Metadata-Version: 2.4
Name: mergeguide
Version: 2.1.2rc4
Summary: AI governance platform — policy enforcement for AI-assisted development. Four enforcement layers (IDE, MCP, Git hooks, PR Gate), 900+ detection rules, 24 compliance frameworks, 15 languages.
Author: Chuck McWhirter, MergeGuide, Inc.
License: Proprietary
Project-URL: Homepage, https://mergeguide.ai
Project-URL: Documentation, https://docs.mergeguide.ai
Project-URL: Repository, https://github.com/MergeGuide/mergeguide
Project-URL: Issues, https://github.com/MergeGuide/mergeguide/issues
Keywords: ai-governance,policy-enforcement,security,compliance,mergeguide,sast,devsecops,mcp
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: Other/Proprietary License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Python: >=3.11
Description-Content-Type: text/markdown
Requires-Dist: pyyaml>=6.0.0
Requires-Dist: jsonschema>=4.21.0
Requires-Dist: sarif-om>=1.0.4
Requires-Dist: httpx>=0.26.0
Requires-Dist: boto3>=1.34.0
Requires-Dist: click>=8.1.0
Requires-Dist: rich>=13.7.0
Requires-Dist: PyJWT>=2.8.0
Requires-Dist: cryptography>=41.0.0
Requires-Dist: defusedxml>=0.7.0
Requires-Dist: semgrep<2.0.0,>=1.50.0
Requires-Dist: rfc8785>=0.1.2
Provides-Extra: semgrep
Requires-Dist: semgrep<2.0.0,>=1.50.0; extra == "semgrep"
Provides-Extra: cdk
Requires-Dist: aws-cdk-lib<2.254.0,>=2.238.0; extra == "cdk"
Requires-Dist: constructs>=10.3.0; extra == "cdk"
Provides-Extra: lite
Provides-Extra: dev
Requires-Dist: pytest>=8.0.0; extra == "dev"
Requires-Dist: pytest-cov>=4.1.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.23.0; extra == "dev"
Requires-Dist: ruff>=0.2.0; extra == "dev"
Requires-Dist: mypy>=1.8.0; extra == "dev"
Requires-Dist: black>=24.1.0; extra == "dev"
Requires-Dist: types-PyYAML>=6.0.0; extra == "dev"
Requires-Dist: types-requests>=2.31.0; extra == "dev"
Requires-Dist: boto3-stubs[dynamodb,lambda,s3,secretsmanager]>=1.34.0; extra == "dev"
Requires-Dist: python-dotenv>=1.0.0; extra == "dev"
Requires-Dist: watchdog>=4.0.0; extra == "dev"

# MergeGuide

**AI Velocity. Enterprise Governance.**

MergeGuide is the AI governance platform for enterprise development. We embed policy enforcement directly into the tools developers already use — IDE, AI assistants, Git hooks, and pull requests — so organizations get both AI velocity and enterprise governance.

## Why MergeGuide

AI coding assistants now generate nearly half the code in files where they're active. That velocity is extraordinary — and it's creating a governance problem that traditional security tools were never designed to solve.

MergeGuide is the third option between "allow AI freely and accept the risk" and "restrict AI and fall behind." Governance that enables AI rather than restricting it.

## Four Enforcement Layers

MergeGuide validates every code change — whether written by humans or AI — against your organization's security and compliance policies across four graduated layers:

1. **IDE** — Real-time detection rule feedback as code is written (VS Code extension)
2. **MCP** — Policy injection into AI assistants before code is generated (Model Context Protocol)
3. **Git Hooks** — Pre-commit validation before code leaves the developer's machine
4. **PR Gate** — Server-side enforcement at merge with tamper-evident evidence artifacts

Each layer shifts detection left for earlier, cheaper remediation. Violations caught in the IDE cost seconds to fix. The same violation caught at PR Gate costs a full review cycle.

## Key Capabilities

- **900+ detection rule IDs**[^rules] across 15+ programming languages
- **24 compliance frameworks**[^frameworks] including SOC 2, HIPAA, PCI-DSS, NIST SSDF, OWASP ASVS, EU AI Act, and more
- **Tamper-evident evidence** — SHA-256 hashed artifacts for every evaluation
- **4 SCM platforms** — GitHub, GitLab, Bitbucket, Azure DevOps
- **OSCAL export** — integrate with GRC platforms (Vanta, Drata, and more)
- **SBOM generation** — CycloneDX 1.5 + SPDX 2.3

## Installation

### VS Code Extension
VS Code extension — coming soon. Marketplace listing publication tracked in [DEV-1932](https://linear.app/sentinel-build/issue/DEV-1932).

