How we prove it's
safe to merge.
Every automated merge rests on a chain of claims that used to be taken on faith. We turned each one into something checked — and closed the gap where a false green slips through.
| change | blast radius | verdict |
|---|---|---|
| lib/greet.txt | 7 targets | SAFE ✓ merged |
| api/handler.rs | 23 targets | building… |
| config.weak_test | cross-pkg | BLOCKED ✕ |
Five links, each one proven.
The graph is queried at the exact commit under test. A stale or failed load fails loud — it can never quietly return “nothing affected” and wave a change through.
provenThe dependency graph matches ground truth, validated against Bazel’s own query. What the loop believes about your code is what’s actually true.
provenThe agent scopes from the graph before it edits — blast radius first. Not a tool it might skip; a step it always takes.
provenThe affected-test set is a proven superset of what the change touches. Missed-affected = 0 is the hard gate — over-scoping only costs CPU.
provenThe guarantee holds across every repo in the fleet — forge, console, plugins — not one blessed sandbox.
provenAssurance you can audit.
Not a promise — an artifact. Each of these is measured, reproducible, and emitted by the platform itself.
The merge gate runs a proven superset of the tests your change can reach — computed from the real build graph, not a directory heuristic. A change can’t go green while breaking a test the naive path would have skipped.
Agents dispatch tools with a typed, Lean-proved witness — not a natural-language guess at the arguments. The proof travels with the call, so there’s no hallucination gap between intent and action.
SOC 2 evidence isn’t collected after the fact. It’s a content-addressed, write-once byproduct of how every change already flows through the control plane — builds, merges, deploys, all attested.