Synthetic demonstration · fictional application · not customer evidence
This illustrative artifact is not a customer case study, security certification, penetration test, or claim that a real incident was prevented.
Sample deliverable
Release evidence pack
A worked example of how one exact release state becomes a reviewable contract, critical-path record, remediation log, risk decision, and accountable handoff.
Decision summary
Application
Northstar Workspace — fictional
Release
2026.07.15-rc1 · a1b2c3d
Scope
1 repo · 1 staging · 3 roles · 3 workflows
Decision
CONDITIONAL GO
01 · Release contract
The boundary is written before the checks begin.
| Field | Contracted value |
|---|---|
| Repository | northstar/workspace — fictional |
| Release state | release/2026.07.15-rc1 at a1b2c3d — synthetic |
| Environment | Isolated staging with non-production data |
| Roles | Owner, billing admin, member |
| Workflows | Invitation and tenant switch; subscription cancellation; authorized data export |
| Evidence standard | Reproducible steps, observed browser/API/data state, CodeTruss receipt reference, remediation diff, and rerun result |
| Exclusions | Penetration testing, load testing, mobile clients, disaster recovery, production data, and compliance certification |
02 · Critical-path matrix
Results connect the assertion, change, rerun, and evidence reference.
| Workflow and assertion | Initial | Remediation | Rerun | Evidence |
|---|---|---|---|---|
| Invitation token may only join its issuing tenant | FAIL — blocker | Bound token validation to issuing tenant and intended email | PASS | EV-AUTH-01 |
| Duplicate cancellation webhooks may not create duplicate credits | FAIL — blocker | Added provider-event idempotency and a transactional guard | PASS | EV-BILL-02 |
| A revoked billing admin may not start or download a data export | PASS | None | PASS | EV-EXPORT-03 |
| Email-provider hard failure records a recoverable delivery state | NOT RUN | None | NOT RUN | RISK-04 |
03 · Remediation record
FIX-01
Invitation tenant binding
- Initial observation
- The fictional invite endpoint accepted a valid token while trusting a tenant identifier supplied by the browser.
- Bounded change
- Resolve tenant and intended email from the signed invitation record; reject caller-supplied tenant substitution.
- Rerun result
- The intended recipient joined the issuing tenant. Wrong-email and wrong-tenant attempts returned a generic rejection, and no membership row was created.
FIX-02
Cancellation webhook idempotency
- Initial observation
- Two deliveries of the same fictional provider event created two internal credit adjustments.
- Bounded change
- Record the provider event identifier inside the same transaction as entitlement and ledger updates.
- Rerun result
- The first delivery changed entitlement and ledger state once. The duplicate returned success without another state change.
04 · Open risk
RISK-04
Conditional means conditional.
Provider hard-failure injection was unavailable in the fictional pilot environment. The release owner accepts the risk only if delivery-state monitoring and manual replay remain enabled for the first 24 hours. The decision becomes NO-GO if either control is absent at release time.
Final decision: CONDITIONAL GO after FIX-01 and FIX-02 are merged at the contracted Git state, passing checks are rerun in the release environment, and RISK-04 has a named owner.
Capability boundary
Product proof and engineer-led service are stated separately.
Current CodeTruss product
Local change boundary, sensitive-surface flags, deterministic registry analyzers, configured project verification, explicit verdicts, integrity-signed Markdown and JSON receipts, and explicit-only receipt sync.
Engineer-led pilot work
Browser, API, data-store, webhook, queue, and external-side-effect checks for the contracted workflows.
Evidence-pack deliverable
A service artifact that joins those inputs into a bounded human release decision, including every material untested path.
Receipt signatures establish post-signing integrity of captured bytes. They do not prove trusted execution or the truth of every conclusion.
Reminder: every company, identifier, observation, result, and remediation on this page is fictional and synthetic.
Put your exact release behind the same evidence boundary.
The first risk screen needs your stack, target date, current testing state, and the three workflows that cannot fail. Repository access is not required.