Skip to content

30-day pilot

A regulated support-to-engineering pilot, with no NPI in the middle

In 30 days, turn user-reported bugs from a regulated app into privacy-safe, reproducible engineering evidence — a scrubbed trace, a replayability score, sanitized diagnostics, a Playwright repro, and ticket/PR drafts — without capturing screens, input values, or page text. Self-hosted and open source, so your reviewers can verify every line.

Who it is for

  • Regulated financial-services teams where support escalations to engineering must carry zero NPI.
  • Microsoft tenants standardizing on Copilot Studio / Power Platform for agent workflows.
  • Risk, compliance, and model-risk reviewers who need evidence they can read, not certificates to trust.

What gets installed

Ingest API

Self-hosted on Railway (or any OCI host) with the financial-services-enterprise scrub profile. You hold the keys; StepStitch holds no system-of-record credentials.

Tracker SDK

@stepstitch/tracker mounted behind a consent gate in the app the support team supports.

MCP connector

Read-only / draft-only tools for Copilot Studio, Claude, or any agent network.

Compliance packet

COMPLIANCE-EVIDENCE.md generated from the live scrub policy, plus the named tests that back each control.

What you get by day 30

  • A working report → scrub → score → repro → draft → verified-fix loop on a real support flow.
  • A folder of scrubbed traces with per-trace scrub reports proving no NPI was persisted.
  • Deterministic Playwright reproductions your engineers can run in CI as regression tests.
  • ServiceNow incident + Salesforce case + GitHub issue drafts, created but never auto-sent.
  • A confirmed-fixed regression corpus: bugs that went red in CI before the fix and green after.

Mode A — Power Platform native connectors

default for Microsoft tenants

Copilot Studio calls the read-only export-preview endpoint, gets a flat draft, and maps it onto Microsoft's native ServiceNow/Salesforce connectors as a human-approved step. StepStitch never holds system-of-record credentials.

Mode B — governed direct-write

for paths not on Power Platform

StepStitch posts the sanitized draft itself — off by default, admin-only, dry-run by default, requires a named human approver + idempotency key, fully audited, and never on the agent surface.

The compliance evidence packet

Hand your reviewer the packet generated from the live scrub policy — it cannot drift from what the server actually enforces. It crosswalks the controls to SEC Reg S-P (2024), the 2026 interagency model-risk guidance, and NIST AI RMF, and names the test that backs each one.

Success criteria

  • Zero NPI in any persisted trace, draft, or exported record (provable from the scrub reports).
  • Median time from support ticket to a runnable engineering repro measurably reduced.
  • Every escalation carries a replayability grade so engineering knows what is reproducible.
  • At least one bug taken from report to confirmed_fixed regression evidence.