Documentation

Install, configure, and verify with Integrity Gate.

Service: Integrity Gate v5.0 / QCM/2 · Backend: integrity-gate.epochcoreras.workers.dev

1. Install & uninstall

Install

  1. Visit the GitHub Marketplace listing.
  2. Click Add and choose the account or organization.
  3. Select repositories — either All repositories or specific ones. The Free tier is limited to public repositories (see Free-tier limits).
  4. Review the requested permissions (see below) and confirm the install.

What happens on install: the app subscribes to push, workflow_run, check_suite, and check_run events on your selected repositories. No code is read or stored — only file paths, commit SHAs, and event metadata. See the Privacy Policy for the full data inventory.

Uninstall

  1. Open GitHub Settings → Applications → Installed GitHub Apps.
  2. Find Integrity Gate and click Configure.
  3. Scroll to the bottom and click Uninstall.

Your data is deleted within 30 days per the Privacy Policy. Verification logs are retained for 90 days.

2. GitHub App permissions

| Permission | Access | Why it’s needed |
|---|---|---|
| Contents | Read | Read file paths and commit SHAs to compute integrity hashes. |
| Metadata | Read | Standard GitHub App requirement — lists repositories the app is installed on. |
| Pull requests | Read & write | Post commit status checks and PR comments with verification results. |
| Checks | Read & write | Create check runs for AI provenance, contract diffs, and pipeline trust scores. |
| Actions | Read | Read workflow_run conclusions to feed SLSA scoring and pipeline anomaly detection. |

What we do NOT receive: file contents, secrets, branch protection settings, or organization member lists. Webhook signatures are verified with HMAC-SHA256 before any processing.

3. Webhook events the app handles

| Event | Trigger | What the app does |
|---|---|---|
| push | Any push to any branch | Computes BLAKE3 over each changed file path manifest + signs with the RAS root, writes a seal receipt to R2 bucket epochcore-genesis, posts a commit status check. |
| workflow_run | GitHub Actions workflow completes | Captures conclusion, duration, attempt count. Feeds the SLSA L1–L4 scorer and the pipeline anomaly detector (timing spikes, suspicious fast builds, streak breaks). |
| check_suite | Check suite created or completed | Aggregates per-commit check coverage, builds the 6-component trust score, posts a unified check run. |
| check_run | Individual check run state change | Updates SBOM coverage and artifact-signing telemetry per check. |

Webhook endpoint: POST https://integrity-gate.epochcoreras.workers.dev/api/github/webhook. All events are signed with the per-installation webhook secret and verified with HMAC-SHA256 before any processing. Requests that fail verification are rejected with HTTP 401 and never reach the seal pipeline.
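
The signature check described above, as an added example (not Integrity Gate's own code): GitHub sends the HMAC-SHA256 of the raw request body in the X-Hub-Signature-256 header as sha256=<hex>, and a receiver recomputes it with the webhook secret before doing anything else. The function names, the sample secret and payload, and the 202 success code are assumptions; only the 401 on rejection comes from this page.

```python
import hashlib
import hmac

SIG_HEADER = "x-hub-signature-256"  # header GitHub sets on signed deliveries
PREFIX = "sha256="


def signature_ok(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the header carries a valid HMAC-SHA256 of the raw body."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    sig = lowered.get(SIG_HEADER, "")
    if not sig.startswith(PREFIX):
        return False  # unsigned delivery or a different algorithm
    # MAC the exact bytes received; re-serialised JSON would not match.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing leaks no partial match.
    return hmac.compare_digest(expected.encode(), sig[len(PREFIX):].encode())


def handle(secret, raw_body, headers, seal_pipeline):
    """Run seal_pipeline only for authenticated deliveries; 401 otherwise."""
    if not signature_ok(secret, raw_body, headers):
        return 401
    seal_pipeline(raw_body)
    return 202  # success code is an assumption, the page names only 401


# Constructed sample delivery; secret and payload are made up.
SECRET = b"constructed-example-secret"
BODY = b'{"ref":"refs/heads/main","after":"0123abcd"}'
GOOD = {"X-Hub-Signature-256": PREFIX + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    sealed = []
    print(handle(SECRET, BODY, GOOD, sealed.append))         # valid delivery
    print(handle(SECRET, BODY + b" ", GOOD, sealed.append))  # body altered
    print(handle(SECRET, BODY, {}, sealed.append))           # header missing
    print(len(sealed))                                       # pipeline runs
```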

4. API reference

The public API is hosted at https://integrity-gate.epochcoreras.workers.dev. Endpoints that mutate state require an API key in the X-API-Key header; read endpoints listed below are public.

Trinity (seal store)

GET /api/trinity/status

Returns the operational status of the seal pipeline, total seal count, coherence metrics, and last seal timestamp.

$ curl -s https://integrity-gate.epochcoreras.workers.dev/api/trinity/status
{
  "system": "Trinity Flash Sync",
  "version": "QCM/1",
  "stats": {
    "total_seals": 926,
    "avg_coherence": 0.9997296989740821,
    "min_coherence": 0.74999925,
    "max_coherence": "1.0000_ABSOLUTE",
    "high_coherence_count": 925,
    "last_seal_time": "2025-12-11 21:37:38"
  },
  "status": "OPERATIONAL",
  "r2_bucket": "epochcore-genesis"
}

GET /api/trinity/r2/list — list seal object keys in the R2 bucket.

GET /api/trinity/r2/stats — aggregate object counts and bucket size.

POST /api/trinity/r2/sync — trigger an out-of-band reconcile (requires X-API-Key).

Seal and verify

GET /api/seal/:id

Retrieve a seal by its ID. Returns the BLAKE3 hash, RAS signature, coherence value, and the commit SHA it was minted for.

GET /api/verify/:hash

Verify a hash against the seal store. Returns 200 OK with the seal record if the hash matches a known seal, 404 if not.

GitHub App

POST /api/github/webhook — GitHub-only. HMAC-SHA256 verified.

GET /api/github/status — installation health summary.

GET /api/github/installations — list installation IDs the app is currently active on.

5. Free-tier limits

| Resource | Free | What happens at the cap |
|---|---|---|
| Seals per month | 100 | New push events are accepted but not sealed — commit status posts an at-cap advisory. |
| Verifications per month | 1,000 | /api/verify/:hash returns HTTP 429 with a Retry-After header set to the next reset. |
| Repository visibility | Public only | Private repositories are silently skipped on the Free tier. |
| Support | Community | Discord and GitHub Issues; no SLA on response time. |

See the pricing section on the home page for Pro and Enterprise tiers (unlimited repos, blocking enforcement, priority support).

6. Compliance posture

Integrity Gate is designed to support evidence packs for the following frameworks. These statements describe what the system is built to support — not a certification claim. Pilot artifacts and SOC-2-ready evidence are available on request.

7. Troubleshooting

The app installed but no commit status checks appear

Confirm the webhook is reaching the backend — check https://integrity-gate.epochcoreras.workers.dev/api/github/installations and look for your installation ID. If it’s missing, reinstall the app from the Marketplace listing.

Verification returns HTTP 429

You’ve hit the Free-tier verification cap (1,000/month). Wait for the next monthly reset (Retry-After header indicates when) or upgrade.

I see seals being created but coherence is low

Coherence below 0.999 typically indicates a partial manifest — usually caused by binary files larger than the per-file limit being skipped. The seal is still valid for the files it covered; check the seal’s skipped_paths field via GET /api/seal/:id.
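
An added example, not part of Integrity Gate's API or tooling: how a CI step might interpret a /api/verify/:hash response, covering 200, 404, the 429 cap with Retry-After in either of its HTTP forms, and the low-coherence case. The `coherence` key name, the verdict labels and the sample records are assumptions; `skipped_paths` and the 0.999 threshold are from this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COHERENCE_FLOOR = 0.999  # threshold quoted in the troubleshooting note


def retry_after_seconds(value, now):
    """Retry-After may be delta-seconds or an HTTP-date; return seconds or None."""
    if not value:
        return None
    value = value.strip()
    if value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # treat a zone-less date as UTC
        when = when.replace(tzinfo=timezone.utc)
    return max(0, int((when - now).total_seconds()))


def classify(status, headers, record, now):
    """Turn one verify response into a decision a CI gate can act on."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 404:
        return {"verdict": "unsealed"}  # hash matches no known seal
    if status == 429:  # cap reached: result unknown, not a failed check
        wait = retry_after_seconds(headers.get("retry-after"), now)
        return {"verdict": "retry", "wait_s": wait}
    if status != 200:
        return {"verdict": "error", "status": status}
    coherence = record.get("coherence")  # assumed key name
    if isinstance(coherence, (int, float)) and coherence < COHERENCE_FLOOR:
        # Seal is valid only for the files it covered; surface the rest.
        return {"verdict": "partial", "skipped_paths": record.get("skipped_paths", [])}
    return {"verdict": "sealed"}


# Constructed sample responses (not captured from the service).
NOW = datetime(2025, 12, 31, 23, 0, tzinfo=timezone.utc)
FULL = {"coherence": 0.99999, "skipped_paths": []}
PARTIAL = {"coherence": 0.74999925, "skipped_paths": ["assets/model.bin"]}

if __name__ == "__main__":
    print(classify(200, {}, FULL, NOW))
    print(classify(200, {}, PARTIAL, NOW))
    print(classify(429, {"Retry-After": "Thu, 01 Jan 2026 00:00:00 GMT"}, None, NOW))
```

Treating 429 as "retry" rather than as a failed verification keeps a rate-limited build from being reported as an integrity failure.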

Need help?

Contact support@epochcore.com or open an issue on the Marketplace listing. See also Support.

Integrity Gate is an EpochCore™ product. Built on the sealed-for-ai™ primitive (patent pending). Anchored to RAS root 40668c787c463ca5 under the EpochCore Quantum Computing Systems matrix.