Platform Features

Everything in MergeGuide

Policy enforcement embedded at every layer of the developer workflow. Multi-framework compliance from a single platform. Immutable evidence generated continuously. And AI assistants that know your policies before they write a line of code.

Enforcement

PolicyMesh — Four-Layer Velocity Engine

Single-layer enforcement leaves gaps. AI-assisted code introduces risk faster than any single checkpoint can catch it. MergeGuide applies governance at four layers — so violations are caught at the moment they are created, not after they have been committed, reviewed, and shipped.

  • IDE (Layer 1): Real-time LSP diagnostics in VS Code and Cursor as code is written. Human or AI-generated — violations surface instantly.
  • MCP (Layer 2): Your AI coding assistant queries your policies before generating code. The AI already knows the rules — violations aren't suggested in the first place.
  • Git Hooks (Layer 3): Pre-commit and pre-push validation. Nothing policy-violating leaves the developer's machine.
  • PR Gate (Layer 4): Server-side enforcement blocks merge on violations. The authoritative last line of defense — generates immutable evidence artifacts.

Enforcement Coverage vs. Competitors

  • MergeGuide: IDE · AI · Git · PR
  • SCA / SAST tools: IDE · PR
  • SCM security tools: PR

PolicyMerge

Multi-Framework Deconfliction

Financial services organizations running SOX, PCI-DSS, NY DFS 23 NYCRR 500, and GLBA simultaneously are assessing the same controls multiple times — each framework using different language for the same underlying requirement.

PolicyMerge's strictest-wins engine analyzes every overlapping control, selects the most stringent requirement, and proves that meeting it satisfies all lesser requirements. One security posture. Every framework. Zero redundant work.

  • Strictest-wins deconfliction across all activated frameworks
  • Overlap matrix with side-by-side framework requirements
  • Unified compliance report with per-framework appendices
  • Sankey and Venn diagrams for executive reporting
  • Compliance savings calculator — quantify time saved

Without PolicyMerge vs. With PolicyMerge

Before: 3 redundant assessments
  • SOX Assessment → 89 controls
  • PCI-DSS Assessment → 75 controls (67 overlap)
  • NY DFS Assessment → 68 controls (61 overlap)

After: 1 unified assessment
  • PolicyMerge Assessment → 89 controls once, covers SOX, PCI-DSS, and NY DFS

→ 67% fewer assessment steps  ·  1 unified report  ·  All regulators covered

Detection Engine

Dual-Layer Detection

Two independent detection engines run in parallel — structural AST-based analysis and high-precision pattern matching — across the languages your team writes in.

  • Semgrep YAML rules — AST-aware, cross-file data flow, low false positives
  • Regex pattern matching — secrets, PII, hardcoded credentials, and more
  • Mapped to OWASP Top 10, CWE, NIST, and major compliance controls
  • Configurable severity levels and file-level targeting per policy
  • Inline exceptions with required justification comment — logged for audit

13 Languages Supported

Python, JavaScript, TypeScript, Go, Java, PHP, Ruby, Kotlin, Swift, C, C++, Rust, Terraform, Dockerfile

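The two detection layers above are easier to reason about with a small working model. The following is an added example, not MergeGuide's code: it runs a regex layer (credential literals) and a structural layer (Python's standard `ast` module standing in for Semgrep's AST rules) over a constructed source snippet, and honours inline exceptions only when they carry a justification, which is then recorded for audit. The `# policy-ignore: <reason>` marker, the rule ids and the sample source are assumptions made for this example.

```python
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed suppression syntax for this example (not MergeGuide's own): a
# trailing "# policy-ignore: <justification>" comment on the offending line.
# A marker with an empty justification does not suppress anything.
IGNORE_MARKER = re.compile(r"#\s*policy-ignore:\s*(?P<why>.*)$")

# Layer 1: regex rules. Good for things with a recognisable shape regardless
# of language, such as credential literals.
REGEX_RULES = [
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|api_key|token)\w*\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Layer 2: AST rules. A call is matched structurally, so spacing, comments or
# line wrapping cannot hide it from the detector.
DANGEROUS_CALLS = {"eval": "dynamic-eval", "exec": "dynamic-exec"}


@dataclass
class Finding:
    rule_id: str
    layer: str          # "regex" or "ast"
    line: int
    suppressed: bool = False
    justification: Optional[str] = None


def _apply_suppression(finding: Finding, source_line: str) -> Finding:
    """Honour an inline exception only when it carries a justification."""
    match = IGNORE_MARKER.search(source_line)
    if match and match.group("why").strip():
        finding.suppressed = True
        finding.justification = match.group("why").strip()
    return finding


def scan_regex(source: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]   # simplification: drop the comment part
        for rule_id, pattern in REGEX_RULES:
            if pattern.search(code):
                findings.append(_apply_suppression(Finding(rule_id, "regex", lineno), line))
    return findings


def scan_ast(source: str) -> List[Finding]:
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            rule_id = DANGEROUS_CALLS.get(node.func.id)
            if rule_id:
                finding = Finding(rule_id, "ast", node.lineno)
                findings.append(_apply_suppression(finding, lines[node.lineno - 1]))
    return findings


def scan(source: str) -> List[Finding]:
    """Run both layers and merge their findings in source order."""
    return sorted(scan_regex(source) + scan_ast(source), key=lambda f: (f.line, f.layer))


def blocking_findings(findings: List[Finding]) -> List[Finding]:
    """What a pre-commit hook or PR gate would fail on."""
    return [f for f in findings if not f.suppressed]


def audit_log(findings: List[Finding]) -> List[str]:
    """Suppressed findings are still recorded, with their justification."""
    return [f"line {f.line}: {f.rule_id} suppressed ({f.justification})"
            for f in findings if f.suppressed]


# Constructed sample input: one credential literal, one suppressed literal,
# one marker without a justification, and one dynamic eval.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2"  # policy-ignore: local test fixture only
API_TOKEN = "abcd1234"  # policy-ignore:

def run(cmd):
    return eval(cmd)
"""

if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for finding in results:
        print(finding)
    print("blocking:", len(blocking_findings(results)))
    print("audit:", audit_log(results))
```

Running it on the sample reports four findings: the AWS key id and the unjustified token literal block, the justified password literal is suppressed but lands in the audit log, and the `eval` call is caught by the AST layer even though no regex mentions it. Line 3 is the case worth noting: an exception marker with no reason does not silence the finding.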
Compliance

Continuous Evidence & OSCAL Export

Every PR Gate evaluation generates an immutable, cryptographically signed evidence artifact. Audit preparation becomes a byproduct of development — not a scramble when your auditor arrives.

  • Cryptographically signed, timestamped evidence on every evaluation
  • Immutable retention that exceeds every major framework's requirement
  • 5 OSCAL document generators: SSP, SAP, SAR, POA&M, Component
  • Machine-readable JSON/XML/YAML output for GRC tool integration
  • OSCAL-native integration — export to OSCAL-compatible GRC platforms including RegScale, Drata, Vanta, and others
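What "immutable, cryptographically signed, timestamped evidence" means in practice is easiest to see in code. The following is an added example, not MergeGuide's implementation: each evaluation is serialised canonically, hashed, signed and linked to the digest of the previous artifact, so editing or dropping an earlier record invalidates every later one. The page does not say which signature scheme is used; HMAC-SHA256 with a demo key is an assumption made here to keep the example dependency-free, and the sample evaluations are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Assumed signing scheme for this example: HMAC-SHA256 with a key held by the
# PR Gate. The page only says the artifact is "cryptographically signed"; a
# production system would normally use an asymmetric signature (for example
# Ed25519) so that auditors can verify without holding the signing key.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical_bytes(obj: Dict[str, Any]) -> bytes:
    """Canonical JSON (sorted keys, no insignificant whitespace) so the same
    evaluation always serialises to the same bytes before it is hashed."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def create_evidence(evaluation: Dict[str, Any], key: bytes,
                    previous_digest: Optional[str] = None,
                    timestamp: Optional[str] = None) -> Dict[str, Any]:
    """Wrap one PR Gate evaluation in a signed, timestamped artifact that also
    commits to the digest of the previous artifact (an append-only chain)."""
    payload = {
        "version": 1,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "previous_digest": previous_digest,
        "evaluation": evaluation,
    }
    body = canonical_bytes(payload)
    return {
        "payload": payload,
        "digest": hashlib.sha256(body).hexdigest(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_evidence(artifact: Dict[str, Any], key: bytes) -> bool:
    """Recompute digest and signature from the payload; constant-time compare."""
    body = canonical_bytes(artifact["payload"])
    if not hmac.compare_digest(hashlib.sha256(body).hexdigest(), artifact["digest"]):
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact["signature"])


def verify_chain(artifacts: List[Dict[str, Any]], key: bytes) -> bool:
    """Every artifact must verify on its own and link to its predecessor."""
    previous = None
    for artifact in artifacts:
        if not verify_evidence(artifact, key):
            return False
        if artifact["payload"]["previous_digest"] != previous:
            return False
        previous = artifact["digest"]
    return True


def demo() -> Dict[str, bool]:
    # Constructed sample evaluations: a failed gate, then a passing re-run.
    first = create_evidence(
        {"pr": 42, "result": "fail", "violations": ["hardcoded-credential"]},
        SIGNING_KEY, timestamp="2024-01-01T00:00:00+00:00")
    second = create_evidence(
        {"pr": 42, "result": "pass", "violations": []},
        SIGNING_KEY, previous_digest=first["digest"],
        timestamp="2024-01-01T00:05:00+00:00")
    # Rewrite history after the fact (JSON round-trip doubles as a deep copy).
    tampered = json.loads(json.dumps([first, second]))
    tampered[0]["payload"]["evaluation"]["result"] = "pass"
    return {
        "chain_valid": verify_chain([first, second], SIGNING_KEY),
        "tampered_chain_valid": verify_chain(tampered, SIGNING_KEY),
        "wrong_key_valid": verify_evidence(first, b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The chain link is what gives "immutable retention" teeth: a flipped `fail` in the first record changes its digest, which no longer matches the `previous_digest` the second record committed to, so the tampering is visible without trusting the storage layer. The canonical serialisation step matters too; without it, two byte-different encodings of the same JSON would produce different digests and spurious verification failures.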

Compliance Framework Templates

  • SOC 2 Type II
  • PCI-DSS v4.0
  • HIPAA
  • ISO 27001
  • NIST SP 800-53
  • GDPR
  • EU AI Act
  • DORA
  • FedRAMP
  • CMMC (and 14 more)

More Platform Capabilities

Enterprise Auth

SAML 2.0, OIDC, OAuth 2.0 + PKCE, SCIM v2 directory sync, WebAuthn/FIDO2 passkeys, TOTP MFA, and RBAC with team scoping.

Built-in Integrations

Native connections to GitHub, GitLab, Bitbucket, Azure DevOps, Vanta, Drata, Hyperproof, Slack, Jira, Linear, Teams, and email.

Compliance Dashboard

Dashboard with framework coverage cards, trend charts, multi-framework comparison, PDF/CSV/JSON report exports, and scheduled reporting.

MCP AI Integration

Policy injection for AI coding assistants via MCP server. Your AI knows your rules before it generates a single line of code — prevention at the source.

API & Webhooks

Full REST API with OpenAPI 3.1 spec. Webhooks for policy violations, evaluation results, and compliance threshold breaches. OSCAL-compatible output.

See how it works for your team.

Book a demo tailored to your compliance frameworks and development workflow. Or start free and explore on your own.
