Static Claim Gap Report

A green check is not a trust decision.

A signature can prove bytes were not changed. A test can prove one check passed. A log can prove one event happened. None of that tells you how far the claim is allowed to travel.

Integrity is about bytes. Was the packet changed after signing?
Trust is about policy. Is the signer and evidence source acceptable here?
Reliance is about context. Can this evidence carry this claim for this decision?

Claim Gap Report

Assay catches the moment evidence gets stretched into a promise.

BELOW PROOF FLOOR

Original Claim

"This AI PR gate approved the change."

Claim Source: Synthetic demo claim
Claimant: Anonymized example
Approval Status: Not claimant-approved

Verdict

CLAIM EXCEEDS EVIDENCE

The packet is intact and the declared check result is supported, but the evidence does not meet the proof floor for customer-facing assurance.

Evidence Provided: Signed packet for commit abc123
Decision Profile: Example Buyer Security Review Profile
Report Status: Demo specimen, not claimant-approved

What The Evidence Supports

  • The packet is intact.
  • The declared check result applies to commit abc123.
  • The claim text was not modified after signing.
  • The stated policy version was attached to the packet.

What It Does Not Support

  • Code is safe.
  • Production approval occurred.
  • Legal or compliance approval was granted.
  • Signer authority was independently established.
  • Replay confirmed the result.

Claim Gap

The original claim is broader than the evidence. The evidence supports an intact declared check result, not customer-security reliance.

Proof Floor

Policy Owner: Example Buyer Security Review Profile
Required Proof Floor: T1_REPO_COMMITTED_SIGNER
Observed Proof Floor: T0_SELF_SIGNED
Result: BELOW_PROOF_FLOOR

Assay-Suggested Defensible Claim, Not Claimant-Approved

"This packet is intact and supports the declared check result for commit abc123. Signer authority and replay were not independently evaluated."

Claimant-approved: no. A claimant can accept this narrower claim, dispute it, or provide stronger evidence.

Gaps Blocking The Broader Claim

  • SIGNER_GAP: CI-held signer or repo-committed key not established.
  • REPLAY_GAP: Independent replay evidence is absent.
  • SCOPE_GAP: PR gate result is being stretched into code safety.
  • AUTHORITY_GAP: Production approval authority is not shown.

Challenge

  • Provide CI-held signer evidence.
  • Commit the public key under branch protection.
  • Attach a replay transcript for the declared check.
  • Add an external anchor or transparency-log bundle.

Claim-specific: No global project rating.
Evidence-specific: No trust without receipts.
Profile-specific: The decision context sets the floor.
Time-bound: Artifacts can become stale.
Challengeable: Every gap has a repair path.

This report does not decide whether the original claim is true. It shows what the available evidence can carry, what it cannot carry, and what evidence would close the gap. That is the difference between a green check and a trust decision.

Renderer invariant: Public reports must not display a named real-world claimant beside CLAIM EXCEEDS EVIDENCE unless the claim wording is claimant-approved, signed, or the report is private/internal.
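
The integrity, trust and reliance layers described at the top of this report can be evaluated as three separate checks. The sketch below is an added example, not Assay's code: HMAC-SHA256 stands in for a real signature scheme, the T0 < T1 ordering is assumed from the tier prefixes, and the packet fields, scope names, profiles and the verdict labels other than CLAIM_EXCEEDS_EVIDENCE are hypothetical. AUTHORITY_GAP is not modelled.

```python
import hashlib, hmac, json

# Tier names come from the report; the ordering T0 < T1 is assumed from the prefixes.
FLOOR_RANK = {"T0_SELF_SIGNED": 0, "T1_REPO_COMMITTED_SIGNER": 1}

def sign(key: bytes, packet: dict) -> str:
    # HMAC-SHA256 over canonical JSON: a standard-library stand-in for a real signature.
    body = json.dumps(packet, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def evaluate(packet, tag, key, observed_floor, claim_scope, profile):
    """Return (verdict, gaps) for one claim under one decision profile."""
    # Integrity: were the bytes changed after signing?
    if not hmac.compare_digest(sign(key, packet), tag):
        return "INTEGRITY_FAILED", []
    gaps = []
    # Trust: is the signer tier acceptable under this profile?
    if FLOOR_RANK[observed_floor] < FLOOR_RANK[profile["required_floor"]]:
        gaps.append("SIGNER_GAP")
    if profile["require_replay"] and not packet.get("replay_transcript"):
        gaps.append("REPLAY_GAP")
    # Reliance: does the claim stay inside what the evidence covers?
    if claim_scope not in packet["supported_scopes"]:
        gaps.append("SCOPE_GAP")
    return ("CLAIM_EXCEEDS_EVIDENCE" if gaps else "CLAIM_WITHIN_EVIDENCE"), gaps

# Constructed sample data mirroring the specimen report (all values are made up).
KEY = b"constructed-demo-key"
PACKET = {"commit": "abc123", "check": "ai_pr_gate", "result": "pass",
          "supported_scopes": ["declared_check_result"]}
TAG = sign(KEY, PACKET)
BUYER_PROFILE = {"required_floor": "T1_REPO_COMMITTED_SIGNER", "require_replay": True}
TRIAGE_PROFILE = {"required_floor": "T0_SELF_SIGNED", "require_replay": False}

def demo():
    # Broad claim under the buyer profile: intact packet, but three gaps.
    broad = evaluate(PACKET, TAG, KEY, "T0_SELF_SIGNED", "code_is_safe", BUYER_PROFILE)
    # Same evidence, narrower claim, lower-stakes profile: the floor is met.
    narrow = evaluate(PACKET, TAG, KEY, "T0_SELF_SIGNED",
                      "declared_check_result", TRIAGE_PROFILE)
    # Packet edited after signing: integrity fails before policy is consulted.
    tampered = evaluate({**PACKET, "result": "fail"}, TAG, KEY,
                        "T0_SELF_SIGNED", "declared_check_result", BUYER_PROFILE)
    return broad, narrow, tampered

if __name__ == "__main__":
    for verdict, gaps in demo():
        print(verdict, gaps)
```

The same signed packet yields different verdicts under the two profiles, which is the "profile-specific" property listed above.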