One signed evidence. Many decision reports.
Every scan becomes a signed CAI evidence package — dated, Ed25519-signed, tamper-evident, reproducible by us. The evidence is the raw material; the decision reports built on top are what you pay for. This is the conceptual heart of Assay.
A sample evidence artifact — dated, signed, verifiable. Not editable by the party who shares it.
From a seller's scan to your decision.
The typical path — a supplier who wants to sell proves their code, and you decide on the evidence.
Seller scans
The supplier scans their codebase on Watchdog. The first scan on every repo is free — so there's no excuse not to have evidence.
Watchdog signs
The result is issued as a dated, Ed25519-signed CAI evidence package — tamper-evident and pinned to a commit and a rubric version.
Seller shares
The supplier explicitly grants you access. Consent is built in — they want to be assessed.
You get a free copy
The shared evidence costs you nothing — and you can verify it's genuine against the signature and the reproducible fingerprint.
Reports are paid
You (or the seller) pay only for the decision reports built on top: consequences, due diligence, tender verification, compliance.
- Seller's repo: the supplier scans on Watchdog — the first scan is free
- Watchdog measures & signs: one reproducible CAI, pinned to a commit and a frozen rubric
- The registry holds: a dated, Ed25519-signed delivery — verifiable, not editable by the sharer
- Assay decides: consequences, due diligence, tender, compliance — reports on top of the evidence
The evidence exists once, signed — every decision report is built on top of it. Verify any package on cai.canine.dev/verify.
There are two ways in — both end at the same place.
Whichever door you enter, you end with paid decision reports on top of a signed evidence package.
The seller shares
A company that wants to sell its software (or itself) scans and shares the evidence voluntarily. Consent is built in — they want to be assessed. You receive a free, verifiable copy and commission the reports you need.
You bring access
You're assessing a cooperative target — a supplier under contract, an acquisition with a signed LOI — and bring access to the code yourself. Assay collects the evidence for the engagement, and the reports are built on top.
One evidence → many reports.
The same signed evidence can carry different decision reports for different parties — each paid for by whoever needs it. You never pay for the measurement twice.
The seller's win-proof
The supplier attaches a signed attestation to their bid — proof of quality no slide deck can match.
Contract appendix & attestation →
Your consequences read
You get what the findings mean for you in plain language — value-at-risk, the risks to raise, what to do about them — before you commit.
Consequences report →
An acquirer's DD dossier
An investor gets a data-room-ready due-diligence dossier from the same evidence — comparable from LOI to close.
Due-diligence dossier →
Why can you trust a shared proof?
A seller can't polish their own result.
The evidence is signed and reproducible by us — not editable by whoever shares it. You verify the package against our signature and its reproducible fingerprint. The thing that makes the evidence shareable is exactly the thing that makes it credible: the independence is built in.
The rubric can be frozen for the deal.
Pin the rubric at the letter of intent and every reading from LOI to close is scored against the same fixed yardstick — the same commit re-scores to the same number, so any movement you see is the asset changing, never the ruler. CAI 71 at LOI, 71 in diligence, 76 at close means exactly what it says.
Bring a shared survey — or bring the repo.
Either way, the next step is a conversation about the decision you need to make.