No magic.Just math.
The system of record for engineering truth — cryptographically signed, deterministic audit evidence, generated automatically.
Déjà's Schema Deduction Engine attributes production failures to their upstream causal change using deterministic Abstract Syntax Tree (AST) analysis and eight weighted scoring factors (W1–W8) summing to 1.00 — without a trace ID, without an LLM, without a similarity search, without probabilistic guessing. The output is an Ed25519-signed receipt written to an immutable, append-only ledger and verifiable offline by your audit firm. Every attribution is reproducible. Every score is explainable. Every receipt is signed. Mathematical certainty, not probabilistic inference. No hallucination at audit time. Built for technical evaluators reporting to Heads of Risk, CROs, and CISOs at regulated firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, or SR 11-7. Verifiable offline by audit firms — firms such as KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, or independent.
Four phases. Fully structured metadata.
Capture signal
Observability webhook fires. Déjà ingests the raw error payload — stack trace, error type, message template, linked context.
Extract diff schema
ASTParser reads the merged PR diff. Extracts added, removed, and modified field declarations. Builds the Upstream Producer Graph node.
Stable identity
SHA-256 fingerprint computed from normalized error type + message template + stack frames. Survives refactors, line number drift, and churn.
Causal attribution
CCS_Math_Engine applies W1–W8 weights. If score ≥ 0.80, the causal PR is attributed. Signed receipt issued. Trace IDs are not used.
// SDE orchestrator — entry point for incident attribution. // Each phase emits a typed, schema-validated output. No phase is async-on-async; // the four phases compose deterministically and are fully reproducible. import { Signal, SchemaDelta, Fingerprint, Receipt } from './types/sde.types'; import { ASTParser } from './ast/ast-parser'; import { FingerprintEngine } from './fingerprint/sha256'; import { CCSMathEngine } from './ccs/math-engine'; import { ReceiptGenerator } from './receipt/generator'; export class SDEOrchestrator { async attribute(signal: Signal): Promise<Receipt | null> { // 01 · INGEST — already done; signal is the input. // 02 · AST_PARSE — extract typed schema delta from the merged PR diff. const delta: SchemaDelta = await ASTParser.parse(signal.prDiff); // 03 · FINGERPRINT — stable identity hash, survives refactors. const fp: Fingerprint = FingerprintEngine.hash({ errorType: signal.normalizedType(), messageTemplate: signal.templatize(), stackFrames: signal.canonicalFrames(), }); // 04 · CCS_MATCH — apply W1–W8 to score the candidate PR. const score = CCSMathEngine.computeCCS({ delta, fp, prMeta: signal.prMeta }); if (score.ccs < 0.80) return null; // below threshold → no attribution // Receipt issued only if every Trust Gate passes (see §06). return ReceiptGenerator.issue({ signal, delta, fp, score }); } }
Schema deltas, not source code.
SchemaDelta — the structural change introduced by the PR. The raw diff content is discarded after extraction. Only the schema delta and PR metadata pointers are persisted. Source code is never stored, and the diff is never written to disk.// Extracts schema delta from a merged PR diff. The output feeds the // Upstream Producer Graph (UPG). Diff content is processed in-memory // and discarded after extraction — never written to durable storage. import { DiffHunk, SchemaDelta, UPGNode } from '../types/sde.types'; import { parseTypeAnnotations, extractFieldDeclarations } from '../ast/utils'; export class ASTParser { /** Entry point for ingest pipeline. Called once per merged PR. */ static async parse(prDiff: string, prMeta: { prId: string; mergedAt: Date; authorId: string }): Promise<UPGNode> { // Step 1 · Split diff into typed hunks. const hunks: DiffHunk[] = await this.splitIntoHunks(prDiff); // Step 2 · For each hunk, extract field-level schema delta. const delta: SchemaDelta = { fieldsAdded: [], fieldsRemoved: [], // Removal is the primary attribution signal. fieldsModified: [], typesChanged: [], }; for (const hunk of hunks) { const declarations = extractFieldDeclarations(hunk.context); delta.fieldsModified.push(...declarations); // REQ-12 INFERRED: field name absent, infer from type annotation change. const inferredFields = parseTypeAnnotations(hunk.context, hunk.delta); delta.fieldsModified.push(...inferredFields); } // Step 3 · Build and return UPG node — stored against prId. return { prId: prMeta.prId, mergedAt: prMeta.mergedAt, authorId: prMeta.authorId, schemaDelta: delta, // queried by CCSMathEngine at error time graphEdges: await this.resolveUpstreamEdges(delta), }; } private static async resolveUpstreamEdges(delta: SchemaDelta): Promise<string[]> { /* ... omitted: walks consumer registry to find downstream services ... */ return []; } }
Eight factors. One deterministic score.