### MCP Server (for AI assistants)
```bash
npx @mergeguide/mcp-server
```

### Git Hooks
```bash
pipx install mergeguide
mergeguide hooks install
```
> `pipx` is required on PEP 668 -- managed systems (modern macOS / Ubuntu / Fedora). See [CLI Installation](docs/guides/cli-installation.md#python-pipx-installation) for OS-specific paths.

### PR Gate
Install the [MergeGuide GitHub App](https://github.com/apps/mergeguide) or configure webhooks for GitLab, Bitbucket, or Azure DevOps in the dashboard.

## Getting Started

1. Sign up at [portal.mergeguide.ai](https://portal.mergeguide.ai)
2. Connect your repositories
3. Install the enforcement layers you need
4. Run your first policy check in under 5 minutes

## Pricing

MergeGuide offers three tiers (the 3-SKU lock per `controls/registries/tiers.yaml`):

| Tier | Pricing model | Description |
|------|---------------|-------------|
| Free | $0 | Unlicensed orgs; OWASP-bundle detection rules, local CLI scanning |
| Team | Per-seat (Stripe self-serve) | Paid per-seat tier; full framework coverage, dashboard evaluations, SBOM |
| Enterprise | Custom contract (per-seat) | Top tier; OSCAL export, SCIM/SSO, dedicated CSM |

See the pricing page at [mergeguide.ai](https://mergeguide.ai) for current dollar amounts and seat-tier breakpoints.

## Links

- **Website:** [mergeguide.ai](https://mergeguide.ai)
- **Documentation:** [docs.mergeguide.ai](https://docs.mergeguide.ai)
- **Blog:** [blog.mergeguide.ai](https://blog.mergeguide.ai)
- **Portal:** [portal.mergeguide.ai](https://portal.mergeguide.ai)

## Methodology Notes

The headline numbers above are deliberately conservative ("900+", "24") and refer to specific in-repo sources of truth so they can be re-verified independently. The footnotes below define what is being counted, point at the authoritative source, and give the exact shell command to reproduce the count locally.

[^rules]: **"900+ detection rule IDs"** counts discrete `- id:` entries inside YAML files under `src/mergeguide/rules/**/*.yaml`. As of 2026-05-22 the empirical count is **1053 rule IDs across 251 YAML files**, with **5593 underlying pattern variants** (`- pattern:`, `- pattern-not:`, `- pattern-either:`, `- pattern-inside:`, `- pattern-not-inside:`, `- pattern-regex:`, `- pattern-not-regex:`). "900+" is the floor we commit to in marketing copy. **A rule ID is the unit Semgrep loads at scan time** — one finding per matched `id:`, regardless of which YAML file it lives in. The 251 YAML file count is lower than the rule-ID count because many YAML files declare several rules under a single `rules:` block. The 5593 pattern count is higher because each rule typically composes 2-8 patterns to express one detection. **Verify locally:** `find src/mergeguide/rules -name '*.yaml' | wc -l` (files), `find src/mergeguide/rules -name '*.yaml' -exec grep -hE '^\s*- id:' {} \; | wc -l` (rule IDs), `find src/mergeguide/rules -name '*.yaml' -exec grep -chE '^\s*- pattern(-not|-either|-inside|-not-inside|-regex|-not-regex)?:' {} \; | awk '{s+=$1} END{print s}'` (patterns).

[^frameworks]: **"24 compliance frameworks"** is the count of `- id:` entries in [`controls/registries/frameworks.yaml`](controls/registries/frameworks.yaml), which is the canonical framework registry generated from `mcp-server/data/control-mappings.json` and consumed by mcp-server, the dashboard, and the CLI at runtime. The registry's own header (line 9) and footer (line 140) both attest "24 frameworks." The same number is published on the live marketing site (`mergeguide.ai` og:description meta). **Verify locally:** `grep -cE '^\s*- id:' controls/registries/frameworks.yaml`.

## License

Proprietary
