Prooflane

Automated compliance readiness powered by transparent agents and blockchain-verifiable 0G evidence


Open Agents

Project Description

The problem

Modern companies change constantly: new services, refactors, repository settings, policies, vendors, and cloud configurations land every week. Traditional compliance snapshots go stale the moment something ships. A passing audit last quarter does not prove today’s access controls, change-management posture, logging, encryption, or policy coverage. Drift is normal. What teams lack is a repeatable way to re-measure controls against live systems and to show what was checked, when, and with what evidence, particularly when customers and partners ask whether they are dealing with a security-conscious vendor.

Prooflane addresses that gap with policy-aligned compliance agents that inspect operational systems, cloud posture, source-control governance, and uploaded policy evidence, then publish a transparent record of what happened. GitHub and AWS are the first live integration surfaces, but the product is built around a broader principle: companies should be able to prove their current security posture with fresh checks, structured findings, and verifiable evidence instead of static claims.

The blockchain layer adds tamper evidence. Evidence bundles can be content-addressed and anchored through 0G, producing references that buyers, partners, and internal reviewers can check against the bundle itself when they want confidence that a company’s published posture maps to real artifacts. Anchoring proves that a bundle has not changed since it was recorded; it does not prove the checks themselves were correct, which is why the bundle carries the raw evidence payloads alongside each result. Outputs support customer trust pages, internal governance, and security questionnaires. They complement qualified audits and counsel; they are not a substitute for formal certification.


What Prooflane delivers

  • Agents that track reality: Compliance agents translate frameworks such as SOC 2, GDPR, PCI DSS, and HIPAA into checks run against your infrastructure at assessment time and on webhook triggers, so your posture reflects what is actually running today rather than an outdated spreadsheet.
  • Transparent assessments: Every run is traceable. Integration loading, control execution, and report generation are each logged, and every control result is marked PASS, FAIL, or UNKNOWN with its supporting evidence. There is no black-box scoring.
  • Verifiable evidence: Evidence bundles can be anchored using content-derived hashes and 0G chain references, so a third party holding a bundle can recompute its hash, compare it with the anchored reference, and detect any change since it was recorded.
  • Multi-lens evaluations: Run several compliance frameworks against one control library. Each “lens” activates only the controls tagged for that standard, so assessments stay consistent across frameworks without re-running every check.
  • Live integrations: Prooflane reads from your systems as sources of truth. Current integrations are GitHub (repository governance), AWS (IAM, CloudTrail, S3), and uploaded policy documents.
  • Weighted readiness scoring: A single readiness score (0–100) is computed from PASS, FAIL, and UNKNOWN results, with category-level breakdowns for drill-down.
  • Evidence-driven reporting: Every assessment produces structured JSON evidence, per-control results, and an executive summary grounded in the actual findings rather than assumptions.
  • Real-time progress visibility: Operators follow assessments live through detailed logs covering integration status, control outcomes, and report-generation stages.
  • Public trust surface: Organization-level pages publish your compliance posture so customers and partners can quickly understand your security readiness.
  • Event-driven automation (webhooks): GitHub events such as pushes to protected branches trigger compliance checks automatically, so compliance status evolves alongside the codebase.


How an assessment run works

  1. Organization context. Prooflane loads company context, linked integrations, and policy artifacts. GitHub and AWS provide the current live system signals. Missing scopes surface as UNKNOWN where evidence cannot be collected.
  2. Lens selection. You choose a framework lens (soc2, gdpr, pci, hipaa). The engine filters to controls that apply to that lens.
  3. Evaluation. For each control, evaluators call GitHub or AWS APIs or analyze uploaded policy text. Results are PASS, FAIL, or UNKNOWN with human-readable messages and structured evidence payloads.
  4. Evidence bundle. Results are serialized into a single bundle (run metadata, timestamps, per-control outcomes). The bundle is uploaded through 0G Storage when Galileo RPC, indexer, and wallet keys are configured. Uploads are content-addressed; a root hash and transaction hash tie the bundle to chain activity. If the network path does not complete within policy timeouts, the run still records a content fingerprint so scoring and reporting are never blocked.
  5. Scoring. A weighted formula produces an overall readiness score and category-level statistics.
  6. Report. A structured narrative is produced using configured 0G Compute (quickstart) or an OpenAI-compatible router. Output is grounded: model copy is merged with live metrics so scores and remediation items stay faithful to evaluation results.
  7. Persistence. Reports, scores, hashes, and explorer links are stored on the compliance run for audit trails and UI display.
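The run pipeline above, reduced to working code as an added example. This is not Prooflane's code: the control ids, lens tags and weights, the credit per outcome (PASS = 1, UNKNOWN = 0.5, FAIL = 0; the page only says "a weighted formula"), the sample results and the names `scoreResults`, `canonicalize`, `anchorBundle` and `runAssessment` are all this example's assumptions. It shows the three pieces a practitioner wants to see concretely: lens filtering (step 2), a weighted score that keeps UNKNOWN distinct from PASS (step 5), and a canonical sorted-key JSON bundle hashed with SHA-256 so a reviewer can recompute the fingerprint (step 4), with the upload raced against a policy timeout so a lagging indexer degrades to a fingerprint-only record instead of blocking the run. The uploader is injected; a real deployment would pass the 0G Storage call there.

```typescript
import { createHash } from "crypto";

type Outcome = "PASS" | "FAIL" | "UNKNOWN";
type Lens = "soc2" | "gdpr" | "pci" | "hipaa";
interface Control { id: string; category: string; lenses: Lens[]; weight: number }
export interface ControlResult { controlId: string; category: string; outcome: Outcome; message: string; evidence: Record<string, unknown> }
export interface Scorecard { overall: number; counts: Record<Outcome, number>; byCategory: Record<string, number> }
export interface AnchorRef { rootHash: string; txHash: string }
export type AnchorOutcome =
  | { status: "anchored"; sha256: string; rootHash: string; txHash: string }
  | { status: "fingerprint_only"; sha256: string; reason: string };

// Constructed control library: ids, lens tags and weights are this example's assumptions.
export const CONTROLS: Control[] = [
  { id: "gh.branch_protection", category: "github", lenses: ["soc2", "pci", "hipaa"], weight: 2 },
  { id: "gh.codeowners", category: "github", lenses: ["soc2"], weight: 1 },
  { id: "aws.cloudtrail_enabled", category: "aws", lenses: ["soc2", "gdpr", "pci", "hipaa"], weight: 3 },
  { id: "aws.root_mfa", category: "aws", lenses: ["soc2", "pci", "hipaa"], weight: 3 },
  { id: "policy.incident_response", category: "policy", lenses: ["soc2", "gdpr", "hipaa"], weight: 1 },
];

// Step 2: a lens activates only the controls tagged for it.
export function selectControls(lens: Lens, library: Control[] = CONTROLS): Control[] {
  return library.filter((c) => c.lenses.indexOf(lens) !== -1);
}

// Step 5: weighted readiness score. Credit per outcome is an assumption: PASS = 1, UNKNOWN = 0.5,
// FAIL = 0. Results for controls outside the lens are dropped, so a gdpr run is not penalised
// by soc2-only findings.
const CREDIT: Record<Outcome, number> = { PASS: 1, UNKNOWN: 0.5, FAIL: 0 };
export function scoreResults(results: ControlResult[], controls: Control[]): Scorecard {
  const weightOf = new Map(controls.map((c): [string, number] => [c.id, c.weight]));
  const counts: Record<Outcome, number> = { PASS: 0, FAIL: 0, UNKNOWN: 0 };
  const earned: Record<string, number> = {};
  const possible: Record<string, number> = {};
  for (const r of results.filter((x) => weightOf.has(x.controlId))) {
    const w = weightOf.get(r.controlId)!;
    counts[r.outcome] += 1;
    earned[r.category] = (earned[r.category] ?? 0) + w * CREDIT[r.outcome];
    possible[r.category] = (possible[r.category] ?? 0) + w;
  }
  const pct = (e: number, p: number) => (p === 0 ? 0 : Math.round((100 * e) / p));
  const byCategory: Record<string, number> = {};
  let e = 0, p = 0;
  for (const cat of Object.keys(possible)) {
    byCategory[cat] = pct(earned[cat], possible[cat]);
    e += earned[cat]; p += possible[cat];
  }
  return { overall: pct(e, p), counts, byCategory };
}

// Step 4: content addressing is only meaningful over canonical bytes. Object keys are sorted
// recursively so identical findings hash identically regardless of insertion order.
export function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Local content fingerprint: plain SHA-256 over the canonical bytes. 0G's root hash is computed
// by its SDK over the same uploaded bytes; this example does not reimplement it.
export function fingerprint(bundle: unknown): string {
  return createHash("sha256").update(canonicalize(bundle), "utf8").digest("hex");
}

// What a reviewer does with a published bundle and the hash recorded for it.
export function verifyFingerprint(bundle: unknown, expectedSha256: string): boolean {
  return fingerprint(bundle) === expectedSha256;
}

// Step 4 fallback: race the upload against a policy timeout. If the indexer lags past the
// deadline, the run keeps the local fingerprint so scoring and reporting proceed, and the same
// canonical bytes can be re-anchored later. The uploader is injected (0G Storage in production).
export async function anchorBundle(bundle: unknown, upload: (bytes: string) => Promise<AnchorRef>, timeoutMs: number): Promise<AnchorOutcome> {
  const bytes = canonicalize(bundle);
  const sha256 = createHash("sha256").update(bytes, "utf8").digest("hex");
  let timer!: ReturnType<typeof setTimeout>;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`anchor timed out after ${timeoutMs} ms`)), timeoutMs);
  });
  try {
    const ref = await Promise.race([upload(bytes), deadline]);
    return { status: "anchored", sha256, rootHash: ref.rootHash, txHash: ref.txHash };
  } catch (err) {
    return { status: "fingerprint_only", sha256, reason: (err as Error).message };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed results for one soc2 run (sample data, not real findings).
export const SAMPLE_RESULTS: ControlResult[] = [
  { controlId: "gh.branch_protection", category: "github", outcome: "PASS", message: "main requires 1 approving review", evidence: { required_approving_review_count: 1 } },
  { controlId: "gh.codeowners", category: "github", outcome: "FAIL", message: "no CODEOWNERS file", evidence: {} },
  { controlId: "aws.cloudtrail_enabled", category: "aws", outcome: "PASS", message: "multi-region trail is logging", evidence: { trails: 1 } },
  { controlId: "aws.root_mfa", category: "aws", outcome: "UNKNOWN", message: "iam:GetAccountSummary denied", evidence: { missing_permission: "iam:GetAccountSummary" } },
  { controlId: "policy.incident_response", category: "policy", outcome: "PASS", message: "incident response plan uploaded", evidence: { document: "ir-plan.pdf" } },
];

// Steps 2, 4 and 5 end to end: filter, score, bundle, fingerprint.
export function runAssessment(lens: Lens, results: ControlResult[], runId = "run-0001", startedAt = new Date().toISOString()) {
  const controls = selectControls(lens);
  const scorecard = scoreResults(results, controls);
  const bundle = { runId, lens, startedAt, controls: controls.map((c) => c.id), results, scorecard };
  return { scorecard, bundle, sha256: fingerprint(bundle) };
}

const run = runAssessment("soc2", SAMPLE_RESULTS);
console.log(run.scorecard, run.sha256);
// Simulated indexer that never answers: the run still completes, with status fingerprint_only.
void anchorBundle(run.bundle, () => new Promise<AnchorRef>(() => {}), 50).then((a) => console.log(a.status, a.sha256 === run.sha256));
```

Run with ts-node or tsx. Two points the code makes that the prose does not: without canonicalization, two serializations of the same findings hash differently and content addressing silently breaks; and the timeout branch must keep exactly the bytes it fingerprinted, otherwise a later re-anchor yields a root hash that no longer matches the stored run.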

Control library (overview)

The product ships twelve technical controls across three domains:

  • GitHub and change management: Branch protection, required reviews, status checks, CODEOWNERS, secret-pattern heuristics on tracked files.
  • AWS and infrastructure: CloudTrail enablement, S3 encryption and public access posture, root account MFA and access keys, IAM password policy.
  • Policies and governance: Presence and content signals for uploaded security and incident-response documents.

Controls carry framework tags (for example SOC 2, ISO 27001 themes, GDPR, PCI, HIPAA) so each agent lens maps measurable checks to the narrative customers, partners, and internal reviewers expect.
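Two of the controls listed above written as evaluators, added here as an example that is not Prooflane's code. The GitHub field names (required_pull_request_reviews.required_approving_review_count, required_status_checks.contexts) follow the REST branch-protection endpoint and the IAM fields (AccountMFAEnabled, AccountAccessKeysPresent) follow the SummaryMap returned by iam:GetAccountSummary; the status-to-outcome policy, the function names and the constructed responses are this example's assumptions. The point it makes is the UNKNOWN discipline from step 1 of the run: a 401/403 from GitHub or an AccessDenied from IAM is a missing scope, not a failed control, and is recorded as UNKNOWN with the permission that needs granting.

```typescript
// Added example (not Prooflane's code): control evaluators that turn an API response into
// PASS / FAIL / UNKNOWN. Responses are passed in directly so the file runs offline against
// constructed payloads; a real evaluator would fetch them from the GitHub REST API and AWS IAM.
type Outcome = "PASS" | "FAIL" | "UNKNOWN";
export interface ControlResult { controlId: string; outcome: Outcome; message: string; evidence: Record<string, unknown> }
export interface ApiResponse { status: number; body: Record<string, unknown> }

// GitHub: GET /repos/{owner}/{repo}/branches/{branch}/protection.
// Outcome policy (this example's choice): 401/403 means the token lacks scope -> UNKNOWN;
// 404 with "Branch not protected" is a finding -> FAIL; any other non-200 means the repo or
// branch is not visible to the token (GitHub hides private repos behind 404) -> UNKNOWN.
export function evaluateBranchProtection(resp: ApiResponse, minReviews = 1): ControlResult {
  const id = "gh.branch_protection";
  const unknown = (message: string): ControlResult =>
    ({ controlId: id, outcome: "UNKNOWN", message, evidence: { status: resp.status, body: resp.body } });
  if (resp.status === 401 || resp.status === 403)
    return unknown(`GitHub returned ${resp.status}; token lacks permission to read branch protection`);
  if (resp.status === 404 && resp.body.message === "Branch not protected")
    return { controlId: id, outcome: "FAIL", message: "Branch has no protection rule", evidence: { status: 404 } };
  if (resp.status !== 200) return unknown(`Unexpected status ${resp.status}; repository or branch not visible`);
  const reviews = resp.body.required_pull_request_reviews as { required_approving_review_count?: number } | undefined;
  const checks = resp.body.required_status_checks as { contexts?: string[] } | undefined;
  const count = reviews?.required_approving_review_count ?? 0;
  const evidence = { required_approving_review_count: count, status_check_contexts: checks?.contexts ?? [] };
  if (count < minReviews)
    return { controlId: id, outcome: "FAIL", message: `${count} approving review(s) required; policy needs ${minReviews}`, evidence };
  return { controlId: id, outcome: "PASS", message: `Protected; ${count} approving review(s) and ${evidence.status_check_contexts.length} status check(s) required`, evidence };
}

// AWS: iam:GetAccountSummary returns a SummaryMap with AccountMFAEnabled (0/1) and
// AccountAccessKeysPresent (0/1). `null` models an AccessDenied error from the call.
export function evaluateRootAccount(summaryMap: Record<string, number> | null): ControlResult {
  const id = "aws.root_account";
  if (summaryMap === null)
    return { controlId: id, outcome: "UNKNOWN", message: "iam:GetAccountSummary denied; grant it to the assessment role", evidence: { missing_permission: "iam:GetAccountSummary" } };
  const evidence = { AccountMFAEnabled: summaryMap.AccountMFAEnabled, AccountAccessKeysPresent: summaryMap.AccountAccessKeysPresent };
  if (summaryMap.AccountMFAEnabled !== 1) return { controlId: id, outcome: "FAIL", message: "Root account has no MFA device", evidence };
  if (summaryMap.AccountAccessKeysPresent === 1) return { controlId: id, outcome: "FAIL", message: "Root account has active access keys", evidence };
  return { controlId: id, outcome: "PASS", message: "Root MFA enabled and no root access keys", evidence };
}

// Constructed responses (sample data, not captured from a real repository or account).
export const PROTECTED: ApiResponse = { status: 200, body: {
  required_pull_request_reviews: { required_approving_review_count: 2, require_code_owner_reviews: true },
  required_status_checks: { strict: true, contexts: ["ci/test"] },
  enforce_admins: { enabled: true } } };
export const UNPROTECTED: ApiResponse = { status: 404, body: { message: "Branch not protected" } };
export const FORBIDDEN: ApiResponse = { status: 403, body: { message: "Resource not accessible by integration" } };

for (const r of [
  evaluateBranchProtection(PROTECTED), evaluateBranchProtection(UNPROTECTED), evaluateBranchProtection(FORBIDDEN),
  evaluateRootAccount({ AccountMFAEnabled: 1, AccountAccessKeysPresent: 1 }), evaluateRootAccount(null),
]) console.log(r.controlId, r.outcome, r.message);
```

The evidence object records what was observed, not just the verdict, so a reviewer reading the bundle later can see which review count or which IAM flags produced the result.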


0G (decentralized infrastructure)

Prooflane integrates with 0G on Galileo testnet to make compliance evidence more transparent and independently inspectable:

  1. 0G Storage. Evidence bundles are written through the official TypeScript SDK and indexer. Successful uploads yield a root hash and transaction hash used as tamper-evident references and explorer links (Galileo transaction URLs).
  2. 0G Compute. Optional narrative generation uses the published compute quickstart (OpenAI-compatible proxy). Router credentials are supported as an alternative deployment pattern.

The result is a product experience where a company can present compliance posture with the underlying evidence trail, not just marketing language.

Environment variables and operational notes live in .env.example. Funding testnet wallets through the public faucet is required for storage fees and compute ledger usage.


How it's Made

Prooflane is built as an npm workspaces monorepo with a Next.js product UI, an Express API, and a shared TypeScript core package. The core contains the compliance agents, framework lens registry, control library, evaluators, weighted scoring, Prisma data access, evidence packaging, and report grounding. The web app handles onboarding, GitHub and AWS connection flows, compliance run launching, live progress logs, run history, detailed control views, and public trust pages. The API owns authentication-backed organization routes, integration persistence, compliance run queuing, and GitHub webhook triggers.

For data, we use PostgreSQL with Prisma models for users, organizations, integrations, policy documents, compliance runs, control results, progress logs, and reports. The run pipeline loads org context, filters controls by framework lens (SOC 2-oriented, GDPR, PCI DSS, HIPAA), executes GitHub/AWS/policy evaluators, serializes evidence, scores results, and writes a grounded executive report.

We used 0G as the transparency layer: 0G Storage anchors evidence bundles with root hashes and transaction references, while 0G Compute or an OpenAI-compatible router can generate narrative reports. A notable hack: the 0G storage indexer can lag after upload, so we added a timeout that records a content fingerprint and still completes scoring/reporting, preventing compliance runs from blocking forever while preserving the evidence trail.