Ratio of incident-affected fields present in the PR diff. The dominant signal — highest weight in the CCS formula.
Exponential decay against PR merge time. 24-hour half-life (λ = ln(2)/24). An incident 4 hours post-merge scores higher than one 30 days later; the curve never fully reaches zero.
Saturating average of three sub-signals: distinct downstream services impacted (cap 5), distinct downstream queues impacted (cap 2), and schema files in the PR diff (cap 3). A PR with wider downstream reach scores higher.
Error taxonomy overlap between the incident signal and the candidate PR. KeyError, TypeError, and SchemaValidationError are strong indicators of a schema removal.
PR author's prior break-rate from historical mutation events. 0 prior incidents = 0.0, 1 prior = 0.5, 2+ = 0.8. Populated from VCS history.
Zone-identity match between the incident's service and the candidate PR's producer service. Same zone = 1.0, different zone = 0.0, unknown zone on either side = 0.5 (neutral — not a penalty).
BFS hop count through the Upstream Producer Graph. 0 hops = 1.0, 1 hop = 0.6, 2 hops = 0.3. Returns neutral 0.5 when no graph data is available — pre-graph receipts are not penalized. Attribution considers PRs merged within the last 30 days.
Continuous time-decay stability based on hours since the last schema mutation, saturating at 30 days. 1 hour ago ≈ 0.0; 15 days ≈ 0.5; ≥ 30 days = 1.0. No prior mutation = 1.0 (maximum stability). Returns neutral 0.5 when history is unavailable.
The score is computed, not inferred.
// CCS Math Engine — computes the Causal Confidence Score from eight independent // factors. Output is fully decomposable: every classification carries its // per-factor scores so attribution is auditable end-to-end. import { SchemaDelta, Fingerprint, PRMeta, ScoreResult } from '../types/sde.types'; const WEIGHTS = { w1_fieldOverlap: 0.30, // dominant signal: missing field ↔ removed field w2_temporal: 0.17, // exp(−λ · hoursElapsed), λ = ln(2)/24 (24h half-life) w3_blastRadius: 0.13, // saturating avg: downstream services + queues + schema files w4_errorTypeMatch: 0.13, // error taxonomy overlap w5_authorHistory: 0.08, // PR author's prior break-rate (from VCS history) w6_zoneBoundary: 0.07, // service zone alignment w7_producerDistance: 0.07, // BFS hops through Upstream Producer Graph (max 2) w8_schemaStability: 0.05, // min(1.0, hoursSinceLastMutation / 720) — 30-day saturation } as const; // Σ = 1.00. Pure function — no Date.now(), no Math.random(), no I/O. // All inputs injected by the caller. Same inputs → same score, every time. export class CCSMathEngine { static computeCCS(input: { delta: SchemaDelta; fp: Fingerprint; prMeta: PRMeta; inferredCeiling?: number; // caps inferred-extraction paths (default 0.65) }): ScoreResult { const factors = { w1: this.scoreFieldOverlap(input.fp, input.delta), w2: this.scoreTemporalProximity(input.fp, input.prMeta), w3: this.scoreBlastRadius(input.delta), w4: this.scoreErrorTypeMatch(input.fp), w5: this.scoreAuthorHistory(input.prMeta), w6: this.scoreZoneBoundary(input.fp, input.delta), w7: this.scoreProducerDistance(input.delta), // 0.5 (neutral) if no graph data w8: this.scoreSchemaStability(input.fp), // 0.5 (neutral) if no mutation data }; let ccs = factors.w1 * WEIGHTS.w1_fieldOverlap + factors.w2 * WEIGHTS.w2_temporal + factors.w3 * WEIGHTS.w3_blastRadius + factors.w4 * WEIGHTS.w4_errorTypeMatch + factors.w5 * WEIGHTS.w5_authorHistory + factors.w6 * WEIGHTS.w6_zoneBoundary + factors.w7 * WEIGHTS.w7_producerDistance + factors.w8 * WEIGHTS.w8_schemaStability; // Inferred extraction paths are capped — they cannot cross the attribution threshold. if (input.delta.fieldExtractionMethod === 'inferred') { const cap = input.inferredCeiling ?? 0.65; ccs = Math.min(ccs, cap); } // Two thresholds: attribution and high-confidence. Below 0.80 → no receipt. const classification = ccs >= 0.90 ? 'HIGH_CONFIDENCE' : ccs >= 0.80 ? 'ATTRIBUTED' : 'BELOW_THRESHOLD'; return { ccs, classification, factors, spec: 'DSR/1.0' }; } /* ... per-factor scoring methods — pure functions, fully unit-tested ... */ }
Attribution fires. Proof is issued.
