SYSTEM DOCUMENTATION · CRYPTOGRAPHIC EVIDENCE CUSTODY · REFERENCE

The Déjà system, documented for review.

Reference document for security architects, implementation engineers, audit-firm technologists, and CISOs evaluating Déjà for production deployment at firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, or SR 11-7. Organized for lookup, not for narrative reading. Sections marked "draft" are in active development and will be expanded as production observations and formal review processes mature. Everything else is anchored to the DSR/1.0 specification, the Schema Deduction Engine architectural proof, and the platform's security posture. Audit firms — firms such as KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, or independent — verify receipts offline using dsr-verifier-cli; this page documents the system that produces them.

Authoritative·Versioned·Cross-referenced·Updated 2026-04-25

§01 / CORE CONCEPTS

The vocabulary the system operates on.

Every term in this document is defined here. Definitions are intentionally minimal — the deeper mechanics live in dedicated sections. Use this section as a lookup index.

Vault

A logical container for receipts, scoped to one customer environment. Backed by the products table at the database layer. Cryptographically isolated from other vaults via tenant-scoped signing keys. Every receipt belongs to exactly one vault. Cross-vault queries are forbidden at the storage layer.

Receipt

A signed, tamper-evident attribution event. Issued when CCS ≥ 0.80 and all trust gates pass. Conforms to the DSR/1.0 specification. The signature is sealed at issuance and cannot be re-signed — including by Déjà operators.

Receipt Class

One of R0, R1, R1-L, R1-N, R2-F, R2-R. Determines retention policy, downstream delivery rules, and which signature fields are mandatory. See Appendix A for full taxonomy.

Schema Deduction Engine (SDE)

The deterministic attribution pipeline that produces receipts from observability webhooks. Composed of four phases: ingest, AST parse, fingerprint, CCS match. See The Engine for the architectural proof.

Causal Confidence Score (CCS)

A composite score in [0, 1] computed from eight independent factors (W1–W8). Threshold for attribution: 0.80. High-confidence threshold: 0.90. The score is fully decomposable — every receipt carries the per-factor breakdown.

Upstream Producer Graph (UPG)

A directed graph of schema-producing services and their downstream consumers. Built from merged PR diffs. Each UPGNode is keyed on PR ID and stores the typed SchemaDelta extracted from that PR.

Service Zone

A logical boundary, typically aligned with a pub/sub topic or domain. Cross-zone breaks score higher on factor W6 — they are the failures most likely to evade trace IDs.

Trust Gate

One of five validation checks (File, Rate, Infra, Feature Flag, Duration) that must pass before a receipt is issued. Composition is strict AND: a single gate failure halts attribution.

Fingerprint

A SHA-256 hash of the normalized error type, message template, and canonical stack frames. Stable across refactors and line-number drift. The fingerprint is the join key between an error signal and a candidate UPG node.

Audit Ledger

An append-only event log capturing every attribution attempt, gate result, receipt issuance, and operator action. Writes only — never updates or deletes. Enabled by default, cannot be disabled.

§02 / DATA MODEL

Entities, relationships, and invariants.

Déjà persists a small number of entities. The data model is deliberately narrow — most artifacts of the attribution pipeline (raw diffs, error payloads, intermediate computation) are processed in-memory and discarded after extraction.

Entity	Purpose	Mutability
vaults	Tenant container; aliased as `products`	Update permitted on metadata only
receipts	Signed attribution events (DSR/1.0)	Immutable post-issuance
upg_nodes	Schema delta + graph edges per merged PR	Append-only
attribution_events	All attribution attempts (incl. failures)	Append-only
audit_log	System event log, gate failures, operator actions	Append-only · enforced at DB layer

Key invariants. The data model enforces several invariants below the application layer — they cannot be violated even by a privileged operator:

All tables are vault-scoped. Cross-tenant queries are forbidden at the storage layer via row-level security policies.
The audit_log table is append-only. UPDATE and DELETE permissions are revoked at the role level; the schema enforces this via triggers.
Every receipt's signature field is computed at issuance and never mutated. Modifying any signed field invalidates the signature and is detectable offline by the verifier CLI.
The upg_nodes.schema_delta field is the only persisted artifact of a PR diff. The raw diff content is discarded after extraction.

CANONICAL · IMPLEMENTATION NOTEThe products table and the conceptual Vault are the same entity. The naming reflects an early product-management framing that has since standardized on Vault for customer-facing surfaces. Internal schema continues to use products for migration safety.

§03 / NORMALIZATION ENGINE

How signal data is made refactor-stable.

