ProvenanceCode Use cases Governed coding agent

⌨ Coding Agent Governance

Cursor writes the code. ProvenanceCode decides what ships.

AI coding agents like Cursor are producing code at unprecedented speed. Policy Gateway intercepts every consequential action — file writes, git commits, dependency changes, deployment triggers — evaluates them against your policy, and routes high-risk changes to a named human before they execute. Every decision recorded.

Request a pilot → See DevOps use case →

cursor → policy-gateway · intercept

// Cursor attempts to push to main...

action: "git.push"
branch: "main"
files: ["auth/middleware.ts", "api/payments.ts"]
diff_size: +847 / -12 lines

→ risk factors detected:
auth/ path touched
payments/ path touched
no DEO decision record found
risk_level: HIGH

✗ push blocked
→ DEO required for auth + payments changes
→ Verity: create decision record to proceed

How it works

From Cursor prompt to governed commit.

Developer prompts Cursor

Developer asks Cursor to implement a feature — "add rate limiting to the payments API." Cursor plans the changes across multiple files including auth middleware, payment routes, and database schema.

// Cursor intent
task: "Add rate limiting to payments API"
files_planned: ["auth/", "api/payments.ts", "db/migrations/"]

ProvenanceCode intercepts before commit

Policy Gateway evaluates the planned changeset. Auth paths + payment paths = HIGH risk. The commit is held. Cursor is told it needs a Decision Evidence Object (DEO) before this change can proceed.

HIGH risk · DEO required

Verity generates the decision record

The developer uses Verity to create a DEO — a structured record capturing the intent, the options considered, the chosen approach, the risk acknowledgement, and the rationale. This record lives in the repo alongside the code.

decisions/2026-04-25-rate-limiting/
├─ decision.json ← machine-readable
├─ decision.md ← human narrative
└─ acceptance.receipt.json ← signed

Named reviewer approves in PR

The PR is automatically labelled with the risk classification. The reviewer sees the DEO alongside the diff — intent, options considered, risk acknowledgement. They approve with their identity recorded and timestamped.

Approved · named reviewer · timestamp sealed

Commit proceeds · provenance record sealed

Policy Gateway validates the signed receipt, confirms the DEO covers the changeset, and permits the commit. The provenance chain is sealed — the decision, the code change, and the approval are cryptographically linked. Institutional memory is created.

Commit merged · provenance chain sealed · SIEM logged

Why teams use this

What governed coding agents give you.

🧠

Institutional memory

Every significant AI-assisted decision lives in the repo. Six months later, when someone asks "why was auth structured this way?" — the DEO answers it. The AI and the human reasoning are both recorded.

🛡️

Audit-ready from day one

SOC 2, ISO 27001, and an increasing number of enterprise procurement requirements ask: "how do you govern AI-generated code?" The DEO trail is your answer — structured, queryable, tamper-evident.

⚡️

Speed for low-risk changes

CSS tweaks, copy changes, test additions — low-risk changes flow through without gates. Governance overhead is proportional. Developers aren't slowed down on routine tasks.

📋

EU AI Act alignment

For teams building high-risk AI systems, the DEO provides the documentation trail that Art. 9 and Art. 12 require — without creating a separate compliance workflow outside the development process.

🔗

Cursor-native workflow

Policy Gateway integrates at the git layer. Cursor continues to write code as normal. ProvenanceCode intercepts at the commit/push boundary — developers don't change how they work with Cursor.

👤

AI attribution built in

Every DEO records which AI assistant was involved, what it proposed, and what the human decided. The record distinguishes human judgment from AI output — exactly what regulators and insurers are beginning to require.

Integration architecture

How Cursor + ProvenanceCode fits your stack.

What ProvenanceCode adds to Cursor

Git hook

Pre-commit evaluation of every changeset against policy rules

CI gate

PR check that blocks merge until DEO requirements are met

Verity

Developer tool to create DEOs inline with development workflow

Policy rules

YAML config defining which paths require DEOs (e.g. auth/, payments/)

Provenance chain

Cryptographic link between decision, code change, and approval

What stays exactly the same

Cursor

Writes code exactly as before. No change to how developers interact with Cursor.

Git workflow

Standard branch → PR → review → merge. ProvenanceCode adds a layer at PR, not a new workflow.

Code review

Reviewers see the same diff — plus the DEO alongside it for context.

CI/CD pipeline

No pipeline changes beyond adding the ProvenanceCode check as a required status.

Low-risk changes

Flow through with zero friction. Policy Gateway is invisible for routine commits.

Now available · Verity

Governed coding agent? That's exactly what Verity is built for.

Verity is ProvenanceCode's dedicated Git-layer product for AI-generated code governance. PR gating, DEO signing, ISO 42001 policy — directly in your GitHub workflow. No infrastructure to run.

See Verity → How it works →

Get started

Governed AI coding in your stack.

We're working with a small number of engineering teams on pilot deployments. Tell us about your Cursor usage and your codebase governance requirements.

Request pilot →

Also works with GitHub Copilot, Windsurf, and any AI coding assistant that operates at the file/git layer.