The model that reads a diff is replaceable; the deterministic gate around it is not. What you publish, and what does the governing, is the gate: default-deny, runnable, receipt-leaving — with the model behind a seam you can swap without touching it.
It is tempting to think the intelligence is the product — that a sharper reviewer model is what makes AI code review safe. It is the opposite. The model that reads a diff is replaced within months. The thing that governs is the gate around it: the deterministic logic that default-denies on an unparseable or contradictory verdict and leaves a receipt of what it decided.
So the gate is what you open-source and the gate is what does the governing. The model sits behind a command seam and is swapped without touching the enforcement around it. Publishing the verdict ties governance to a model version; publishing the gate gives you something that holds as the models churn underneath it. The durable artifact is the boundary, not the brain.