
How it Works

What is CodeQuill?

CodeQuill is memory infrastructure for software. It preserves verifiable, immutable evidence of what source code existed at a given point in time, and under whose authority.

Evidence is anchored to EVM blockchains (Ethereum) and stored on IPFS/Filecoin. All evidence is independently verifiable without CodeQuill's servers.

The Evidence Pipeline

CodeQuill produces five types of verifiable evidence, each building on the previous. Together they form a complete provenance chain from source to artifact.

Claim a Repository

Register your GitHub repository on-chain, establishing your workspace as the authority over that codebase. This creates a verifiable link between your GitHub identity and your Ethereum wallet.

$ codequill claim

Publish a Snapshot

Create a deterministic cryptographic fingerprint (Merkle root) of your repository's source code at a specific git commit. The snapshot is anchored on-chain and the manifest is stored on IPFS.

$ codequill snapshot && codequill publish

Create a Release

Designate one or more snapshots as a named, versioned release. Releases have a governance lifecycle: they can be accepted, rejected, or revoked. This provides a formal decision record for your software versions.

Created via the web application

Attest Build Artifacts

Link your build artifacts (Docker images, npm packages, binaries) to the specific source release that produced them. This creates supply-chain provenance: anyone can verify that an artifact was built from a specific, evidenced source state.

$ codequill attest

Preserve Source Code

Create an encrypted, zero-custody archive of your source code tied to a published snapshot. The archive is stored on IPFS/Filecoin and can only be decrypted by workspace members using their passkey-derived encryption keys. CodeQuill never possesses the decryption keys.

$ codequill preserve

Independent Verification

All evidence produced by CodeQuill is independently verifiable. Anyone can:

  • Query the smart contracts directly on Ethereum to verify claims, snapshots, releases, and attestations
  • Retrieve manifests from IPFS using the content identifier (CID) stored on-chain
  • Recompute the Merkle root from source files to verify snapshot integrity
  • Validate Merkle proofs-of-inclusion to confirm a specific file was part of a snapshot

No trust in CodeQuill's servers is required. The evidence layer is designed to outlive the platform.
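
The last two checks in the list above (recomputing a Merkle root and validating a proof-of-inclusion) can be sketched as follows. This is an added example, not CodeQuill's code: the page does not specify the hash function, leaf encoding or tree layout, so SHA-256, path-sorted leaves, 0x00/0x01 leaf/node tags and promotion of an unpaired node are all assumptions, and the sample files are constructed.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(path: str, content: bytes) -> bytes:
    # Assumed leaf encoding: 0x00 tag, then the path bound to the content digest.
    return _h(b"\x00" + path.encode() + b"\x00" + _h(content))

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 tag keeps interior nodes from being reinterpreted as leaves.
    return _h(b"\x01" + left + right)

def build_levels(files: dict) -> list:
    if not files:
        raise ValueError("snapshot has no files")
    level = [leaf_hash(p, files[p]) for p in sorted(files)]  # sorted => deterministic
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # unpaired node is promoted, not duplicated
        level = nxt
        levels.append(level)
    return levels

def merkle_root(files: dict) -> bytes:
    return build_levels(files)[-1][0]

def prove(files: dict, path: str) -> list:
    # Collect (side, sibling hash) pairs from the leaf up to the root.
    idx, proof = sorted(files).index(path), []
    for level in build_levels(files)[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            proof.append(("L" if sib < idx else "R", level[sib]))
        idx //= 2
    return proof

def verify(path: str, content: bytes, proof: list, root: bytes) -> bool:
    acc = leaf_hash(path, content)
    for side, sib in proof:
        acc = node_hash(sib, acc) if side == "L" else node_hash(acc, sib)
    return hmac.compare_digest(acc, root)

# Constructed sample snapshot (not real CodeQuill data).
FILES = {"src/main.py": b"print('hi')\n", "README.md": b"# demo\n", "LICENSE": b"MIT\n"}
ROOT = merkle_root(FILES)
PROOF = prove(FILES, "src/main.py")
```

A verifier holding only the root, one file and its proof can confirm inclusion with `verify`; a changed byte or a renamed path produces a different leaf hash and the check fails.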