The normalization engine transforms raw error signals into stable, comparable artifacts. Without normalization, a refactor that moves a function or renames a parameter would change the fingerprint of every error originating from that function — destroying the join between error signals and UPG nodes.

Normalization happens in three phases, each producing a canonical artifact:

Error type normalization

Maps platform-specific error types to a canonical taxonomy. KeyError, TypeError, SchemaValidationError, NullPointerException, and others. The taxonomy is fixed and versioned — new types require a DSR spec MINOR bump.

Message template extraction

Strips runtime variables (UUIDs, IPs, integers, free-form strings) from error messages. Variables are replaced with typed placeholders: {uuid}, {int}, {string}. The result is the message template — what the error looks like across all instances.

Stack frame canonicalization

Drops noise frames (test runner internals, framework infrastructure, dynamic dispatch wrappers). Keeps user-code frames. Frame identity is normalized to (function_name, file_path) — line numbers are intentionally excluded so the fingerprint survives source-line drift.

The fingerprint is the SHA-256 of the canonical concatenation of these three artifacts:

packages/sde/src/fingerprint/sha256.ts

FINGERPRINT

// Fingerprint computation. Stable across refactors and line-number drift.

export class FingerprintEngine {
  static hash(signal: { errorType: string; messageTemplate: string; stackFrames: string[] }): Fingerprint {
    const canonical = [
      signal.errorType,                          // canonical taxonomy
      signal.messageTemplate,                    // variables stripped
      signal.stackFrames.join(' :: '),           // (fn_name, file_path) pairs
    ].join(' || ');

    return {
      algo: 'SHA-256',
      value: sha256(canonical),                  // hex-encoded
      canonical_form_version: 'v1',             // bumped on taxonomy changes
    };
  }
}

Two errors that look textually different but reduce to the same canonical form share a fingerprint. This is the key property that makes attribution work across refactor cycles.

§04 / VALIDATION ORCHESTRATOR

Five gates. One failure halts the receipt.

Before any receipt is issued, the validation orchestrator runs five trust gates sequentially. The composition is strict AND: a single gate failure halts attribution and logs the failure reason to the audit ledger. No receipt is issued. No customer-facing alert fires.

Gate	Job	Failure semantics
File Gate	Files touched by PR are in dependency path of crashing service	Halt; log `FILE_GATE_NO_EDGE`
Rate Gate	Regression rate drops after the PR window	Halt; log `RATE_GATE_NO_DROP`
Infra Gate	Rules out infra noise and deploy artifacts	Halt; log `INFRA_GATE_NOISE_DETECTED`
Feature Flag Gate	Correlates rollout flags to incident exposure	Halt; log `FF_GATE_NO_CORRELATION`
Duration Gate	Confirms fix stability over a 72h window	Halt; log `DURATION_GATE_REOPEN`

FAIL_POLICY · SILENTFailed gates are logged, not propagated. A failed gate is an internal correctness signal, not a customer-facing alert. Operator visibility is via the governance log; the customer sees no false-positive notification.

The full gate composition logic and code path is documented in The Engine, §06 Trust Gates.

§05 / INCIDENT LIFECYCLE

From webhook fire to receipt delivery.

An incident moves through seven terminal states. Five of them produce a receipt (R0 ingestion always fires; R1-class receipts fire conditionally). One produces an audit log entry only.

State	Trigger	Output
INGESTED	Webhook received, signal parsed	R0 receipt
FINGERPRINTED	SHA-256 computed; UPG candidates identified	internal state
SCORED	CCS computed against best UPG candidate	internal state
ATTRIBUTED	CCS ≥ 0.80, all gates passed	R1 receipt
LOW_CONFIDENCE	0.60 ≤ CCS < 0.80; ambiguous attribution	R1-L receipt
BELOW_THRESHOLD	CCS < 0.60; no candidate above low-confidence floor	R1-N receipt
GATE_FAILED	One gate returned `pass: false`	audit log only

SPEC vs IMPLEMENTATION · TRANSPARENCY NOTE

The R-class receipt subtypes (R0, R1, R1-L, R1-N) are DSR/1.0 spec-defined semantic categories. The current codebase materializes them across two database receipt tables — sde_cross_service_receipts (Attribution: covers R0, R1, R1-L, R1-N) and sde_resolution_receipts (Resolution: covers R2-class subtypes) — distinguished at the data level via a classification field (HIGH_CONFIDENCE_DEDUCTION, ATTRIBUTED, BELOW_THRESHOLD) and gate-result fields rather than as separate tables. The dsr-verifier-cli projects the database representation back into the canonical DSR/1.0 receipt format, so audit firms verifying receipts offline see the spec-correct view. Future receipt subtypes (RV verification, RE export, RG governance) are spec-defined and will be introduced as separate materializations as the system matures. See Receipt Types for the full subtype taxonomy.

