# Busleyden Guard install guide

Use the free path for public GitHub repositories, or Guard Pro at $19.90/month for unlimited selected private repositories under one GitHub account.

No sales call is required for either plan.

## What gets installed

- One GitHub Actions workflow: `.github/workflows/change-consequence-certificate.yml`
- One Guard evidence report: `change-consequence.json`
- One reviewer-facing evidence summary: `change-consequence.md`
- One Guard decision report: `change-merge-passport.json`
- One reviewer-facing decision summary: `change-merge-passport.md`
- Optional PR comments when the workflow has permission to comment.
- Optional Semgrep and OSV scanner evidence

## Self-service install

You can first paste any public GitHub pull request into the homepage preview. The preview requires no installation, but it does not execute tests or replace the installed check.

1. Enter the GitHub repository URL on `https://www.busleyden.com`.
2. For a public repository, choose the free install. For private repositories, start the monthly Guard Pro subscription.
3. Install the GitHub App only on the selected repository.
4. Let Guard create a setup pull request, inspect it, and merge it.
5. Open a normal pull request that changes real application code.
6. Confirm the workflow posts its Check and uploads the Guard reports.

Restricted organizations can inspect `install-workflow.yml` and install it manually at `.github/workflows/change-consequence-certificate.yml`.

## Required repository permissions

The workflow uses:

- `contents: read` to inspect the repository checkout.
- `pull-requests: write` to post a PR comment when comments are enabled.
- `issues: write` because GitHub PR comments use the issues comment API.

Delete or disable the `Comment on pull request` step if the team wants artifact-only mode.

## Scanner behavior

The sample workflow installs Semgrep and OSV Scanner. If a scanner is unavailable or times out, the Guard Check should still run and record the missing evidence as an explicit unknown. Missing scanner evidence is not hidden.

## Decision report

The evidence report records what Guard observed. The decision report turns that
evidence into a merge status such as `block_merge`,
`requires_explicit_exception`, `review_with_known_unknowns`, `standard_review`,
or `auto_merge_candidate`, plus failed policy rules, required human actions,
rollback requirements, and post-merge observation evidence.

## Success criteria

Guard is worth keeping when real PRs produce faster or safer review decisions, such as:

- a missing test found before merge;
- an owner routed earlier than the normal review path;
- a security finding or model-loading risk surfaced in the reviewer summary;
- reduced back-and-forth because the Guard Check made the affected surface clear.

## Uninstall

Remove `.github/workflows/change-consequence-certificate.yml`, uninstall the GitHub App, delete generated artifacts if desired, and cancel Guard Pro in Stripe if subscribed.

## Claim boundary

This guide describes the live setup paths. It does not prove that a customer has installed Guard, subscribed to Guard Pro, or accepted the security review.
