionated control plane: scope where AI is allowed, block what it shouldn't touch, and keep signed audit evidence your auditors will accept.
From GitHub event to audit evidence in one path.
Install the SentrAI GitHub App on your enterprise org. Read audit logs and Copilot-related events. No code access required.
Mark repos as regulated. Assign approved teams. Define which AI activity is allowed where.
Each event is evaluated against a small, explainable rule set. Decisions: allow, warn, block — every time.
Signed, immutable audit entries. Export to CSV/JSON or stream to your SIEM. Hand to your auditor.
Five rules.
Not five hundred.
A small, explainable policy set your security team can defend in writing — not a YAML jungle that drifts within a quarter.
No Copilot activity in repos tagged hipaa, pci, sox, or regulated. Hard block, logged with reason.
Only members of approved GitHub teams may push AI-assisted commits to scoped repos.
AI-assisted PRs over a threshold require explicit human approval before merge.
Detect commit cadence, unusual hours, or off-policy assistants. Warn and log.
Allowlist Copilot Business / Enterprise. Flag unsupported AI sources at the org level.
Audit-grade.
Not dashboard-grade.
Every decision is hashed, signed, and append-only. Exportable as CSV or JSON, streamable to Splunk, Datadog, or any SIEM via webhook. The artifact your auditor actually opens.
- Append-only, content-addressed audit log
- SHA-256 evidence hashes per decision
- CSV / JSON export with signed manifest
- Webhook + SIEM stream out of the box
- Per-tenant retention controls
| ts | repo | policy | decision |
|---|---|---|---|
| 14:22:08 | payments-core | P-001 | block |
| 14:21:55 | api-gateway | P-004 | warn |
| 14:20:11 | marketing-site | P-002 | allow |
| 14:19:42 | hipaa-records | P-001 | block |
| 14:18:30 | data-platform | P-005 | warn |
| 14:17:08 | billing-svc | P-003 | warn |
| 14:15:55 | infra-tf | P-001 | block |
Don't trust us.
Verify us.
Every public event is Ed25519-signed against the org's own key and chained to its predecessor. Paste any SentrAI proof URL — you'll get an independent yes-or-no in one round trip. No account, no SDK, no dashboard.
curl -X POST https://sentr-ai.lovable.app/api/public/verify/event \
-H 'content-type: application/json' \
-d '{"public_slug":"<slug>","event_id":"<uuid>"}'curl https://sentr-ai.lovable.app/.well-known/sentrai/<slug>/keys.json
<img src="https://sentr-ai.lovable.app/proof/<slug>/<uuid>/badge.svg" alt="SentrAI verified" />
Built to pass enterprise security review.
SCIM-friendly identity model, role-based access from day one.
Per-org data partitioning. No cross-tenant queries by construction.
GitHub webhook signature verification on every event.
AES-256 storage, KMS-managed keys, secrets never in code.
Append-only audit store with hash-chained entries.
Per-tenant retention windows. Right-to-delete respected.

Ship AI safely.
Prove it on paper.
We're onboarding a small cohort of design partners. 30-minute pilot, GitHub-only, your security team in the room.