NORNR Governance audit before the first integration call, not after the first incident.


Repo audit wedge

Run a cold governance audit against the repo before you pitch the SDK.

The point is not to produce a generic scanner score. The point is to show exposed paths, review-required surfaces, missing control layers and one exact integration patch that moves the repo toward NORNR.

The audit should produce one sharp report, not another generic score.

If it cannot name the lane, the missing control and the next patch, it is still too generic to sell NORNR.

1 / Exposed paths

Show the consequential code paths first

List the code locations where provider spend, tool authority, vendor actions, billing changes, transfers or irreversible shell effects already exist.

2 / Recommended NORNR controls

Name the missing layer coldly

Each finding should state what NORNR would enforce there: intent, review, counterparty scope, packet survival or finance-safe export.

3 / Exact integration patch

Recommend one patch path that can actually be built this week

The point of the audit is to make the first NORNR lane obvious enough that a buyer or engineer can move immediately.

Paste one public GitHub repo and get the first audit report out.

This is the sales-engineering wedge version: one repo URL in, one named NORNR audit out, one patch path forward.

Public repo audit

Paste a public GitHub repo to produce the first report.

Audit output


The returned audit will name the repo, the high-risk exposures and the missing NORNR layers.

Top findings

The first report should show exposed paths, not a generic score.

Markdown report

```markdown
# NORNR Governance Audit

Paste a public GitHub repo URL above to generate the first report.
```

Start with one local repo, one path set or one GitHub URL.

The page and the CLI run the same audit engine, so outbound scans and internal analysis do not drift.

Audit repo

```bash
npm run audit:governance -- --root . --output reports/governance-audit.md
```

Audit specific surfaces

```bash
npm run audit:governance -- apps/api packages/sdk-py --max-findings 12
```

JSON output

```bash
npm run audit:governance -- --format json
```

Audit public GitHub repo

```bash
npm run audit:governance -- --github https://github.com/owner/repo --max-findings 8
```