Timing characteristics are aspirational targets governed by service-level objectives, not hard guarantees. Production benchmarks accumulate in §08 as deployments mature. Current targets:

Webhook ingest → fingerprint: < 30 seconds (target)
Fingerprint → attribution: < 10 seconds (target)
Attribution → delivery: < 5 seconds (target)

§06 / INTEGRATION SPECIFICATIONS

Thirteen providers, three readiness tiers.

Integrations are categorized by readiness: Live (production-validated), Beta (functional, undergoing validation), and Q3–Q4 2026 (specification-complete, build pending). Authentication mode and webhook payload requirements are documented per provider in the standalone Docs page.

Provider	Category	Status	Auth
Datadog	Observability	Live	API key
Sentry	Error tracking	Live	OAuth + DSN
GitHub	VCS / PR events	Live	App install
Slack	Outbound delivery	Live	OAuth bot
PagerDuty	Incident lifecycle	Live	API key
New Relic	Observability	Beta	API key
GitLab	VCS / PR events	Beta	Project token
Jira Service Management	Ticket linking	Beta	OAuth
ServiceNow	ITSM linking	Beta	OAuth
Splunk	SIEM / logs	Q3–Q4 2026	HEC token
Dynatrace	APM	Q3–Q4 2026	API token
Honeycomb	Observability	Q3–Q4 2026	API key
AppDynamics	APM	Q3–Q4 2026	OAuth

The 13 first-party integrations cover the bulk of customer environments. Indirect coverage of an additional 700+ tools is achieved via aggregator hubs — primarily PagerDuty's event source library and Splunk On-Call's webhook intake. See the Integrations Directory for the full list.

§07 / CONFIGURATION

The deja.yaml reference. Documentation in progress

Section under active development

The configuration schema is being formalized for the v1.0 release. The current deja.yaml reference is in active development and the field set is not yet stable. This section will document the full configuration surface, defaults, and validation rules once the schema is locked.

What this section will cover

→Top-level deja.yaml schema — vault, integrations, channels, retention, and policy blocks
→Vault provisioning — region selection, signing key rotation, isolation policy
→Retention policy — per-receipt-class retention horizons and configurable overrides
→Channel routing — which receipt classes deliver to which Slack / PagerDuty / email destinations
→Webhook authentication — per-provider HMAC and shared-secret configuration
→Validation rules — schema validation errors, deprecation warnings, and migration paths

§08 / PERFORMANCE & SCALING

Latency, throughput, and scaling boundaries. Documentation in progress

Awaiting production observation

Production benchmarks are accumulating. Performance characteristics will be published after sustained customer load is observed and validated against multiple deployment topologies. Publishing aspirational targets without observed data risks misleading readers about real-world behavior.

What this section will cover

→Webhook ingestion latency — p50, p95, p99 per provider, per region
→Attribution latency — signal arrival to receipt issuance, end-to-end
→Throughput characteristics — sustained webhook rate per vault, burst tolerance
→UPG query performance — graph traversal cost as PR volume grows
→Storage growth — receipt and audit-log durable footprint per active vault
→Scaling boundaries — vault-count and receipt-rate thresholds at which deployment topology must change

§09 / SYSTEM FAILURE SEMANTICS

Failure modes and recovery. Documentation in progress

Formal model in development

Failure modes are being formally modeled as production deployments mature. This section will document each failure class, its detection mechanism, its blast radius, and its recovery semantics. Premature publication risks documenting failure modes that have not been observed under load.

What this section will cover

→Webhook ingestion failures — provider downtime, signature verification failures, replay handling
→AST parsing failures — malformed diffs, unsupported syntax, language-specific edge cases
→Trust gate failures — covered conceptually in §04; this section will cover operational diagnosis
→Storage layer failures — database unavailability, signature key rotation failures
→Cross-region replication — eventual-consistency boundaries for multi-region deployments
→Recovery procedures — operator runbook for each failure class

§10 / THREAT MODEL

Adversaries, surfaces, mitigations. Documentation in progress

In review with security partners

A formal threat model is being developed in collaboration with our security review process. This section will document threat actors, attack surfaces, and mitigations, in the format expected by SOC 2 Type II auditors and enterprise security review teams.

