Skip to main content

FAQ

Frequently asked questions from teams evaluating and running azuma nori. Each answer links to the full documentation for the topic — this page is a fast-answer layer on top of it, not a replacement.

Getting Started & Accounts

Do I need a paid license to try nori?

No — the Free plan lets you sign in with any azuma account and run three essential, code-analyzable BSI TR-03161 controls (hard-coded secrets, strong password policies, and secure generation of session/user identifiers) at no cost. The remaining controls stay visible but locked until you upgrade. See Glossary.

Do I need an existing azuma doa account first?

No — you can create one, together with your own workspace, directly from the desktop app's sign-in screen. See Prerequisites and Installation.

Where do my results actually live — locally or in the cloud?

Locally, in the Standalone Client on your workstation, where the full detail (per-control findings, evidence, deep-dives, exports) is available. The cloud backend only holds a synchronized high-level record — it's a control plane, not a data plane. See Platform & Backend.

Data Sovereignty & Telemetry

Does my source code ever leave my machine?

No. nori is built on a zero-code-upload principle: a cloud LLM you configure sees code snippets only under your own account and API key (never through azuma), and a local or on-premise model keeps everything entirely within your own infrastructure. See Architecture & Security Model.

What exactly does the azuma backend receive?

Only high-level telemetry: run ID, execution metrics (duration, tokens), per-control pass/fail status, and the overall score. It never receives your source code, secrets or credentials, raw evidence files, or the detailed text of any finding. See Telemetry & Privacy.

What's the difference between the "backend" and the "client" in nori's architecture?

The backend is a control plane: it serves policy definitions, handles licensing and identity (via azuma doa), and receives synchronized run telemetry. The Standalone Client is the data plane: it's where analysis actually executes and where your findings and reports live. See Platform & Backend.

Choosing a Project Mode

What's the difference between Discovery & Analysis and Analysis-Only?

Discovery & Analysis (the default) first indexes your codebase into a local Wiki, then evaluates the policy against that curated context — best for larger or unfamiliar codebases. Analysis-Only skips indexing and evaluates your code directly — a leaner, faster workflow for smaller repositories and quick re-checks. See Run an Analysis.

Can I switch a project's mode later?

No — the mode is chosen at project creation and fixed for the life of the project. See Create a Project.

Does Analysis-Only still support attached evidence documents?

Yes. The source-code Wiki tab is hidden in this mode, but the separate "Wiki (Files)" document index built from your attached evidence is still indexed and used. See Analysis-Only.

AI Models & Cost Control

Which LLM providers can I use?

Direct Cloud API: OpenAI, Azure OpenAI, Claude, or Gemini (via Google's native SDK). Local CLI wrappers: Claude CLI, Gemini CLI, Cursor CLI, or the OpenAI Codex CLI, run as local processes. Or point nori at a fully private/on-premise endpoint. See LLM Models & Usage.

Can I use a cheaper model for indexing and a stronger one for the actual compliance evaluation?

Yes — Per-Phase Model Assignment lets you set different default models for Wiki Generation, Document Indexing, and Control Analysis, so you can reserve your strongest (and most expensive) model for the reasoning-heavy evaluation step. See LLM Models & Usage.

How do I keep run costs predictable?

Set a hard per-run budget cap (MaxBudgetUsd), enable Concise Wikis and Context Compression (up to ~60% token reduction on prose-heavy content), and rely on nori's exact per-run token and cost tracking to monitor spend. See LLM Models & Usage.

Compliance Policies & Evidence

Which compliance policies are actually usable today, and which are still coming?

Available: BSI TR-03161 (Parts 1–3), BSI TR-02102-1, and BSI TR-02102-2. Beta: the EU Cyber Resilience Act. Preview (not yet selectable when creating a project): OWASP ASVS and the EU AI Act. Planned (not yet available): BSI TR-03107. See Glossary for what each maturity label means, and the individual Compliance Policies pages for scope details.

Can one project check multiple standards, or multiple parts of one standard, at once?

No — each project targets exactly one policy. For example, BSI TR-03161 Part 1 (Mobile Applications) and Part 2 (Web Applications) are set up as separate projects. See Create a Project.

How does nori handle requirements that can't be verified from source code, like an HSM certificate?

Through External Evidence: attach PDFs, certificates, or architecture diagrams as either Global evidence (applies to the whole project) or Per-Control evidence (pinned to one requirement). nori indexes these into structured summaries and injects them into the relevant control's evaluation context. See External Evidence and External Evidence & Proof.

Automation, Exports & Reporting

Can I run nori in CI/CD today?

The core engine is already headless-capable: structured JSON logs via --output-format json, full environment-variable configuration (including AZUMA_API_KEY), and standard exit codes (0 success, 1 failure) that build servers can act on. Official GitHub Actions, GitLab CI, and Azure DevOps integrations are on the roadmap but not yet shipped. See CI/CD Automation.

How do I authenticate a headless/CI run?

Generate a long-lived API key from your azuma doa account dashboard under Developer Settings, and inject it into the runtime via the AZUMA_API_KEY environment variable — never commit it to your repository; use your CI/CD provider's secret manager. See Authentication.

What export formats are available, and who are they for?

Executive Briefing (Markdown/PDF) distills findings into policy insights and a remediation roadmap for leadership. General Export (PDF/HTML) is the full auditor deep-dive: complete control matrix plus line-level file:line evidence and sub-agent rationale. Regulatory Compliance Dossier is a deterministic, zero-LLM-cost, per-control report covering every control in the standard, with local file paths automatically stripped for external auditors. See Reporting & Exports.