Local-only trust model

Security review should not depend on uploading private source or trusting another AI summary.

ARC is designed for security-first teams reviewing AI-generated PRs: run the workflow where the code already lives, bind evidence to the exact commit, and use deterministic receipts before a human approves the diff.

ARC runs from GitHub Actions inside the customer repository.

Source code does not need to be uploaded to ARC for the first Trust Brief.

The useful output is a Trust Brief plus hashed command receipts.

Receipts bind to repository, contract, base commit, head commit, command, and log hash.

Start with one PR and keep source in your repo.

Public PR if possible. Local-only setup if private. Deterministic evidence before broader rollout.
