Source citations

Every clause in every Attestly-generated document is cited back to a specific line in your repo at a specific commit. This is the feature that makes auditors trust the output.

What a citation looks like

In the dashboard you'll see citations rendered as inline pills:

"Customer chat messages are processed by OpenAI, L.L.C. src/server/chat.ts:42 for completion generation."

The pill is a clickable link to the file on GitHub at the commit SHA the scan ran against — not main. That means if a clause says "we use Stripe", the citation will always point at the version of the code where Stripe actually existed, even if Stripe was later removed.

In the public trust center

Citations are surfaced in the public trust center too — but with file paths only, never line numbers and never source snippets:

"Eligibility OCR uses Anthropic Claude Sonnet 4 — declared in src/server/eligibility/ocr.ts."

That gives auditors enough to follow up while protecting you from accidentally disclosing source code through your privacy policy.

In machine-readable form

Each finding row carries:

{
  "key": "openai",
  "label": "OpenAI",
  "sourcePath": "src/server/chat.ts",
  "sourceLine": 42,
  "metadata": { "model": "gpt-4o", "scope": "chat.completions.create" }
}

The trust center exposes this as JSON at /{slug}/aibom.json — see AIBOM export.

Why this matters under the EU AI Act

Annex IV of the EU AI Act requires a technical-documentation file that describes "the data and processes involved in the development of the AI system". A line-cited subprocessor list is the most defensible form of that documentation — and it's something Attestly produces automatically.