These five clauses make up the logomesh compliance contract. They are the same three rules that govern the orchestrator’s evidence path, plus the standards mapping and the audit trail that follows from them. If any clause stops being true for an artifact, the artifact is not shipped.
Sealed evidence path
The bytes inside every shipped artifact came from the deterministic synthesizer and the sandbox only. No LLM token touches the call expression, the test code, or the sandbox output stored in the artifact. The artifact carries a stamp evidence_path_seal.llm_in_evidence_path: false that an auditor can verify by hashing the inputs and comparing.
Auxiliary tools — hypothesis suggesters, context probes, web search — are explicitly tagged advisory and excluded from the seal. They live in environment_prep or other sibling blocks marked in_evidence_path: false.
Verified exception match
“Reproduced” means the sandbox raised the same exception type the Sentry event captured. A pytest result of failed > 0 alone is not enough — a NameError from a busted import counts as failed too. The artifact only records verified_exception_match: true when the sandbox exception type matches the type recorded by the error monitor.
No silent ship on mismatch
If the verification gate fails, the run emits needs_human_review: true with the reason — never a green “shipped” verdict on a wrong artifact. Mismatches surface with a structured review_reason so a human can decide whether the divergence is meaningful.
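The gate logic of the two clauses above, as an added example written for this page rather than logomesh's own code. It reads the exception type off the last line of the stored sandbox output, compares it with the type the error monitor recorded, and emits the verified_exception_match / needs_human_review / review_reason fields. The sandbox outputs are constructed; the function names, the pytest_failed argument and the traceback-parsing rule are assumptions for the example.

```python
import re
from typing import Optional

# Constructed sandbox output for the two cases the clause contrasts: a genuine
# reproduction of the captured KeyError, and a NameError caused by a broken import.
SANDBOX_OUTPUT_MATCH = """\
FAILED test_repro.py::test_issue - KeyError: 'user_id'
Traceback (most recent call last):
  File "app/handlers.py", line 42, in handle
    return payload["user_id"]
KeyError: 'user_id'
"""

SANDBOX_OUTPUT_BUSTED_IMPORT = """\
FAILED test_repro.py::test_issue - NameError: name 'handle' is not defined
Traceback (most recent call last):
  File "test_repro.py", line 7, in test_issue
    handle({})
NameError: name 'handle' is not defined
"""

SANDBOX_OUTPUT_PASSED = "1 passed in 0.02s\n"  # constructed: nothing was reproduced

# Matches `Type: message` or `pkg.mod.Type: message` at the end of a traceback.
_EXC_LINE = re.compile(r"^([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)(?::|$)")


def exception_type_from_output(output: str) -> Optional[str]:
    """Bare class name from the final `Type: message` line of a Python traceback,
    or None when the last line is not an exception line (e.g. a passing run)."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return None
    m = _EXC_LINE.match(lines[-1].strip())
    return m.group(1).rsplit(".", 1)[-1] if m else None


def verification_gate(monitor_exception_type: str, pytest_failed: int, sandbox_output: str) -> dict:
    """Decide the artifact's verdict fields. Only an exception-type match yields
    verified_exception_match: true; every other outcome routes to human review
    with a structured review_reason instead of a green verdict."""
    observed = exception_type_from_output(sandbox_output)
    if pytest_failed <= 0:
        reason = "sandbox test did not fail; incident not reproduced"
    elif observed is None:
        reason = "test failed but no exception type could be read from sandbox output"
    elif observed != monitor_exception_type:
        reason = f"sandbox raised {observed}, error monitor recorded {monitor_exception_type}"
    else:
        return {"verified_exception_match": True, "needs_human_review": False}
    return {"verified_exception_match": False, "needs_human_review": True, "review_reason": reason}


if __name__ == "__main__":
    for label, failed, out in [("match", 1, SANDBOX_OUTPUT_MATCH),
                               ("busted import", 1, SANDBOX_OUTPUT_BUSTED_IMPORT),
                               ("passed", 0, SANDBOX_OUTPUT_PASSED)]:
        print(label, verification_gate("KeyError", failed, out))
```

The busted-import case is the one the clause warns about: pytest reports a failure, but the type read from the sandbox output is NameError, not the KeyError the monitor recorded, so the run lands in human review with the divergence spelled out.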
Control mappings: SOC2 CC7.3 / CC7.4 · PCI DSS 12.10.5
Every artifact embeds post-incident response controls — not pre-release code-review controls. The CLI emits:
"controls": [ "SOC2-CC7.3", "SOC2-CC7.4", "PCI-DSS-4.0-12.10.5" ]
Human-readable docs and dashboards may show the same three as:
"control_mappings": [ "SOC2 CC7.3", "SOC2 CC7.4", "PCI DSS 12.10.5" ]
- SOC2 CC7.3 — evaluate security events to determine whether they could or have resulted in a failure to meet objectives. The deterministic repro is machine-witnessed evaluation of the production incident.
- SOC2 CC7.4 — respond to identified security incidents. The sealed test, optional draft PR, and audit trail document the response.
- PCI DSS 12.10.5 — incident response procedures are in place and followed. The sealed envelope is the procedural artifact tying the alert to a verifiable reproduction.
Do not use PCI DSS 6.3.2 or SOC2 CC8.1 for this product. Those govern pre-release secure code review and change management — i.e. controls applied before a change ships. logomesh fires after a production crash is captured; the correct mapping is incident response (CC7.3 / CC7.4 / 12.10.5).
Audit trail and attestation
Each logomesh repro … --artifact run writes a timestamped JSON envelope to disk. Reviewers can hash the test bytes, verify llm_in_evidence_path: false, and walk the control mapping without trusting marketing copy.