01
1. Provision the API key
- Open /settings/api-keys, click Create key. Name it after the repo (e.g. acme-chat-api).
- Copy the didk_ prefix exactly once — the raw value is never shown again.
- In the repo, Settings → Secrets → Actions → New repository secret. Name: DOESITDEFEND_API_KEY. Value: paste the didk_ key.
02
2. Drop the manifest + workflow
- Add .doesitdefend.yml at the repo root: declare target.endpoint (your chat URL), template (openai_chat / anthropic_messages / simple_json), and watch the prompt files the gate should trigger on.
- Add .github/workflows/llm-gate.yml with the doesitdefend/scan@v1 step. Mark `permissions: pull-requests: write checks: write` so the Action can post the comment + check run.
- Open a PR that touches a watched file. The check run + comment land within ~2 minutes.
03
3. Match the profile to your pipeline stage
- Quick (5–15 min): run on every PR. Diff-aware probe selection means only categories that changed run — median CI impact is ~3 min on a typical system_prompt change. The gate only fails when posture REGRESSES from the last run — first PR records a baseline, subsequent ones compare against it.
- Standard (15–30 min): run as a nightly job on main. Wider probe surface catches regressions that accumulate across multiple PRs without blocking developers. Set as required=false on the branch protection rule.
- Deep (30–60+ min): run weekly or pre-release. Full corpus coverage, brittleness measurement, compliance-tag evidence pack. Never use as a blocking PR gate — schedule it as a standalone job.