What this section will cover

→Tenant isolation boundary — cryptographic and database-level separation between vaults
→Webhook authentication and replay — HMAC verification, nonce handling, clock-skew tolerance
→Receipt forgery prevention — signature scheme, key rotation, fields-signed canonicalization
→Insider threat (Déjà operators) — append-only audit log, signed-fields immutability
→Supply-chain exposure — dependency review, build provenance, deployment integrity
→Compliance exposure scenarios — what an attacker would need to do to invalidate a regulator-facing receipt

§11 / SECURITY & COMPLIANCE

Posture, certifications, and architecture.

This section is a brief reference. The full security architecture lives on the Security page, including the zero-retention diagram, subprocessor table, and data-handling commitments.

Zero-retention architecture

Webhook diffs and error payloads are processed in-memory and discarded after schema delta extraction. Source code is never stored, repository contents are never cloned, and runtime data is never accessed.

Cryptographic isolation

Each vault holds a tenant-scoped signing key. Cross-vault queries are forbidden at the storage layer. A compromised vault cannot reveal data from any other vault.

DSR/1.0 receipt signing

Receipts are signed at issuance using Ed25519 over the JCS-canonical payload (RFC 8785). The fields_signed array is part of the signed payload — modifying any signed field invalidates the signature, which is detectable offline by the verifier CLI.

Audit log

All attribution attempts, gate results, receipt issuances, and operator actions are recorded in the append-only audit log. Cannot be disabled. Cannot be retroactively edited.

Certifications

SOC 2 Type II in progress (target: Q3 2026). ISO 27001 planned (2027). HIPAA evaluation underway for healthcare-tier vaults. Current posture is documented on the Security page.

Customer-defined perimeter

Customers configure data residency, retention horizons, and channel routing per vault. Déjà operators cannot override customer perimeter policy. Policy changes are recorded in the audit log.

§12 / CHANGE MANAGEMENT & VERSIONING

How the spec evolves without breaking auditors.

Déjà's spec evolution policy is conservative by design. Receipts may be verified months or years after issuance, often by auditors using a verifier CLI version different from the one that produced them. Backward compatibility is treated as a regulatory commitment, not an engineering preference.

Versioning scheme

The DSR specification follows a semver-like MAJOR.MINOR scheme. DSR/1.0 is the current version. MINOR versions are forward- and backward-compatible; new fields may be added but existing fields cannot be removed or repurposed.

Receipt schema evolution

New fields added in a MINOR version are optional by default. Receipts produced before the field existed simply omit it. Verifier CLIs from earlier versions ignore unknown fields, preserving forward compatibility.

Verifier CLI compatibility

The dsr-verifier-cli is forward-compatible: a v0.9 CLI verifies receipts produced by v0.9 or any later MINOR version. Major version changes (DSR/2.0) require explicit operator action and a CLI upgrade.

Deprecation policy

Any breaking change requires a 6-month minimum deprecation window. Deprecated features are tagged in the audit log when used. Migration guides are published at the start of the deprecation window.

Working group governance

DSR/1.0 evolution is governed by the open standards working group. Charter customers hold seats on the working group. Spec changes are public and require working-group approval before adoption.

§13 / TROUBLESHOOTING

Common issues and diagnoses. Documentation in progress

Knowledge base in development

Common issues are being catalogued as they emerge from real deployments. This section will be expanded as the support knowledge base grows. Publishing speculative troubleshooting guidance risks misdirecting operators dealing with real failures.

What this section will cover

→Webhook authentication failures — HMAC mismatches, signature verification, clock skew
→Trust gate failure diagnosis — reading the audit ledger, interpreting failure codes
→Receipt verification failures — verifier CLI return codes and remediation steps
→Integration-specific issues — provider-by-provider known issues and workarounds
→UPG node misses — diagnosing why a known PR is not appearing as an attribution candidate
→Channel delivery failures — Slack token expiry, PagerDuty rate limiting, email bounces

§14 / NON-GOALS

What Déjà deliberately does not do. Documentation in progress

Awaiting product-strategy review

Explicit non-goals are being formalized in collaboration with the product team. This section will document what Déjà deliberately does not do, with rationale, in the form expected by buyers conducting category-fit evaluation. Premature publication risks closing doors that deserve deliberate reconsideration.

What this section will cover

→Déjà is not a logging platform. It does not store, search, or retain log content.
→Déjà is not an APM. It does not collect spans, traces, or runtime metrics.
→Déjà is not an alerting tool. It produces receipts and delivers them to channels, but does not page on-call.
→Déjà does not store source code. It processes webhook diffs in-memory and discards them after schema extraction.
→Déjà does not do anomaly detection or pattern learning. The CCS is computed from named factors, not learned weights.
→Déjà is not a substitute for incident management. It augments existing tools (PagerDuty, FireHydrant, incident.io); it does not replace them.

