Delegation boundaries
Which AI-assisted changes are safe to delegate is tracked by risk class.
PR Evidence Pack Showcase
AI-assisted delivery changes the review problem. A payment-platform PR can look complete before anyone has proved the right risks were checked. The evidence pack ties each release risk to the proof required for governed delivery review.
Value
| Pain | Without evidence pack | With evidence pack |
|---|---|---|
| Risk review | Reviewers infer risk from comments and code shape. | Risk, controls and evidence are explicit. |
| Security questions | Proof is requested late. | Required evidence is attached before approval. |
| Release ownership | Approval becomes a binary ship/no-ship call. | Decision, residual risk and rollback triggers are visible. |
| Incident review | Evidence is reconstructed after the fact. | The decision record exists at merge time. |
| Agent output | Confident summaries can hide missing controls. | Agent findings become structured review signals. |
System model
The artifact is the output. The product value comes from producing that output consistently across high-risk PRs without hand-building a release packet each time.
- Which AI-assisted changes are safe to delegate is tracked by risk class.
- Missing-evidence categories are visible across PRs.
- Repeatedly absent controls are aggregated, not rediscovered.
- Review starts from the release evidence record.
Proof status
| Claim | Status | Next validation |
|---|---|---|
| Evidence categories are useful | Demonstrated by representative pack | Run against multiple high-risk PRs |
| Release judgment can be expressed | Demonstrated by payments example | Validate against review threads and CI output |
| Packs can be generated repeatedly | Product hypothesis | Wire generator to PR metadata, CI and review comments |
| Aggregation creates governance value | Product hypothesis | Measure missing controls, exceptions and review gaps |
Change record
High integrity · medium availability · staged rollout · sanitized, representative.
```yaml
added:
  - key_id_header_validation
  - dual_key_verification_window
  - timestamp_tolerance_check
  - replay_nonce_store
  - audit_event_for_rejected_webhooks
unchanged:
  - payout_execution_logic
  - ledger_write_contract
  - operations_status_schema
```
Evidence matrix
| Risk | Control | Evidence | Status |
|---|---|---|---|
| Forged webhook marks payout complete | Signature and key id verification | Negative signature tests | Controlled |
| Replay changes payout status twice | Nonce store and idempotent worker | Replay test matrix | Controlled |
| Clock skew rejects valid events | Timestamp tolerance and alert | Manual release review | Accepted |
| Logs expose sensitive payload | Redacted audit schema | Static review | Controlled |
Pack object
The pack is concrete enough for PR review and structured enough for later aggregation.
```json
{
  "id": "payout-webhook-signature-rotation-v1",
  "risk_class": "high_integrity_medium_availability",
  "validation": {
    "unit": "pass",
    "integration": "pass",
    "contract": "pass",
    "manual_release_review": "pass"
  },
  "release": {
    "decision": "approve_staged_rollout",
    "rollback_available": true
  }
}
```
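As an added example (not the showcase's own code), a small Python gate that reads a pack in the shape shown above together with its evidence matrix and returns the release decision, holding the PR when a risk has no evidence, a validation gate did not pass, or an approval has no rollback, and then aggregates absent controls across packs. The embedded `matrix` field, the `Missing` status and the gating rules are assumptions of this example, not part of the pack format above.

```python
from collections import Counter

# Constructed evidence-matrix rows mirroring the page's payout-webhook pack.
MATRIX = [
    {"risk": "Forged webhook marks payout complete", "control": "Signature and key id verification",
     "evidence": "Negative signature tests", "status": "Controlled"},
    {"risk": "Replay changes payout status twice", "control": "Nonce store and idempotent worker",
     "evidence": "Replay test matrix", "status": "Controlled"},
    {"risk": "Clock skew rejects valid events", "control": "Timestamp tolerance and alert",
     "evidence": "Manual release review", "status": "Accepted"},
    {"risk": "Logs expose sensitive payload", "control": "Redacted audit schema",
     "evidence": "Static review", "status": "Controlled"},
]

PACK = {
    "id": "payout-webhook-signature-rotation-v1",
    "risk_class": "high_integrity_medium_availability",
    "validation": {"unit": "pass", "integration": "pass",
                   "contract": "pass", "manual_release_review": "pass"},
    "release": {"decision": "approve_staged_rollout", "rollback_available": True},
    "matrix": MATRIX,  # assumed field: the evidence matrix embedded in the pack
}

# Constructed degraded pack: replay control absent, no rollback ("Missing" status is assumed).
DEGRADED = {**PACK, "id": "payout-webhook-signature-rotation-v2",
            "release": {"decision": "approve_staged_rollout", "rollback_available": False},
            "matrix": [dict(r, status="Missing", evidence="") if "Replay" in r["risk"] else r
                       for r in MATRIX]}


def evaluate(pack):
    """Return (decision, blockers). The gating rules are this example's assumptions."""
    blockers = []
    for row in pack["matrix"]:
        if row["status"] == "Missing" or not row["evidence"]:
            blockers.append(f"no evidence for risk: {row['risk']}")
        elif row["status"] == "Accepted" and pack["validation"].get("manual_release_review") != "pass":
            blockers.append(f"accepted residual risk without release review: {row['risk']}")
    blockers += [f"validation gate not passed: {g}" for g, r in pack["validation"].items() if r != "pass"]
    if pack["release"]["decision"].startswith("approve") and not pack["release"]["rollback_available"]:
        blockers.append("approval without rollback available")
    return (pack["release"]["decision"] if not blockers else "hold", blockers)


def missing_controls(packs):
    """Aggregate controls absent across packs, so repeat gaps are counted, not rediscovered."""
    return Counter(row["control"] for p in packs for row in p["matrix"] if row["status"] == "Missing")
```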