codokey / charter.md: DOCTRINE
+5 principles, −0 ambiguity
Preamble
Sovereignty begins at the access boundary.

Codokey is not a product. It is a reference model — a sovereign governance layer designed to become the definitive language of AI Code Access Governance.

Codokey is not a standard yet. It is a reference model designed to become the language of AI Code Access Governance — built to be adopted, cited, and extended by those who govern AI-assisted development responsibly.

You cannot govern what you cannot define.
Codokey defines the boundary between code, keys, agents, and authority.

The Problem
The governance gap is not a failure of tools. It is a failure of definition.

In the era before AI coding agents, governance happened through human review — slow, sequential, visible. In the era of autonomous agents, code is written, modified, and prepared for deployment at machine speed.

Post-facto governance is no longer sufficient. When an agent has already read your repository, already encountered your environment variables, and already prepared a pull request, the governance question has become retrospective. And retrospective governance, in systems that move at machine speed, is a non-traceable breach waiting to be discovered.

The Codokey Charter exists to establish a different principle: governance must precede autonomy, not follow it. See the operational model in the Codokey Protocol v1.0.

The Codokey Position
Governance is not the brake. It is the Express Lane.

The most common objection to AI code governance is that it slows development. This objection misunderstands what governance is for.

Codokey inverts this assumption: governance is the permission structure that lets AI agents move faster safely. An organization that has defined its secrets boundary, scoped its agent authority, established its review gates, and built its audit memory can deploy AI agents with confidence, at speed, without constant manual oversight.

The ungoverned organization must slow down after every incident. The governed organization moves faster because the boundaries are already defined.

Codokey is the constitutional layer for AI-touched codebases: it defines the boundary between machine speed and organizational accountability.

Five Founding Principles
The doctrine that governs Codokey itself.
01. Define before you deploy
Access boundaries must be established before an AI agent is given repository scope. Governance that begins after agent execution is not governance — it is incident response.

02. Secrets are not code
Credentials, tokens, keys, and environment variables are not part of the codebase in the governance sense. They are a separate layer with separate access rules. Every agent must be evaluated against the secrets boundary independently of its code access.

03. Autonomy requires authority definition
Autonomous is not ungoverned. Every agent class — from suggestion to deployment-adjacent — must have an explicitly documented scope. Undefined authority is a security gap, not a feature.

04. Governance debt compounds
Every AI-assisted code change made without defined access boundaries creates governance debt. The longer agentic development scales without a code-access model, the harder it becomes to reconstruct who changed what, what was exposed, and which authority path moved code toward production.

05. Vendor-agnostic by design
Codokey applies to GitHub Copilot today, and to any agent that will exist tomorrow. The protocol follows the logic of risk management, not the roadmap of any single vendor. Tools change. Access boundaries do not.

Next Reference
From doctrine to protocol.

The Charter establishes why governance must precede autonomy. The Codokey Protocol v1.0 defines how — across six layers from code origin to audit memory. Use the Governance Scorecard to assess your current posture against the reference model.
