How AuditSpine audits AuditSpine.
AuditSpine seals what happened, who did it, and the rule that governed it — at the moment it happened, in a form anyone can independently verify later. CircleSpine is the loop that observes it doing so. We’re our own first customer; what works here is what we offer.
1. AuditSpine, in one sentence.
AuditSpine is trust infrastructure: a sealed record of the data, the action taken on it, and the rule in force — bound together cryptographically so the record can’t be silently re-written, and the verification doesn’t depend on us being around to vouch for it.
Built on five-level assurance and the SAO · COS · VAL seal protocol (ADR-0018), with config-source provenance gates that make every external input traceable to its source.
2. CircleSpine, in one sentence.
CircleSpine is the always-on continuous-audit circle that observes a delivery circle (sessions, builds, deploys, decisions) and seals what it sees — in flight, not retroactively. Two interlocking circles, one substrate.
3. The four workstreams (our Customer-Zero engagement orbit).
Open the portal and you’ll see four workstreams — this is AuditSpine proposing how AuditSpine helps AuditSpine. They run in parallel, each one a sealed circle of its own:
- Sealed Software Delivery — every commit, build, test, and deploy carries provenance and version evidence.
- AI-Agent Execution Assurance — agent policy, model version, decision conformance, human-oversight coverage, all sealed.
- Historical Self-Audit — sealed daily activity per agent and sealed PI/sprint history, derivable end-to-end from the chain.
- Internal JOA Self-Audit — sealed role assignments, decision authority, and lane attribution — with no agent able to post as another.
4. The lens system — same chain, every audience.
One sealed chain serves every stakeholder. Each lens-holder sees what their policy authorizes them to see, verify, and reseal:
| Lens | Sees |
|---|---|
| Customer | their own deliverables and seal chain |
| Prospect | representative examples (no actuals) |
| Finance / funder | burn, value delivered, capitalization |
| Compliance | governing rule in force, policy conformance |
| Executive | velocity, risk, decisions under what authority |
| Insurance carrier | underwriting evidence — what, by whom, under what rule, when |
| License / enforcement | attribution and consent — who built what, under what terms |
Every lens-holder is both consumer and witness. Click a cryptographic key, unseal the packet, verify, reseal — your signature becomes part of the chain.
5. Why this becomes infrastructure.
Two things are happening in the world at once. Software is increasingly written and operated by autonomous agents, and the systems that depend on it — finance, insurance, regulation, journalism — can no longer trust their own trail. AuditSpine and CircleSpine are designed for that future: sealed, independently verifiable, and portable to an air-gapped network if you need to take them offline.
- For funders: a sealed record of capital deployed against value delivered, in a form your LPs and auditors can re-verify without re-trusting you.
- For insurers: underwriting evidence on AI-agent execution — what the agent did, by whom, under which model version, against which rule.
- For regulators: governing-rule-in-force sealed alongside the action, not reconstructed after the fact.
- For everyone: the URL is the capability, the seal is the proof, and the chain is the receipt.
6. What you’re looking at, right now.
This portal — app.auditspine.com — is the demonstration. Sealed at every layer (Firebase Identity Platform, sealed config, sealed delivery), gated by a deny-by-default policy, and served under explicit transport security. The four workstreams you’ll see in the portal aren’t mockups — they’re the engagement orbit AuditSpine commits to perform for AuditSpine, derived directly from the engagement contract on file.