Ovyero is the governance and audit layer for AI working with your codebase. Every AI-generated commit gets reviewed before it lands. Pass, warn, block, or override: every decision is logged in a permanent audit trail. You ship faster with AI, and you can still answer for what it did. Free forever for one developer.
jwt.sign() uses a short hardcoded string. Move secret to env var and use 256-bit minimum. See rule AUTH-007.
Watch Haylo review it. Every line. Policy, secrets, drift, all checked. Every verdict signed and logged.
A pre-commit hook sends the file to the critic layer. Critics run in parallel and return a verdict. The verdict is signed and appended to a hash-chained audit log. No LLM calls. No external data.
A git hook runs before your commit is created. It sends the changed file content to the critic server. Takes under 10ms to dispatch.
14 domain critics run in parallel: crypto, secrets, OWASP, supply-chain, auth, compliance, privacy, LLM safety, and more. Pattern-based, deterministic.
The server returns a verdict with the rule ID, a plain-English fix, and the domain that flagged it. GATE blocks the commit. WARN logs it and lets through. PASS is silent.
Every verdict is signed with a key bound to your account and appended to a hash-chained log. Tamper-evident. Exportable. Verifiable offline with ovyero verify.
AI assistants don't know your security policies or compliance posture. Ovyero looks for the fingerprints those mistakes leave in the code. Same file in, same verdict out, every time.
Catches hardcoded API keys, MD5/SHA1 usage, hardcoded IVs, and Math.random() used for tokens. AI pulls these patterns from training data full of textbook insecure examples.
signToken(). Replace with SHA-256.SQL concatenation into queries, eval(userInput), command injection via shell exec. These show up constantly in AI-generated code and are easy to miss in a busy PR.
Unpinned dependency versions, missing lockfiles, packages flagged for known CVEs. AI recommends packages by popularity and training data recency, not by current vulnerability status.
lodash unpinned. Pin to an exact version in package.json.Hardcoded JWT secrets, weak signing algorithms, OAuth scope misconfigurations, missing httpOnly on session cookies. Auth bugs are cheap at commit time and expensive after deployment.
jwt.sign() uses a hardcoded string. Move to a 256-bit env var.Plus data & privacy, LLM governance, infra & config, observability, and compliance risk patterns. See FAQ for how critics work.
Every governance decision is deterministic. Same file in, same verdict out. You can audit why a commit was blocked without trusting a model's judgment.
Critics are code, not models. md5( in a crypto file is always a flag. No hallucinations, no false negatives from a bad prompt day. The rule either matches or it doesn't.
The critic server runs your patterns locally. No call to a third-party LLM on every commit. Verdicts come back in under 500ms. Your git workflow doesn't notice.
Every verdict is hash-chained. Run ovyero verify and get a pass/fail on the chain's integrity. No black box. No vendor trust required. The log is yours.
Ovyero governance is triggered by git, not by your AI assistant. Copilot, Cursor, Claude Code, or none of them: whatever wrote the code, the same critic layer runs before it lands.
Ovyero is free forever for one developer. Pay for Pro only if you want to back the project. Teams pay per seat.
Everything in the product, free forever for one developer. After the 30-day trial you stay on Free, no credit card.
The whole product, for one developer. No credit card, ever.
Same product as Free. Pay only if you want to back the project.
$29/mo includes the admin seat, then $12 for each additional developer.
Regulated orgs and larger teams. Compliance-ready audit trail.
Verdicts come back in about a second. Most engineers don't notice it ran. They only notice when something needs fixing.
Mostly deterministic. That means pattern matching, AST analysis, and schema validation. A few rules use an LLM as a judge (clearly labeled as such). The deterministic rules give the same verdict for the same input, every time.
Source transits our server only during critic evaluation. It is not retained on disk, in databases, in backups, or in our audit log. Only verdict metadata (rule ID, file path, severity) is persisted.
Not yet. The rule set is curated and maintained by us. Custom rule authoring is on the roadmap (see projected pricing). For now, you tune which domains run via your project type.
Language-agnostic where rules are pattern- or AST-based, so it works on any text-based source. Some domains are language-specific, most apply broadly.
For genuine emergencies there's a bypass flag, and every use of it is recorded in the audit log. No silent skips.
Where this is going
Ovyero today catches the structural mistakes that have a known fingerprint. Ovyero tomorrow governs every layer of autonomous AI computation: generation, execution, memory, deployment. The critic mesh and audit chain you're using now are the foundation of that system.