ReceiptGenerator issues a signed receipt at attribution time. The Ed25519 signature covers the JCS-canonical payload (RFC 8785) computed at issuance. It cannot be altered after — including by Déjà. A receipt is generated any time the SDE attributes a causal PR — whether the pattern is new or previously seen. Attribution, not recurrence, is the trigger.// Attribution Receipt · sde_cross_service_receipts · Ed25519 signed { "receipt_id": "rcpt_8f2c91ae7b3d", "spec": "DSR/1.0", "issued_at": "2026-04-24T18:22:47Z", "vault_id": "vault_payments_core", "service_zone": "payments-checkout", "repository": "acme/payments-api", "pr_number": 4521, "causal_pr": "acme/payments-api#4521", // DB-generated "incident": { "fingerprint": "sha256:a41b...c92d", "error_class": "KeyError", "missing_field": "customer.tax_id", "signal_source": "sentry" }, "attribution": { "matched": true, "ccs_score": 0.94, "confidence": "HIGH_CONFIDENCE", "trace_id_used": false, // DB CHECK: always false "producer_graph_score": 0.60, "schema_stability_score": 0.40, "factors": { "w1_fieldOverlap": 0.98, "w2_temporal": 0.91, "w3_blastRadius": 0.89, "w4_errorTypeMatch": 1.0 /* ... w5–w8 omitted for brevity ... */ } }, "compliance": { "soc2_ready": true, // DB CHECK: receipt is format-compliant "iso27001_ready": true // flag, not org certification status }, "signature": { "algo": "ed25519-v1", "value": "7fBxK2mP4nQ8vR3eL6jF1wCytY0hG9dN8kM2pX4bV7zA3rE6qJ1iU5oH0fT8cS9aB3rKwNpDqME1u+Cz4XvQRs==", "fields_signed": ["ccs_score", "confidence", "error_class", "issued_at", "matched", "missing_field", "pr_number", "producer_graph_score", "repository", "schema_stability_score", "service_zone"], "canonicalization": "unicode-codepoint-sorted JSON", "sealed_at": "generation_time" // frozen pre-insert } }
DSR/1.0 defines 10 receipt types across three families: core (R1 Attribution, R2 Resolution), exception (R0 Signal, R1-L Low Confidence, R1-N No Match, R2-F Fix Failure, R2-R Recurrence), and lifecycle (RG Governance, RV Vault Verification, RE Engagement). All carry Ed25519 signatures and a sorted fields_signed array. See /receipt-types for the full taxonomy.
The composite confidence score. Fully decomposable via the factors object — every receipt carries its per-factor W1–W8 breakdown for audit.
Permanently false — enforced by a database CHECK constraint. Trace IDs are not used in attribution. CCS is computed entirely from schema deltas, fingerprints, and graph traversal.
soc2_ready and iso27001_ready are per-receipt format flags — they indicate the receipt is structurally compliant with the relevant evidentiary standard. They are not a statement of organizational certification status. See Security for current certification posture.
Canonical list of 11–13 fields covered by the Ed25519 signature (11 standard; 13 when BYOK signing-key fields are present), sorted by Unicode code-point. The canonical form is JS-engine-independent. Modifying any signed field invalidates the signature — including changes by Déjà operators.
generation_time. The canonical payload is Object.freeze()'d before signing and DB insert. The signature is never re-signed. Auditors verify offline using dsr-verifier-cli.
Signed evidence. Not a grade.
Did the files that changed match the files affected by the incident?
Did error rates return to baseline?
Did CPU, memory, and latency normalize?
Were feature flags stable during recovery?
Did the resolution hold long enough to count?
