Code verification tied to approved intent.
Requirements from design review and threat modeling are tracked through implementation and validated against pull requests with attached evidence.
Requirements that stay attached to delivery.
Verification status updates as code evolves, giving teams a shared view of what is unresolved, partially complete, and fully verified.
crypto/hmac · crypto/sha256. Store the HMAC signing key in Secrets Manager; rotate every 90 days. Retain records per the 7-year compliance policy, soft-archival only.Decisions backed by implementation evidence.
Each requirement includes expected implementation evidence, and verification reruns as code changes to keep decisions current.
Close the loop from approved intent to merged code.
Bi-directional traceability
Each requirement links to its source finding, PRs, and Jira tickets.
Four states, continuously updated
Pending fix, missing, partial, and verified, updated automatically as PRs merge.
Reference implementations
The agent specifies the libraries, config and code shape it expects, then checks the real diff against it.
Run on demand
Trigger verification per requirement, or let it re-evaluate continuously as code lands.
Export & report
Filter by source, app or component; export the queue as CSV for evidence.
Webhook-native
PR activity flows in over webhooks, no polling, no manual status updates.