For consultancies & software houses

Win the bid with measured quality.

Most suppliers ask the buyer for trust. You attach an independent CAI floor to the contract — and a rubric neither of you owns grades the delivery. A differentiator no slide deck can match.

From €535 / mo · scales with lines scanned · pricing →

Self-serve · Start free on a repo you own · The first full report is on us.

Lawn Of War · Exemplary
CAI 92 / 100
45 → 92 ↑ +47
Code health 89
Architecture 97
Maturity 95
Readiness 92
Security 100
Rebuild cost ~€130,000
Bus factor 1 of 3 devs
Lines of code 13,254

The most-improved repo you have makes the case.

What you hand over

The sell-sheet — your work, independently surveyed.

What you put on the table

Four deliverables.

In the bid

A public audit

A Watchdog survey of a delivered system — every number reproducible, graded by a rubric you don't own. The card on the left is one, live.

In the contract

A measured-quality clause

A contract profile with thresholds you commit to (CAI floor, per-lens minimums, no critical CVEs, required frameworks) — verified per scan, attested as a document, with a changelog that shows the client exactly what moved since the last milestone.

During delivery

Visible trajectory

Scheduled scans turn "trust us" into a visible climb — the trajectory itself becomes your sales asset on the next bid.

At handover

Attestation (signed)

The verdict (EN/DA, PDF) proves the agreed criteria were met on the delivered commit — suppressions disclosed, nothing hidden. A CycloneDX SBOM and CWE-tagged security findings hand over with it, so the client's own toolchain can read the supply chain.

Why offer it before you're asked

The buyer can't read the code.

The problem

  • They judge delivery on demos, deadlines and trust — not on what the codebase will cost to live with
  • Every bidder claims "clean, maintainable, well-tested"; none of it is checkable
  • So the cheapest credible bid wins, and quality is a post-hoc argument

You make quality checkable

  • You set the bar in writing — code health, architecture, security, the lenses that matter
  • An independent rubric grades it — not your word, not the buyer's auditor's opinion
  • The verdict is the same every scan — reproducible, trended, defensible
  • It travels into the contract — the agreed profile becomes a binding appendix

Close the loop

Scan → fix → prove

Watchdog turns its audit into a task list your team works on — then the next scan proves the fix. Nothing an agent can fake.

  • Watchdog scans: reproducible score + findings
  • GitHub issue: marker issue for your team
  • Your team fixes: resolve findings via API / MCP
  • Re-scan proves fixed: findings vanish, number climbs, closes

Repeats every scan, automatically.

The scan is the arbiter — "done" can't be faked. Remediation runs between visits, not just when billing hours on-site.

How it works — for you

Three steps.

1 · Attach a profile to the contract

Start from a Watchdog base, set the lenses and minimums you'll be held to, publish it — the rubric is frozen at that version.

2 · Scan on a schedule

The repo is analysed against the profile run after run — a baseline at the start, a verdict at delivery, the trend in between.

3 · Delivery is verified

The from→to delta shows the codebase met the agreed criteria — pass, fail, or N/A with the reason stated.

The stamp you hand over

Proof of delivery.

Attestation · Sample

Delivery verification — payments-core

Contract profile v3 · rubric frozen at signature · scan #14, commit 8c41f2e

  • CAI 82 ≥ agreed floor 80 — pass
  • Security & compliance 78 ≥ 75 — pass
  • Critical CVEs: 0 (ceiling 0) — pass
  • Suppressions disclosed: 2 — listed in appendix

Issued EN/DA as PDF · reproducible by either party under the frozen rubric.

Every scan against the contract profile yields one of these — pass, fail, or N/A with the reason stated. The delivery one is the stamp.

Three artifacts you hand over: the contract appendix (agreed criteria + measurement terms), the consequences audit (what each lens protects against), and the delta verdict (from→to comparison).

What an 80 floor is made of — every always-on lens Strong or better, no lens Critical — is set out in the methodology. Neither party can move the number — not us, not you, not the buyer.

Neutrality is the moat

The measurer has no stake.

Never a delivering party

Canine Development is never a delivering party on code it measures — so we're the only vendor that can't have a stake in the outcome.

No success fees

We're paid to measure, never to clear the deal or make the number go up. The result we have no interest in is the one you can hand over with confidence.

Identical rubric

The same versioned rubric scores you whoever pays. Pin it frozen for the duration of a contract so neither party can tilt the measurement.

Your buyer doesn't have to trust us either — they can verify it themselves

The measurement runs on the CAI — an open, reproducible standard: the algorithm, lenses and rubric are public, and the reference scorer is open source. Your buyer can take the survey behind your pitch, run the open scorer over its evidence, and get the same number. A score the other side can re-run for themselves wins the bid — it's evidence, not a self-claim. The CAI standard → cai.canine.dev · How a buyer verifies →

  • EU data residency: Processed only on hardware we own in Denmark — no cloud provider in the path.
  • No third-party AI: The language model is self-hosted; your code is never sent to OpenAI, Anthropic or Google.
  • Source never persisted: Each scan clones, analyses, then deletes the working copy — and we never train on your code.
  • Read-only by doctrine: We measure and advise; we never commit, push, or edit your code.

Read the full security & data statement →

Make quality your bid weapon.

Self-serve · first full report free · see pricing · talk to us