Why Déjà · cryptographic evidence custody

No magic. Just math.

Observability detects the fire. Déjà documents the cryptographic chain of custody — and proves exactly how it was extinguished. Deterministic analysis, a eight-signal Causal Confidence Score (W1–W8) summing to 1.00, and an Ed25519-signed receipt in an immutable, append-only, tamper-evident ledger.

No LLM. No probabilistic guessing. No “AI that might be right.”
No postmortem narrative your audit firm has to take on faith — verifiable offline with the open CLI.

DSR/1.0 · lookup_loopDeterministic
Sub-process of the pipeline · runs inside the Deduce stage (Ingest → Deduce → Score → Sign → Close)
#1 · Fingerprint✓ computed
trace_hash = sha256(“errorType‖serviceZone‖normalizedMessage”)
output = fp://a1c3_3e44_b772

#2 · Lookup✓ matched
query = vault.match(fp)
prior = incident_04hcz8 · 142d ago

● Match · verifiedCCS 0.94 · W1–W8
causal_prPR-4611
author@payments-team
gates_passed5 / 5
receiptR1 · signed
lookup time: 0.87sconfidence: HIGH

The structural problem

Most firms reconstruct evidence at audit time.

Most compliance teams reassemble incident evidence weeks after the fact — from Slack threads, Jira exports, and memory. Custody fixes the architecture: the receipt is signed at the moment of attribution, not the moment of audit.

Reconstruction isn’t a process weakness — it’s an architecture. Evidence assembled weeks after the fact, from recollection, can’t be verified by anyone. Custody fixes the architecture: the evidence is signed at the moment of attribution, not the moment of audit.

Evidence reconstruction · current statemanual · weeks per audit
  • ·Audit firm asks for incident-response evidence for Q2. Compliance starts pulling Jira tickets, Slack threads, monitoring snapshots, PagerDuty exports, PDF postmortems.
  • ·Evidence is reassembled two-to-four weeks per audit cycle, four cycles per year, by senior compliance and engineering staff.
  • ·Context lives in engineers’ heads. People leave; context goes with them. Reconstructed evidence reflects best recollection, not signed primary record.
  • ·Auditor receives prose narrative + supporting documents. No way to verify offline. No way to verify the firm didn’t curate the evidence.
Evidence custody · Déjàsigned · at incident time
  • Production incidents produce a cryptographically signed receipt at the moment of attribution — fingerprint, causal change, gate scores, framework scope.
  • Your audit firm runs the open dsr-verifier-cli on their own machine — KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, or any independent firm. No Déjà account required.
  • Audit-ready chain of custody, tamper-evident. Even the failures are on the record — low-confidence attributions, no-matches, failed resolutions, recurrences.
  • Evidence stays valid for decades, durable across regulatory cycles. Verifiable even if Déjà disappears.

Why trust a machine’s claim

A signed “resolved” has to earn its signature.

The skeptic’s real question isn’t “can you sign things” — it’s why does a signed resolution mean anything? Because before an R2 receipt is issued, the fix passes five operational validation gates. If it doesn’t, Déjà signs that instead.

File Gate

Matches only if the fix actually touched relevant files. Rules out superficial code colocation.

file_gate · 0.91

Rate Gate

Regression rate drops after the fix window. Proves the fix actually reduced failure volume.

rate_gate · 0.87

Infra Gate

Rules out infrastructure noise and deploy artifacts. Separates code fixes from environment drift.

infra_gate · 0.95

Feature Flag Gate

Correlates fixes to rollout conditions, so flag toggles don't masquerade as code fixes.

flag_gate · 1.00

Duration Gate

Verifies fix stability over time. A signed receipt is always issued; the duration result is recorded as a gate field within it.

duration_gate · 0.83

This is the part nobody else does: when a gate fails, the failure is signed too. A fix that didn’t hold becomes an R2-F; an incident that comes back becomes an R2-R, chained to its original. Tools that only record successes are marketing. Evidence is whatever happened.

What it’s worth

What the status quo actually costs.

Engineering hours reclaimed

Regulated-firm teams describe audit prep consuming multiple FTE-weeks per cycle — searching Slack for incident context, screenshotting Jira, copying deployment logs into spreadsheets, annotating evidence bundles before the auditor arrives. The cost compounds across SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, and SR 11-7 engagements. With custody, that time returns to product work — evidence accumulates automatically, on every merge.

Qualitative · from Déjà’s conversations with regulated-firm engineering teams

An audit-finding category eliminated

The output of reconstruction is unsigned, unverifiable, and reassembled under deadline pressure — which is why “evidence reconstruction was manual” is its own recurring finding category. Cryptographically verifiable, tamper-evident receipts remove the category by construction: there’s nothing to reconstruct, because the record was signed at the moment of attribution.

Claim by construction · property of signed-at-attribution evidence

Framed honestly: these are attributed, qualitative claims — not measured statistics. The measured numbers (1.6s median attribution, <60s signal-to-receipt) live on How it works, where the pipeline that produces them is explained.

Evidence in. Secrets out.Déjà reads transient webhook diffs and error payloads. It never clones your repository, reads historical files, or accesses runtime data — stable IDs for incidents and fixes, no sensitive payloads, an immutable evidence trail suitable for regulated environments.Full security posture →

What makes this a new category

The architecture that didn’t exist before.

Nothing in the existing stack produces signed, deterministic, offline-verifiable receipts at the moment of incident attribution. GRC platforms map controls. Observability detects symptoms. Manual reconstruction reassembles narratives at audit time. Déjà writes the receipt at the moment of attribution, signs it, appends it to a tamper-evident ledger, and lets your audit firm verify it offline — without us in the loop.

The mechanism, in one line

Deterministic analysis at merge time builds the producer graph; at error time the engine looks up the cause, scores it with the eight-signal CCS (W1–W8), and issues an Ed25519-signed DSR/1.0 receipt — same inputs, same answer, every time. The full walk-through, with the pipeline and a real timeline, lives on How it works →

Eight scoring signals — W1 through W8

Weights from canon.ts CCS_FACTORS — verbatim, summing to 1.00.

W1Field Overlap0.30
W2Temporal Proximity0.17
W3Blast Radius0.13
W4Error Type Match0.13
W5Author History0.08
W6Zone Boundary0.07
W7Producer Distance0.07
W8Historical Schema Stability0.05

Zero-trust principle · the category definition

Receipts are independently verifiable. No implicit trust is required between Déjà, the customer, or the audit firm. The signature is the contract; the verifier is the proof; the append-only ledger is the chain. If Déjà were compromised or shut down, your receipts continue to verify — the logic runs in your audit firm’s own copy of dsr-verifier-cli, offline. This is the property that defines the category — and the property no other category preserves.

Stop reconstructing evidence at audit time.

Cryptographic incident-evidence custody. Signed at attribution. Verifiable offline by your audit firm. Durable across regulatory cycles.

14-day trial · no card required · trial receipts watermarked