For people who came to verify the claim

The proof.

A check that can't go red proves nothing — so every Heimdall gate can actually fail, is measured honestly, and holds Heimdall to the same bar as your code. Here is the evidence, in full.

Measured, not asserted

It generalizes.

Every AI coding tool claims it works. Heimdall measured whether its core actually generalizes — and published the number. The reuse engine was pointed at 8 open-source repos it had never seen, across JS, TS, and Python, on tasks where a competent developer would reuse existing code rather than reinvent it.

The pass thresholds were frozen before the run, so the verdict couldn't be tuned to look good — a low number would have shipped as a finding. The run even surfaced and fixed its own measurement bugs (missing toolchains, a buggy assertion) before reporting, rather than quietly passing. The honesty is the brand. It came back GENERALIZES.

Rubric frozen before results · reported as measured
heimdall bench reuse · cold repos
$ heimdall bench reuse --cold --frozen-rubric
heimdall · reuse generalization · repos not in corpus
languages: js · ts · python
rubric: frozen before run · thresholds locked
repos evaluated ······· 8 / 8
median reuse ······· 0.50
working output ······· 8 / 10
note: 2 measurement bugs found & fixed pre-report (missing toolchains · 1 buggy assertion)
verdict: GENERALIZES — on a rubric committed before results
# pre-committed thresholds · reported as measured, not tuned

Credibility · the one door that can't be bypassed

It proves itself.

A verification tool that can't hold itself to its own bar is decoration. Agents commit with --no-verify and pre-commit hooks never fire — so Heimdall's real net is a native git pre-push hook that scans the full history, independent of how any commit was authored. The gate that scans your history scans Heimdall's first.

During development, a --no-verify commit tried to slip a live-format key into Heimdall's own repo. The self-scan blocked the push. That's the difference between a gate and a logo — secrets and foreign identities are blocked at the git layer, on every push, agent or human.

bin/heimdall-selfscan + hooks/git/pre-push
heimdall-selfscan · pre-push
$ git push origin main --no-verify
heimdall-selfscan · full history · 356 commits
secret-scan BLOCKED
high-entropy match · AWS-format key
commit a3f9c21 · src/providers/anthropic.ts:12
+ const KEY = "sk-ant-api03-xT9…redacted"
push rejected — the watchman scans its own history first
# synthetic key, caught in development. no real exposure.

Bypass-proof at the git layer.

The hook runs at pre-push, scanning the full history — not the staged diff. So it doesn't matter how a commit was authored, who set core.hooksPath, or whether someone passed --no-verify at commit time. There is one door, and every push goes through it.

This is the same point as the self-scan above, stated once: a push is proven only when every gate passes — and the gate that proves it can't be the one that decides to skip itself.
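
A minimal sketch of the mechanism described above: a pre-push hook that walks the full history of each pushed ref instead of the staged diff. It is an added example, not Heimdall's hook or rule set; the function names and the `KEY_RE` pattern are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration of a history-scanning pre-push hook; not Heimdall's code.
# Assumption: KEY_RE is a constructed pattern for two key-shaped formats. It is
# not Heimdall's rule set, and the entropy check the page mentions is omitted.
KEY_RE='(AKIA[0-9A-Z]{16}|sk-ant-[A-Za-z0-9_-]{20,})'

# find_keys: read unified-diff text on stdin and print the added lines that
# contain a key-shaped string. "+++ b/path" file headers are not added lines.
find_keys() {
    grep '^+' | grep -v '^+++ ' | grep -E -e "$KEY_RE"
}

# scan_history TIP: inspect every commit reachable from TIP, so a key that was
# committed and later deleted is still found. Prints "<sha> <added line>" for
# each hit and returns 1 if there was any.
scan_history() {
    # Fail closed: an unresolvable tip is an error, not a clean scan.
    git rev-parse -q --verify "$1^{commit}" >/dev/null || return 2
    hits=$(git rev-list "$1" | while read -r sha; do
        git show --format= --unified=0 --no-color "$sha" |
            find_keys | sed "s/^/$sha /"
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# pre_push: git writes one line per pushed ref to the hook's stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
pre_push() {
    rc=0
    while read -r _lref lsha _rref _rsha; do
        case "$lsha" in *[!0]*) ;; *) continue ;; esac  # all zeros: ref deletion
        scan_history "$lsha" </dev/null >&2 || rc=1
    done
    [ "$rc" -eq 0 ] || echo "push rejected: key-shaped string in history" >&2
    return "$rc"
}

# Act as a hook only when installed as .git/hooks/pre-push; otherwise the file
# just defines the functions above.
case "${0##*/}" in pre-push) pre_push; exit $? ;; esac
```

Installed this way it is an ordinary client-side hook, which stock git skips when `git push --no-verify` is given; the page does not show how Heimdall's own hook is enforced in that case.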

PRE-PUSH · FULL HISTORY
Motion · the watchman reacts

Watch a gate go red.

hmd demo · staged failure · SCANNING
▸ secret-scan · scanning full history…

A staged failure you watch deny, fix, and pass on the first run — the same loop Heimdall runs on every real push.

Convinced?

One line installs it. Pinned, local, MIT.

The current release ships everything above. Read the source first if you like — what you read is what runs.

Get Heimdall