
NORNR / Governance audit

Repo audit wedge

Paste one repo and get the first calm review boundary plus the exact patch path.

The point is not to produce another scanner score. The point is to show where consequential agent intent already escapes review, where mandate and counterparty posture are too weak to defend, then hand back one buyer-safe first move, one exact file to touch and one install path that can ship now.

This should be the first NORNR page a technical buyer touches after visibility-first discovery.

Shadow discovery first, audit second, install third, widen into the right lane fourth, then carry the same lane into evidence once the buyer is warm.

0 / Discovery

Use visibility-first framing before you ask for an install

Lead with hidden agent or provider spend escaping review. Let Governance Audit turn that visibility into one repo-specific recommendation.

1 / Audit

Show the exposed path in their repo

Start cold with one public GitHub URL and one report that names the missing NORNR layer precisely.

2 / Install

Use Budget Shield as the first install-first proof

Once the repo risk is legible, put NORNR in the pull request so the team sees the control story before merge.

3 / Lane

Choose wrappers, browser governance or MCP based on where the risk lives

Provider spend should usually go to wrappers first. Browser-visible vendor actions should usually go to browser governance first. Local tool authority should usually go to MCP and Cursor rules first.

4 / Proof

Carry the same lane into monthly memo and artifact proof

When the buyer is warm, the same governed lane should survive into audit memo, bundle and verifier-readable manifest.

The audit should produce one exact first move, not another generic report.

If it cannot name the lane, the missing review boundary, the first file to touch and the next install path, it is still too generic to sell NORNR.

1 / Exposed paths

Show the consequential code paths first

List the code locations where provider spend, tool authority, vendor actions, billing changes, transfers or irreversible shell effects already exist.

2 / Recommended NORNR controls

Name the missing layer coldly

Each finding should state what NORNR would enforce there: intent, mandate, policy decision, counterparty scope, packet survival or finance-safe audit export.

3 / Exact integration patch

Recommend one patch path that can actually be built this week

The point of the audit is to make the first NORNR lane obvious enough that a buyer or engineer can move immediately, not book a meeting to decode it.
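To make the audit shape above concrete, here is a small added example (not NORNR's own audit motor) that scans an in-memory repo for consequential paths, maps each to the lane described above (provider spend to wrappers, browser-visible vendor actions to browser governance, local tool authority to MCP), honours the `exclude` list from `.nornr-pr-audit.json` and the `--max-findings` cap, and returns the one first move. The signal patterns, weights and sample files are assumptions constructed for illustration.

```javascript
// Added example, not NORNR's own code: a minimal "audit motor" that lists
// consequential code paths and maps each to a NORNR lane.
// The patterns, weights and sample repo below are constructed assumptions.
const SIGNALS = [
  // Local tool authority / irreversible shell effects -> MCP and Cursor rules lane
  { kind: "tool authority", lane: "mcp", weight: 3,
    re: /\b(execSync|spawnSync|execFile|spawn)\s*\(/ },
  // Provider spend (LLM API calls) -> wrappers lane
  { kind: "provider spend", lane: "wrappers", weight: 2,
    re: /\b(openai|anthropic)\.[\w.]*(create|messages)\s*\(/ },
  // Browser-visible vendor action -> browser governance lane
  { kind: "vendor action", lane: "browser governance", weight: 1,
    re: /\bpage\.(click|fill|submit)\s*\(/ },
];

// Same shape as the page's .nornr-pr-audit.json, plus the CLI's --max-findings cap.
const CONFIG = { exclude: ["tests/", "docs/"], maxFindings: 8 };

// files: { path -> source text }; the constructed SAMPLE_REPO stands in for a checkout.
function auditRepo(files, config = CONFIG) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (config.exclude.some((prefix) => path.startsWith(prefix))) continue;
    text.split("\n").forEach((lineText, i) => {
      for (const s of SIGNALS) {
        if (s.re.test(lineText)) {
          findings.push({ path, line: i + 1, kind: s.kind, lane: s.lane,
                          weight: s.weight, snippet: lineText.trim() });
        }
      }
    });
  }
  // Rank by weight (assumed severity), then path and line for a stable review order.
  findings.sort((a, b) => b.weight - a.weight || a.path.localeCompare(b.path) || a.line - b.line);
  return findings.slice(0, config.maxFindings);
}

// Collapse raw findings into named lanes (the "grouped conclusions" of the report).
function groupLanes(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.lane]: (acc[f.lane] || 0) + 1 }), {});
}

// The single first move: top-ranked path, its lane and the missing review boundary.
function firstMove(findings) {
  if (findings.length === 0) return null;
  const top = findings[0];
  return { file: top.path, line: top.line, lane: top.lane,
           boundary: `${top.kind} at ${top.path}:${top.line} runs without a review step` };
}

// Constructed sample repo (not a real project); tests/ is excluded by CONFIG.
const SAMPLE_REPO = {
  "apps/api/llm.js": "const r = await openai.chat.completions.create({ model });\n",
  "apps/worker/deploy.js": "const { execSync } = require('child_process');\nexecSync(`rm -rf ${dir}`);\n",
  "apps/web/checkout.js": "await page.click('#confirm-subscription');\n",
  "tests/llm.test.js": "openai.chat.completions.create({});\n",
};
```

Running `firstMove(auditRepo(SAMPLE_REPO))` names the shell effect in `apps/worker/deploy.js` as the first path and `mcp` as its lane, which is the one-file, one-lane answer the audit is meant to return.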

Paste one public GitHub repo and get the first patch machine out.

This is the wedge version: one repo URL in, one named NORNR path out, one first patch forward.

Public repo audit

Paste a public GitHub repo to produce the first path, first patch and first install recommendation.

Exact first patch

Run the audit to get one exact file, one exact first edit, one PR-ready body and one narrow install path.

What we saw

The first consequential path will appear here after the audit.

Exact first patch

Run the audit to get the exact first file and edit.

First edit

The audit will name the first calm edit once the path is clear.

Owner + reviewer

The audit will suggest who should own and review the first patch.

PR-ready body

The audit will generate a PR body once the path is clear.

First install

The audit will recommend one calm boundary once the path is ranked.

What comes after

The audit will name the next patch after the first calm boundary is live.

Audit output

The returned audit will name the repo, the first consequential path and the missing NORNR review boundary.

The first useful audit should end with one buyer-safe sentence and one exact NORNR lane.

Grouped conclusions

The first useful audit should collapse raw findings into 2-3 named NORNR lanes.

Priority findings

The first report should show exposed paths, not a generic score.

Audit packet
Recommended lane

Run an audit to get one exact install recommendation.

Outreach summary

The page will generate a copyable outreach snippet after the first report.

Saved packet

Run an audit and save an immutable packet to compare future passes against.

Audience modes

The packet will tailor the same audit for founders, engineering leads, security/ops and builders.

Install bundle

Move straight from repo risk into one pull-request guardrail.

Run an audit first. The page will then generate a ready workflow, a local config and one patch path you can ship now.

.github/workflows/nornr-budget-shield.yml

```yaml
name: NORNR Budget Shield

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: NORNR/nornr-budget-shield@v1
        with:
          severity: review-first
```
.nornr-pr-audit.json

```json
{
  "severity": "review-first",
  "exclude": ["tests/", "docs/"],
  "rules": []
}
```
Pilot motion

Turn the repo result into one lane review.

The exact next move after one useful audit should be narrow: install one calm boundary, keep one defended record, then apply with the same lane instead of booking a vague demo.

Markdown report

```markdown
# NORNR Governance Audit

Paste a public GitHub repo URL above to generate the first report.
```

Use real repos, real PR comments and real before/after install surfaces.

This is the proof library that makes Governance Audit easier to send. Show one repo, one comment and one exact install path instead of asking people to imagine the PR guardrail.

Demo repo / install-first

NORNR Budget Shield demo repo

Before: no PR-level control story. After: one review-first comment on a real pull request.

Real comment / mixed surfaces

NORNR MCP control demo pull request

Before: MCP, provider and payment surfaces entered the repo silently. After: one NORNR PR audit comment names the mixed consequential paths clearly.

Action repo / public install

Standalone action with release and Marketplace surface

Before: internal monorepo action. After: public install surface with versioned releases, screenshot proof and one-line setup.

Screenshot proof / comment shape

Use the actual comment, not a mocked card

The screenshot in the public action repo shows the exact review-first comment teams will see before merge.

Browser proof / consequential click

Browser-visible consequence should still route into the same NORNR control model

Use the browser governance package when the risky moment is checkout, vendor confirmation, subscription change or an admin click that should never settle as ambient automation.

Start with one local repo, one path set or one GitHub URL.

The page and CLI run the same audit motor, so outbound scans and internal analysis do not drift.

Audit repo

```bash
npm run audit:governance -- --root . --output reports/governance-audit.md
```

Audit specific surfaces

```bash
npm run audit:governance -- apps/api packages/sdk-py --max-findings 12
```

JSON output

```bash
npm run audit:governance -- --format json --output reports/governance-audit.json
```

Printable packet

```bash
npm run audit:governance -- --format html --output reports/governance-audit.html
```

Audit public GitHub repo

```bash
npm run audit:governance -- --github https://github.com/owner/repo --max-findings 8
```