// Resolution gate evaluation. All five gates run; all five scores are recorded. // allPassed = true when every gate score ≥ threshold. The Resolution Receipt // is issued regardless of allPassed — it captures what was evaluated, signed. import { FileGate, RateGate, InfraGate, FeatureGate, DurationGate } from './gates'; import { ResolutionContext, GateEvaluation } from '../types/sde.types'; export async function evaluateGates( ctx: ResolutionContext, threshold: number, // injected per-vault from VaultPolicy ): Promise<GateEvaluation> { // All five gates evaluated. Missing signals score neutral, not failure. const scores = { file: await FileGate.score(ctx), // file-change baseline alignment rate: await RateGate.score(ctx), // error-rate post-fix recovery infra: await InfraGate.score(ctx), // CPU / memory / latency normalization feature: await FeatureGate.score(ctx), // flag-rollout stability duration: await DurationGate.score(ctx), // resolution observation window }; const allPassed = Object.values(scores).every(s => s >= threshold); // Resolution Receipt issued regardless of allPassed. // It is a signed evidence record of the resolution attempt, not a success certification. return { scores, allPassed, threshold, evaluatedAt: ctx.now }; }
A Resolution Receipt is issued whether the gates passed or failed.
The receipt records gatesPassed: true, all five scores, the DSR Fix Code, the time-to-resolution, and a cryptographic signature over all signed fields. Positive evidence that the fix held.
The receipt still records gatesPassed: false, all five scores, the DSR Fix Code, and the same cryptographic signature. A signed, timestamped record that a resolution was attempted and the criteria were not met.
“Déjà issues a signed Resolution Receipt for every resolution attempt. The receipt records the outcome — it does not manufacture one.”
Audit references that speak English.
Every Resolution Receipt — pass or fail — includes a DSR Fix Code: a human-readable, system-generated identifier embedded in the signed canonical payload. It is not a UUID. It is not a hash. It is a structured, readable reference that an auditor can cite by name in a finding, an appendix, or a control-evidence package.
The zone prefix comes directly from the vault configuration — the same service zone label used throughout the attribution pipeline. The sequence number is per-org, per-year, monotonically incrementing. Two receipts from the same org in the same year never share a code. The DSR Fix Code is part of the signed canonical payload — it cannot be altered after issuance without invalidating the signature.
Built for regulated environments.
Déjà reads transient webhook diffs and error payloads. It never clones your repository, reads historical files, or accesses runtime data. You control what is ingested. The system can be deployed to meet strict perimeter requirements — including dedicated regional infrastructure, configurable retention horizons, and customer-defined data perimeter policies.
Full security architectureCODE_ACCESS: no_repository_cloning DATA_MIN: tokens + fingerprints RETENTION: configurable PERIMETER_POLICY: customer_defined AUDIT_LOGS: enabled_by_default CROSS_TENANT: cryptographic_isolation
Zero-click compliance. Background webhook interception.
pull_request.merged event triggers AST analysis against the pre-computed Upstream Producer Graph. When a production error signal arrives, the engine extracts the Schema Error Tuple, queries the UPG, computes the Causal Confidence Score (CCS) from W1–W8, and silently outputs an Ed25519-signed receipt to the immutable, append-only ledger. No engineer action required. No pipeline blocker. No manual screenshotting of Jira tickets at 11pm before the SOC 2 audit.- Zero-click compliance — receipts auto-generate; no engineer tickets
- Background webhook interception on
pull_request.merged - No manual screenshotting of Jira tickets or Slack threads
- No audit-prep sprints — evidence is ready before the auditor calendar invite goes out
- Connects via background webhook interception — no pipeline changes required
- Live Verifier via
dsr-verifier-cli— Apache-2.0, open source - Independent Ed25519 signature verification, offline, no network call to Déjà
- No Déjà account required to verify a receipt
- No source code access required — auditors verify attribution, not the codebase
- Built on the open DSR/1.0 standard — your firm owns the verification logic
Based on Déjà's conversations with regulated-firm engineering teams, audit prep can consume multiple FTE-weeks per cycle reconstructing evidence by hand — searching Slack for incident context, screenshotting Jira tickets, copying deployment logs into spreadsheets, manually annotating bundles before the auditor arrives. The cost compounds across SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, and SR 11-7 cycles. Déjà's deterministic engine eliminates the category. No probabilistic guessing. No hallucination at audit time. Mathematical certainty by construction.
Receipts are independently verifiable. No implicit trust required between Déjà, the customer, or the audit firm. The signature is the contract; the verifier is the proof. The append-only ledger is the chain. Trust nobody — verify everything.
Ready to deploy the engine?
Provision your Vault, connect a repository, and let the evidence accumulate. Every incident from your first connected service produces a signed, tamper-evident attribution receipt — verifiable offline with the open verifier CLI.