Stop burning CI minutes
on work that already ran green.

• Verify deduplication

  Surety hashes the evidence pack — gates + diff fingerprint + scanner results — before kicking CI. If the hash matches the prior commit's green run, the same workflow is skipped. Force-push and rebases stay safe; the hash is content-derived, not commit-derived.

  138 runs deferred this month
• Cross-PR scanner cache

  Most PRs touch a small slice of the repo. Gitleaks, OSV-scanner, Semgrep, and CycloneDX SBOM all share their cache keyed on the file content tree, so a second PR touching the same paths gets a cache hit instead of a re-scan.

  76% cache hit rate
• Diff-aware matrix trim

  Matrix cells whose inputs (node version, OS, framework) aren't exercised by the diff get auto-skipped. We never trim a cell silently — the skipped dimensions are listed in the Surety Pass summary so reviewers can override.

  284 matrix cells skipped
• In-IDE verify

  Pre-push, Surety runs the same gates locally that CI would run remotely — typecheck, scanners, policy. The local verify produces the same evidence pack format CI does, so a green local run is signed and accepted by the same downstream policy.

  37.4h reviewer time saved

Same gates. Less waste.

• Same gates, same evidence

  Local verify and CI verify produce byte-identical evidence packs — we don't run a weaker check locally. The pack is signed with the developer's ed25519 key + the Sigstore identity, so origin is provable.

• Cost-aware routing into the AI dock

  73% of AI turns route to Haiku/Sonnet, not Opus. The same router picks Haiku for plan-mode (structured output) and reserves Opus for high-risk Change Records where a wrong edit is expensive. Model spend last week: $118.

• Audit-grade trim decisions

  Every CI minute Surety doesn't spend is logged with the reason: 'evidence-pack hash matched commit 7a3f9c2', 'OS=windows matrix cell skipped — no .ps1 / .bat touched in diff'. Auditors can replay.