How it works

One signed evidence. Many decision reports.

Every scan becomes a signed CAI evidence package — dated, Ed25519-signed, tamper-evident, reproducible by us. The evidence is the raw material; the decision reports built on top are what you pay for. This is the conceptual heart of Assay.

✓ Signed evidence
checkout-service by acme · Adequate
CAI: 62 / 100
Trend: improving (up 17) over the last 8 scans.
45 → 62 (↑ +17)
Code health: 68
Architecture: 55
Maturity: 63
Readiness: 52
Security: 71
Measured: 1 July 2026 · 4.2M lines
Reproducible fingerprint: a3f9…e021
Shared with: 3 parties

A sample evidence artifact — dated, signed, verifiable. Not editable by the party who shares it.

The flow

From a seller's scan to your decision.

The typical path — a supplier who wants to sell proves their code, and you decide on the evidence.

Seller scans

The supplier scans their codebase on Watchdog. The first scan on every repo is free — so there's no excuse not to have evidence.

Watchdog signs

The result is issued as a dated, Ed25519-signed CAI evidence package — tamper-evident and pinned to a commit and a rubric version.

Seller shares

The supplier explicitly grants you access. Consent is built in — they want to be assessed.

You get a free copy

The shared evidence costs you nothing — and you can verify it's genuine against the signature and the reproducible fingerprint.

Reports are paid

You (or the seller) pay only for the decision reports built on top: consequences, due diligence, tender verification, compliance.

  1. Seller's repo: the supplier scans on Watchdog — the first scan is free
  2. Watchdog measures & signs: one reproducible CAI, pinned to a commit and a frozen rubric
  3. The registry holds: a dated, Ed25519-signed delivery — verifiable, not editable by the sharer
  4. Assay decides: consequences, due diligence, tender, compliance — reports on top of the evidence

The evidence exists once, signed — every decision report is built on top of it. Verify any package on cai.canine.dev/verify.

Two entry flows

There are two ways in — both end at the same place.

Whichever door you enter, you end with paid decision reports on top of a signed evidence package.

Entry A

The seller shares

A company that wants to sell its software (or itself) scans and shares the evidence voluntarily. Consent is built in — they want to be assessed. You receive a free, verifiable copy and commission the reports you need.

Entry B

You bring access

You're assessing a cooperative target — a supplier under contract, an acquisition with a signed LOI — and bring access to the code yourself. Assay collects the evidence for the engagement, and the reports are built on top.

The business model

One evidence → many reports.

The same signed evidence can carry different decision reports for different parties — each paid for by whoever needs it. You never pay for the measurement twice.

The seller's win-proof

The supplier attaches a signed attestation to their bid — proof of quality no slide deck can match.

Contract appendix & attestation →

Your consequences read

You get what the findings mean for you in plain language — value-at-risk, the risks to raise, what to do about them — before you commit.

Consequences report →

An acquirer's DD dossier

An investor gets a data-room-ready due-diligence dossier from the same evidence — comparable from LOI to close.

Due-diligence dossier →

The trust invariant

Why can you trust a shared proof?

Signed by us, not the sharer

A seller can't polish their own result.

The evidence is signed and reproducible by us — not editable by whoever shares it. You verify the package against our signature and its reproducible fingerprint. The thing that makes the evidence shareable is exactly the thing that makes it credible: the independence is built in.

No moving goalposts

The rubric can be frozen for the deal.

Pin the rubric at the letter of intent and every reading from LOI to close is scored against the same fixed yardstick — the same commit re-scores to the same number, so any movement you see is the asset changing, never the ruler. CAI 71 at LOI, 71 in diligence, 76 at close means exactly what it says.

Don't take our word for it either

The CAI is an open standard: the algorithm, the lenses and the rubric are public, and the reference scorer is open source. Run it over the evidence yourself — or have your own advisors do it — at cai.canine.dev/verify. The registry of signed deliveries lives at cai.canine.dev/registry.

Bring a shared survey — or bring the repo.

Either way, the next step is a conversation about the decision you need to make.