Engineering disclosure
The engineering backbone is public.
Inspect it yourself.
CrawlQ Studio is built on GraQle — Quantamix’s open-core knowledge-graph and AI-governance substrate. The same graph pruning, governance gates, and audit machinery that run CrawlQ’s brand intelligence are published as an Apache-2.0 SDK anyone can read, test, and benchmark. This page is the full disclosure — every number on it links to a public artifact.
The verifiable set
Numbers you can check, not numbers you have to trust.
Counted from the public repository and the public PyPI listing (July 2026). If a figure isn't independently checkable, it isn't on this page.
150k+
Lines of open engineering
522 Python files, 60+ subpackages in the public repo
440
Public test files
~7,700 test functions, run in public CI
3.10–3.12
Public CI matrix
pytest on three Python versions, on every pull request
140+
PyPI releases
Shipped continuously since March 2026 · Apache-2.0 open-core
Verify all four in minutes: clone the repo and count, or check the release history on PyPI. GraQle is also developed through its own governance: its PR gates, IP gates, and sentinel reviews run publicly on every commit — 14 public CI workflows on the repo itself.
MultiGov-30
We publish the benchmark harness, not a headline number.
MultiGov-30 is a reproducible, three-tier multi-regulation governance benchmark that ships inside the public SDK — 30 questions spanning EU AI Act, GDPR, and cross-regulation reasoning, scored on F1 and governance accuracy.
The harness lives at graqle/benchmarks/ and installs with the wheel — pip install graqle, run it, and read your own results. We deliberately quote no headline accuracy figure here: until a results artifact is committed to the public repo, the reproducible apparatus is the claim. Measure instead of trusting.
Token economics — the 88%
One measured number, two modeled ones. We label which is which.
The public case study behind CrawlQ's token-economics story publishes its full methodology, every assumption, and a reproduce-it-yourself formula.
Measured: the team that built GraQle measured 88% fewer tokens on knowledge-graph-anchored reasoning queries (graq_reason vs. cold flat-file Claude Code, same questions, software-development workload). That is the only figure in the study we call measured.
Modeled:the per-day activity-mix figure (3.00M → 0.35M tokens/dev/day) is a calibrated reconstruction, and the headline annual figure ($42,240 → $5,174 per 4-dev team) is a Year-2 forward projection that assumes a 90% local-model migration. Both are labelled as such in the study itself.
CrawlQ applies the same knowledge-graph pruning to brand context; our own ~87–90% brand-memory saving is a transparent calculation with every assumption stated — see the BYOK token-economics breakdown.
Read the full public case study — methodology, sources, and the reproduction formula →
EU AI Act engineering
Regulatory alignment as code paths, not PDFs.
Six engineering mechanisms in the public substrate, each inspectable at the file level. (Not legal advice — these are engineering controls, not a compliance determination.)
EUR-Lex drift guard — CI reads the regulation weekly
A scheduled public CI workflow re-hashes (SHA-256) every EUR-Lex URL cited in the docs, every week. If the regulator changes a page we cite, a GitHub Issue opens automatically. The regulation text itself is under change detection.
.github/workflows/eur-lex-weekly.yml
Rekor audit anchoring — verifiable even if the vendor disappears
Every governed decision gets a cryptographic receipt: RFC 8785 canonical JSON, RFC 6962 Merkle tree, ed25519 signature, anchored to the public Sigstore Rekor transparency log. An auditor can verify records independently, without access to our infrastructure — and the records remain verifiable via the public log even if the vendor disappears.
graqle/governance/runtime
EU-AI-Act mode is a cryptographic latch
Compliance mode is an ed25519-signed, hash-chained, irreversible switch. Once enabled it cannot be silently disabled — a tamper attempt fails closed.
.graqle/eu_ai_act_latch.jsonl
Non-claims discipline enforced in code
A release-blocking invariant test scans every governance record and refuses to ship if a 'compliant' or 'certified' field appears. The vocabulary discipline is code, not policy.
tests/test_compliance/test_robustness.py
13 public EU AI Act article-mapping docs
Article-by-article mapping — Articles 4, 12, 13, 14, 15, 25, 43 and 50, plus a baseline schema, claim-limits taxonomy, and out-of-scope statement — written to be quoted in a deployer's own compliance file.
Human oversight by construction
In EU-AI-Act mode, low-confidence writes are refused below a 0.65 confidence floor, with an audited human-override path. Human-in-the-loop is an enforced code path, not a checkbox.
README — Article 14 mapping
Supply-chain posture
Every release verifiable, end to end.
The release pipeline is built so you never have to take a wheel on faith.
- PyPI Trusted Publishing (OIDC) — no long-lived tokens in the release path
- Sigstore-signed wheels — verify any release yourself with `graq trustctl verify`
- CycloneDX SBOM attached to every release
- pip-audit gate blocks releases with CRITICAL/HIGH CVEs
- Reproducible builds (SOURCE_DATE_EPOCH-pinned)
Three European patent applications are pending on the underlying methods (EP26162901.8, EP26166054.2, EP26167849.4 — patent-pending, filed March 2026) — see the full patent portfolio. The research foundation is published and citable: Zenodo DOI 10.5281/zenodo.18929634 · SSRN 6359818. The substrate also has its own page →
What we don't claim
The honest remainder.
A disclosure page that only discloses strengths isn't a disclosure page. Here is what the public record does not (yet) support.
- Open-core, not fully open: the Apache-2.0 SDK is public; proprietary Studio/Enterprise components are not in the distribution, and reserved patent rights are not granted.
- Young repository: public since March 2026. Read the engineering discipline and release velocity (140+ releases in months), not community size — we make no adoption claims.
- The MultiGov-30 harness is public and reproducible, but no headline accuracy result is committed to the repo yet — so we don't quote one. Run the harness; trust your own output.
- Public CI currently skips ~26 test files — documented inside the workflow itself as tracked tech debt, not hidden.
- No third-party or peer-reviewed validation of the benchmark results yet. What we publish is the apparatus, so anyone can produce their own.
Due-diligence shortcut for your engineering or DPO review
Clone the repo, run the tests, run the benchmark harness, verify a signed wheel. Then send us the questions the code didn’t answer.