§15 / GLOSSARY

Alphabetical reference of every term.

Attribution

The deterministic assignment of a production failure to its causal upstream PR. Output of the SDE pipeline when CCS ≥ 0.80 and all gates pass.

Audit ledger

Append-only event log of all attribution attempts, gate results, receipt issuances, and operator actions. Cannot be disabled or edited retroactively.

Auditor

A user role with read-only access to receipts and audit log entries. Auditor seats are unlimited across all paid tiers.

Causal Confidence Score (CCS)

Composite score in [0, 1] from eight weighted factors. Threshold 0.80; high-confidence 0.90.

Charter customer

One of up to 15 founding customers who holds a working group seat, founding pricing of $30K/year locked for the life of the subscription, and a 30% future-tier discount.

DSR/1.0

The Deterministic Signed Receipt specification, version 1.0. Open standard, Apache-2.0 licensed.

Fingerprint

SHA-256 hash of normalized error type, message template, and canonical stack frames. Refactor-stable.

Gate

One of five sequential validation checks (File, Rate, Infra, Feature Flag, Duration). Strict-AND composition.

Receipt

Tamper-evident, cryptographically verifiable event conforming to DSR/1.0. Sealed at issuance; core and lifecycle types carry an Ed25519 signature, exception types carry a SHA-256 content hash.

Receipt class

R0, R1, R1-L, R1-N, R2-F, R2-R. See Appendix A.

Schema delta

Typed structural change extracted from a merged PR diff. Stored on the UPG node; raw diff content discarded.

Schema Deduction Engine (SDE)

Four-phase deterministic attribution pipeline: ingest, AST parse, fingerprint, CCS match.

Service zone

Logical boundary aligned with pub/sub topic or domain. Cross-zone breaks score higher on factor W6.

Signing key

Tenant-scoped cryptographic key used to sign receipts at issuance. Rotated per documented schedule.

Trust gate

See Gate.

Upstream Producer Graph (UPG)

Directed graph of schema-producing services and their downstream consumers, built from merged PR diffs.

Vault

Logical receipt container scoped to one customer environment. Backed by products table. Cryptographically isolated.

Verifier CLI

dsr-verifier-cli — open-source tool that verifies receipt signatures offline. Forward-compatible across MINOR DSR versions.

W1–W8

The eight factors of the CCS. W1 field overlap (0.30), W2 temporal proximity (0.17), W3 blast radius (0.13), W4 error type match (0.13), W5 author history (0.08), W6 zone boundary (0.07), W7 producer graph distance (0.07), W8 schema stability (0.05). Weights sum to 1.00. Per-vault weight overrides are governance-controlled.

§16 / APPENDICES

Reference tables, taxonomies, status codes.

Appendix A · Receipt class taxonomy

Class	Name	Trigger	Retention
R0	Ingestion	Webhook successfully received and parsed	Configurable; Enterprise tier only
R1	Attribution	CCS ≥ 0.80, all gates pass	Configurable per tier
R1-L	Low-confidence attribution	0.60 ≤ CCS < 0.80; exception receipt	Configurable; Standard tier and above
R1-N	Negative attribution	CCS < 0.60; no PR above low-confidence floor	Configurable; Standard tier and above
R2-F	Fix-confirmed	Fingerprint resolution observed in graph	Configurable
R2-R	Recurrence	Same fingerprint re-fires post-fix	Configurable

Appendix B · Verifier CLI exit codes

Code	Meaning
0	Verified. Signature matches; receipt is authentic and untampered.
1	Signature mismatch. One or more `fields_signed` have been modified post-issuance.
2	Fingerprint inconsistency. The receipt's fingerprint does not match its declared canonical form.
3	Schema validation failed. Receipt is missing a required field or has a malformed type.
4	Unsupported DSR version. The receipt is signed under a MAJOR version this CLI does not support.
5	Signing key not found. The signing key referenced by the receipt is not in the local trust store.

Appendix C · Error type taxonomy (canonical names)

→KeyError — Field-access failure; primary signal for W1 schema overlap.
→TypeError — Type mismatch; strong signal for W4 error type match.
→SchemaValidationError — Explicit schema validator failure; strongest W4 signal.
→NullPointerException — Null dereference; W4-eligible.
→UndefinedReferenceError — Symbol not found in scope; W4-eligible.
→SerializationError — Encode/decode failure across schema boundary; W1 + W4 eligible.

The full taxonomy is versioned with the DSR specification. New error types added in MINOR versions are backward-compatible.