Tribal knowledge that survives the engineer who wrote it.
Three layers of signed Rego. Each layer can only ratchet stricter than the layer it builds on, and that property is proved at compile time. The customer is the policy author at the deepest layer. Policy becomes the right unit of trust: durable, signed, version-controlled, queryable.
Customer overlay
Your architects, SREs, compliance officers
Deepest · most authoritative
Your domain rules. Authoring is available at the Team tier and above. Can ratchet stricter than the layers below, never looser.
Packs
Regulatory · Industry · Framework · CI runtime
Regulatory packs (SOC2 / HIPAA / PCI / FedRAMP / ITIL) are TruStacks-curated, paid, and signed for auditor defensibility. Industry / framework / CI runtime packs are open-source community-contributable and free at all tiers.
Constitution
TruStacks-authored, signed, immutable, free at all tiers
Foundation
The universal rules every proposal must respect. Constitution rules are non-waivable; the layers above can only add to them or tighten them.
The agent crew reads all three layers and proposes pull requests. Each layer can only ratchet stricter than the layer it builds on.
Three voices contribute to the rules.
Most policy products give you one voice and call it “flexible.” We give you three, and we make the boundaries between them load-bearing.
Voice 1
TruStacks domain experts
Author and maintain the constitution and curated regulatory packs. Tightly controlled, signed by TruStacks, distributed as the canonical foundation. Free (constitution) or paid (regulatory packs).
Voice 2
The open-source community
Contributes framework packs, CI runtime packs, and industry-specific overlays. Public repository, Apache 2.0 licensed, DCO sign-offs. Free at all tiers.
Voice 3
Your own domain experts
Encouraged to author rules that codify your organization's specific context. Customer overlay layered on top of the TruStacks foundation. Cannot weaken anything TruStacks ships. Can only add to it or tighten it. The policy linter proves this at compile time.
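As an added illustration of the union-only composition that keeps an overlay from weakening the foundation (this is example code, not TruStacks' own packs or bundle layout; the package name, the data.trustacks.constitution path and the registry rule are assumptions), a customer overlay in Rego:

```rego
# Hypothetical customer overlay package; names and data paths are assumptions,
# not TruStacks' published layout.
package customer.overlay

import rego.v1

# The signed constitution bundle is assumed to be loaded under
# data.trustacks.constitution and to expose a `deny` set of messages.
constitution_deny := data.trustacks.constitution.deny

# Customer-specific tightening (constructed rule): in the prod namespace,
# container images must come from the organisation's internal registry.
overlay_deny contains msg if {
	input.namespace == "prod"
	some c in input.containers
	not startswith(c.image, "registry.internal.example/")
	msg := sprintf("overlay: image %q must be pulled from the internal registry", [c.image])
}

# The decision is the union of both layers. The overlay can only add entries
# to `deny`; nothing here can remove a constitution denial, which is the
# structural form of "ratchet stricter, never looser".
deny contains msg if {
	some msg in constitution_deny
}

deny contains msg if {
	some msg in overlay_deny
}

# Fail closed: if the constitution bundle was not loaded (for example because
# init-container verification rejected it), `constitution_deny` is undefined
# and the union above would silently drop the foundation layer. Treat that as
# a denial instead of evaluating the overlay on its own.
deny contains "constitution layer not loaded; refusing to evaluate" if {
	not data.trustacks.constitution.deny
}

allow if count(deny) == 0
```

Evaluate it together with the constitution bundle, for example `opa eval -b ./bundle -i input.json 'data.customer.overlay.deny'`, and an overlay that tries to whitelist something the constitution denies has no rule shape available to do so.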
Default experience: zero customer-authored rules required.
A new customer installs, accepts the constitution and a Specialist Pack, and gets value on day one. Customer authoring is an unlock for sophistication, not a prerequisite. “Git Push. Go Home.” applies even to a customer who never writes a single rule of their own.
Build vs buy
The substrate is open. The stack isn’t.
Open Policy Agent ships the engine. Rego ships the language. Neither ships the rest of the stack you’d need to deploy layered, signed, customer-extensible policy across an organization: an authoritative constitution to anchor your overlay against, a signing root your security team trusts, OCI-based bundle distribution with init-container verification, and a linter that proves your overlay only ratchets stricter than the constitution at compile time. TruStacks delivers all four turnkey, plus the agent crew that proposes work respecting them. You stay the policy author at the deepest layer; we handle the substrate.