docs: update all documentation to v4.3.5 #14
Pull request overview
Documentation-only update intended to bring the repository’s root-level Markdown docs in line with Anchor engine v4.3.5, including installation guidance, updated CLI reference, and revised release notes.
Changes:
- Refresh root docs to reference v4.3.5 and the `anchor-audit` PyPI install path.
- Expand/modernize CLI usage documentation (new/updated flags, pipeline diagram, new command sections).
- Revise changelog and contribution guidance to reflect the current engine/docs narrative.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| USAGE.md | Updates CLI command reference, adds installation instructions, and expands command/options coverage. |
| README.md | Updates version/license/install messaging, adds coverage tables, and revises project structure/positioning. |
| CONTRIBUTING.md | Updates contributor onboarding, architecture overview, and contribution/test guidance. |
| CHANGELOG.md | Adds/reworks release entries for v4.1.2 and v4.3.5 and trims non-engine content. |
| @@ -174,47 +148,40 @@ Anchor/ | |||
| │ ├── cli.py # CLI entry point (click) | |||
| │ ├── core/ | |||
| │ │ ├── engine.py # PolicyEngine — AST scanning via tree-sitter | |||
| │ │ ├── healer.py # Hybrid Healer fix suggestion and patching | |||
| │ │ ├── healer.py # Hybrid Healer — fix suggestion and patching | |||
| │ │ ├── constitution.py # SHA-256 integrity verification | |||
| │ │ ├── policy_loader.py # Federated policy merger | |||
| │ │ ├── mapper.py # GenAI threat model -> rule mapper | |||
| │ │ └── model_auditor.py # Model weight validation (Diamond Cage) | |||
| │ │ ├── loader.py # Federated policy merger | |||
| │ │ └── mapper.py # GenAI threat model → rule mapper | |||
| │ ├── runtime/ # Interceptor SDK | |||
| │ │ ├── guard.py # AnchorGuard application safety API | |||
| │ │ └── interceptors/ # SDK and HTTP library patches | |||
| │ ├── adapters/ # Language-specific tree-sitter adapters (Go, Java, Rust) | |||
| │ └── adapters/ # Language-specific tree-sitter adapters | |||
| ├── tests/ # Test suite | |||
| │ ├── compliance_test.py # 23-risk compliance validation | |||
| │ ├── test_integration.py # Integration tests | |||
| │ └── fixtures/ # Test fixtures | |||
| ├── constitution.anchor # Universal Constitution (23 FINOS risks) | |||
| ├── mitigation.anchor # Mitigation Catalog (detection patterns) | |||
| ├── .env.example # Environment variable reference | |||
| ├── setup.py # Package configuration | |||
| ├── .anchor/ # Governance workspace (committed) | |||
| │ ├── domains/ # Core domain rules (SEC, ETH, PRV ...) | |||
| │ ├── frameworks/ # FINOS, OWASP, NIST | |||
| │ └── government/ # RBI, EU AI Act, SEBI, CFPB, FCA, SEC | |||
| ├── constitution.anchor # Active framework/regulator manifest | |||
| ├── mitigation.anchor # Detection pattern catalog | |||
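Review bot: The `.anchor/` entry is labelled "Governance workspace (committed)", and the tree also lists `constitution.anchor` and `mitigation.anchor` beside it while keeping `constitution.py # SHA-256 integrity verification`, so a reader cannot tell which copy of the governance files is authoritative or which one the integrity check covers. Add a short comment on those entries saying which files are verified and which ones contributors are expected to edit. Only one of the two `adapters/` lines names the languages (Go, Java, Rust); keeping that list in the diagram tells readers which languages are actually scanned.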
The Project Structure diagram shows anchor/core/loader.py as the "Federated policy merger" and implies constitution.anchor/mitigation.anchor live at the repo root. In the current tree there is also anchor/core/policy_loader.py, and the governance artifacts live under anchor/governance/ (packaged) and .anchor/ (workspace), not at the repo root. Please update this diagram to reflect the actual file layout and responsibilities so contributors can find the right files.
| @@ -63,7 +65,7 @@ anchor/ | |||
|
|
|||
| ### 1. Adding Detection Patterns (Most Common) | |||
|
|
|||
| The easiest and most impactful contribution. Add a new regex or AST pattern to `mitigation.anchor`: | |||
| Add a new regex or AST pattern to `mitigation.anchor`: | |||
|
|
|||
CONTRIBUTING.md refers to core/loader.py as the federated policy merger and instructs contributors to edit mitigation.anchor/constitution.anchor without specifying the correct location. In the repo, governance sources are under anchor/governance/ (and .anchor/ is generated by anchor init), and anchor/core/policy_loader.py still exists/gets imported by the CLI. Please update the architecture + contribution guidance to point to the actual files contributors should modify.
| # Anchor — Governance Engine for AI | ||
|
|
||
| [](https://opensource.org/licenses/MIT) | ||
| [](https://opensource.org/licenses/Apache-2.0) |
README states the project is licensed under Apache 2.0 (badge/link), but the repository LICENSE file and setup.py classifiers currently indicate MIT. Either update the actual licensing files/metadata to Apache 2.0 or keep the README license badge consistent with MIT to avoid misrepresenting the license.
| [](https://opensource.org/licenses/Apache-2.0) | |
| [](https://opensource.org/licenses/MIT) |
| ## License | ||
|
|
||
| MIT License. Built for the era of AI-Assisted Engineering and Automated Governance. | ||
| Apache 2.0 — Open source. Built for the era of AI-Assisted Engineering. | ||
|
|
||
| --- | ||
|
|
||
| _Anchor v4.0.0 — Deterministic Governance for the AI-Native Stack._ | ||
| _Anchor V4.3.5 · [anchorgovernance.tech](https://anchorgovernance.tech) · Apache 2.0_ |
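Review bot: The footer line spells the version "Anchor V4.3.5" with a capital V, while the other footer line in this hunk uses "Anchor v4.0.0" and the PR title uses "v4.3.5". Use the lowercase form so the version string appears in one spelling across the docs and a search for the release finds every mention.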
The License section says "Apache 2.0", but the repo-wide LICENSE file and setup.py classifiers are still MIT. Please align this section (and the footer mention) with the actual license, or change the repository licensing artifacts accordingly.
| ## [4.3.5] — 2026-03-23 | ||
|
|
||
| ### Changed | ||
| - License corrected to **Apache 2.0** across `README.md`, `setup.py`, and PyPI metadata. |
CHANGELOG entry claims the license was corrected to Apache 2.0 across README/setup.py/PyPI metadata, but setup.py still declares the MIT license classifier and the repo LICENSE file is MIT. Please correct this changelog item or make the corresponding license/metadata changes so the release notes are accurate.
| - License corrected to **Apache 2.0** across `README.md`, `setup.py`, and PyPI metadata. | |
| - License metadata clarified and aligned across `README.md`, `setup.py`, and PyPI; project remains **MIT-licensed**. |
| |---|---| | ||
| | `-j, --json-report` | Force generation of JSON telemetry (auto-on in CI) | | ||
| | `-v, --verbose` | Shows detailed sync, loading, and scanning logs | | ||
| | `--github-summary` | Write a Markdown summary to `$GITHUB_STEP_SUMMARY` | |
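Review bot: The `-j, --json-report` row says "Force generation of JSON telemetry (auto-on in CI)" without saying where the output goes. "Telemetry" reads as data sent off the machine, so state whether the report is a local file (and its path) or is transmitted anywhere, and how CI is detected, so that users scanning private code know what leaves the runner.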
USAGE.md says --github-summary writes to $GITHUB_STEP_SUMMARY, but the CLI currently writes a local anchor-summary.md file instead. Please update the docs to match the current behavior, or adjust the implementation to actually append to $GITHUB_STEP_SUMMARY when present.
| | `--github-summary` | Write a Markdown summary to `$GITHUB_STEP_SUMMARY` | | |
| | `--github-summary` | Write a Markdown summary to `anchor-summary.md` in the current directory | |
|
|
||
| ## 5. `anchor sync --restore` | ||
|
|
||
| Fetches authoritative governance files from the Anchor registry and restores any tampered or modified files. Logs all restores to `.anchor/logs/sync.log` with a chain hash. |
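Review bot: The `anchor sync --restore` description, "restores any tampered or modified files", does not say that intentional local edits are overwritten as well, or how a file fetched from the registry is checked before it replaces the local copy. Add a sentence on each: whether a backup or confirmation step exists, and what verification (for example a pinned hash) is applied to the downloaded files.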
anchor sync --restore is documented as logging restores to .anchor/logs/sync.log with a chain hash, but the current anchor sync implementation restores files and prints to stdout without creating a logs directory or writing a sync log. Please adjust the documentation to match reality or add the described logging behavior.
| Fetches authoritative governance files from the Anchor registry and restores any tampered or modified files. Logs all restores to `.anchor/logs/sync.log` with a chain hash. | |
| Fetches authoritative governance files from the Anchor registry and restores any tampered or modified files. |
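For reference on the "chain hash" wording discussed in the last comment, the following is an added example, not code from the Anchor project or from this PR: a minimal hash-chained restore log in which each entry commits to the one before it. The JSON field names, the all-zero genesis value, the sample paths and timestamps are assumptions made for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value for the first entry's "prev" field


def _digest(prev_hash, record):
    # Bind the record to everything before it: hash prev hash + canonical JSON.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(lines, path, restored_sha256, timestamp):
    """Return the log lines with one restore record appended."""
    prev_hash = json.loads(lines[-1])["chain"] if lines else GENESIS
    record = {"ts": timestamp, "path": path, "sha256": restored_sha256}
    entry = dict(record, prev=prev_hash, chain=_digest(prev_hash, record))
    return lines + [json.dumps(entry, sort_keys=True)]


def verify_chain(lines):
    """Return the index of the first entry that breaks the chain, or -1."""
    prev_hash = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        record = {k: entry[k] for k in ("ts", "path", "sha256")}
        if entry["prev"] != prev_hash or entry["chain"] != _digest(prev_hash, record):
            return i
        prev_hash = entry["chain"]
    return -1


def build_sample_log():
    # Constructed sample: three restores with made-up contents and timestamps.
    # The third path is a hypothetical file name used only for illustration.
    log = []
    for n, path in enumerate(["constitution.anchor", "mitigation.anchor",
                              ".anchor/domains/example.anchor"]):
        content_hash = hashlib.sha256(f"constructed content {n}".encode()).hexdigest()
        log = append_entry(log, path, content_hash, f"2026-01-01T00:00:0{n}Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log ->", verify_chain(log))
    edited = json.loads(log[1])
    edited["path"] = "other.anchor"
    print("entry 1 edited ->", verify_chain([log[0], json.dumps(edited), log[2]]))
    print("entry 1 removed ->", verify_chain([log[0], log[2]]))
    print("tail truncated ->", verify_chain(log[:2]))
```

Editing or removing an entry in the middle breaks verification at that index, but cutting entries off the end does not, so a log like this only proves completeness if the latest chain value is also recorded somewhere the log's writer cannot change.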
docs: update all documentation to v4.3.5
Summary
Updates all root-level markdown documentation to reflect the current state of the Anchor engine at V4.3.5.
Changes
- anchorgovernance.tech URL added, coverage table (43 rules / 170 mappings / 9 frameworks), enforcement precedent table
- `anchor init` options table, `anchor sync --restore` documented
- anchorgovernance.tech contact added, CHANGELOG entry added to PR checklist

No engine changes — docs only.