TruStacks

Policy is the right unit of trust.

Three layers of signed Rego. Each layer can only ratchet stricter than the layer it builds on, and that property is provable at compile time. The customer is a policy author at the deepest layer. Tribal knowledge becomes durable, signed, version-controlled, and queryable.

Customer overlay

Your architects, SREs, compliance officers

Deepest · most authoritative

Your domain rules. Authoring at the Team tier and above. Can ratchet stricter than the layers below — never looser.

Packs

Regulatory · Industry · Framework · CI runtime

Regulatory packs (SOC2 / HIPAA / PCI / FedRAMP / ITIL) are TruStacks-curated, paid, and signed for auditor defensibility. Industry / framework / CI runtime packs are open-source community-contributable and free at all tiers.

Constitution

TruStacks-authored, signed, immutable, free at all tiers

Foundation

The universal rules every proposal must respect. Constitution rules are non-waivable; the layers above can only add to them or tighten them.

The agent crew reads all three layers and proposes pull requests. Each layer can only ratchet stricter than the layer it builds on.
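As an added illustration, not TruStacks' own policy code, this is one way the ratchet can be made structural in Rego: every layer contributes only to a deny set, the decision point unions those sets, so a layer can add a reason to deny but has no way to remove one that a layer beneath it produced. The package names, rule names and proposal fields are assumed for the example.

```rego
# --- file: constitution.rego (foundation layer, illustrative) ---
package trustacks.constitution

import rego.v1

# Universal rule: a proposal must be built from a signed commit.
deny contains msg if {
    not input.proposal.commit.signed
    msg := "constitution: proposal commit is not signed"
}

# --- file: pack_ci.rego (pack layer, illustrative) ---
package trustacks.packs.ci

import rego.v1

# A CI runtime pack adds its own requirement; it cannot touch the
# constitution's deny set, only contribute entries of its own.
deny contains msg if {
    some job in input.proposal.ci_jobs
    job.status != "passed"
    msg := sprintf("ci pack: job %s has not passed", [job.name])
}

# --- file: overlay.rego (customer layer, illustrative) ---
package customer.overlay

import rego.v1

# Customer rule: production targets need two approvals. A rule here that
# tried to "allow" an unsigned commit would have no effect, because the
# only thing a layer can emit is another deny entry.
deny contains msg if {
    input.proposal.target == "production"
    count(input.proposal.approvals) < 2
    msg := "overlay: production changes require two approvals"
}

# --- file: decision.rego (entry point the agent crew queries, illustrative) ---
package trustacks.decision

import rego.v1

# Set union across the layers: the denial set can only grow as layers are added.
all_denials := data.trustacks.constitution.deny | data.trustacks.packs.ci.deny | data.customer.overlay.deny

default allow := false

allow if count(all_denials) == 0
```

Under this layout a compile-time ratchet check reduces to a structural lint, for instance rejecting any layer file that declares a rule other than `deny` or that references another layer's package; that is one possible check, not necessarily the one the TruStacks linter runs.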

Three voices contribute to the rules.

Most policy products give you one voice and call it “flexible.” We give you three, and we make the boundaries between them load-bearing.

  1. Voice 1

    TruStacks domain experts

    Author and maintain the constitution and curated regulatory packs. Tightly controlled, signed by TruStacks, distributed as the canonical foundation. Free (constitution) or paid (regulatory packs).

  2. Voice 2

    The open-source community

    Contributes framework packs, CI runtime packs, and industry-specific overlays. Public repository, Apache 2.0 licensed, DCO sign-offs. Free at all tiers.

  3. Voice 3

    Your own domain experts

    Encouraged to author rules that codify your organization's specific context. Customer overlay layered on top of the TruStacks foundation. Cannot weaken anything TruStacks ships — only add to it or tighten it. The policy linter proves this at compile time.

Default experience: zero customer-authored rules required.

A new customer installs, accepts the constitution and a compliance pack, and gets value on day one. Customer authoring is an unlock for sophistication, not a prerequisite. “Git Push. Go Home.” applies even to a customer who never writes a single rule of their own.

Want to see your policy in our linter?