How it works
One signed evidence. Many decision reports.
Every scan becomes a signed CAI evidence package — dated, Ed25519-signed, tamper-evident, reproducible by us. The evidence is the raw material; the decision reports built on top are what you pay for. This is the conceptual heart of Assay.
The flow
From a seller's scan to your decision.
The typical path — a supplier who wants to sell proves their code, and you decide on the evidence.
Seller scans
The supplier scans their codebase on Watchdog. The first scan on every repo is free — so there's no excuse not to have evidence.
Watchdog signs
The result is issued as a dated, Ed25519-signed CAI evidence package — tamper-evident and pinned to a commit and a rubric version.
Seller shares
The supplier explicitly grants you access. Consent is built in — they want to be assessed.
You get a free copy
The shared evidence costs you nothing — and you can verify it's genuine against the signature and the reproducible fingerprint.
Reports are paid
You (or the seller) pay only for the decision reports built on top: consequences, due diligence, tender verification, compliance.
Two entry flows
There are two ways in — both end at the same place.
Whichever door you enter, you end with paid decision reports on top of a signed evidence package.
Entry A
The seller shares
A company that wants to sell its software (or itself) scans and shares the evidence voluntarily. Consent is built in — they want to be assessed. You receive a free, verifiable copy and commission the reports you need.
Entry B
You bring access
You're assessing a cooperative target — a supplier under contract, an acquisition with a signed LOI — and bring access to the code yourself. Assay collects the evidence for the engagement, and the reports are built on top.
The business model
One evidence → many reports.
The same signed evidence can carry different decision reports for different parties — each paid for by whoever needs it. You never pay for the measurement twice.
The seller's win-proof
The supplier attaches a signed attestation to their bid — proof of quality no slide deck can match.
Your consequences read
You get what the findings mean for you in plain language — value-at-risk, the risks to raise, what to do about them — before you commit.
An acquirer's DD dossier
An investor gets a data-room-ready due-diligence dossier from the same evidence — comparable from LOI to close.
The trust invariant
Why can you trust a shared proof?
Signed by us, not the sharer
A seller can't polish their own result.
The evidence is signed and reproducible by us — not editable by whoever shares it. You verify the package against our signature and its reproducible fingerprint. The thing that makes the evidence shareable is exactly the thing that makes it credible: the independence is built in.
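The check described above, as an added example in Go (not Assay's or the CAI project's own code). The package layout, field names, sample commit id and the Issue, Verify and NewKey helpers are assumptions, since the page does not show the real format. The recipient verifies against an issuer key pinned out of band, so an edited or re-signed copy fails.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Evidence is a hypothetical layout; the real CAI package format is not shown on the page.
type Evidence struct {
	Commit, Rubric, Date string
	Score                int
	Sig                  []byte // issuer's Ed25519 signature over canonical()
}

// canonical returns the exact bytes that are signed. %q quotes each string,
// so field boundaries cannot be shifted by crafted values.
func (e Evidence) canonical() []byte {
	return []byte(fmt.Sprintf("commit=%q rubric=%q date=%q score=%d", e.Commit, e.Rubric, e.Date, e.Score))
}

// Issue signs on the issuer's side; the sharer never holds priv.
func Issue(priv ed25519.PrivateKey, e Evidence) Evidence {
	e.Sig = ed25519.Sign(priv, e.canonical())
	return e
}

// Verify checks the signature against a key the recipient pinned out of band
// (never a key delivered with the package), then checks the pins the deal fixed.
func Verify(pinned ed25519.PublicKey, e Evidence, commit, rubric string) error {
	if !ed25519.Verify(pinned, e.canonical(), e.Sig) {
		return errors.New("signature invalid: not issued by pinned key, or altered")
	}
	if e.Commit != commit || e.Rubric != rubric {
		return errors.New("valid signature, but for a different commit or rubric")
	}
	return nil
}

// NewKey generates a constructed demo key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return pub, priv
}

func main() {
	pub, priv := NewKey()
	e := Issue(priv, Evidence{Commit: "3f2a9c1", Rubric: "v1", Date: "2025-01-15", Score: 71}) // constructed values
	fmt.Println("genuine:", Verify(pub, e, "3f2a9c1", "v1"))
	e.Score = 90 // the sharer edits the number after issuance
	fmt.Println("edited: ", Verify(pub, e, "3f2a9c1", "v1"))
}
```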
No moving goalposts
The rubric can be frozen for the deal.
Pin the rubric at the letter of intent and every reading from LOI to close is scored against the same fixed yardstick — the same commit re-scores to the same number, so any movement you see is the asset changing, never the ruler. CAI 71 at LOI, 71 in diligence, 76 at close means exactly what it says.
Don't take our word for it either
The CAI is an open standard: the algorithm, the lenses and the rubric are public, and the reference scorer is open source. Run it over the evidence yourself — or have your own advisors do it — at cai.canine.dev/verify. The registry of signed deliveries lives at cai.canine.dev/registry.
Bring a shared survey — or bring the repo.
Either way, the next step is a conversation about the decision you need to make.