30-day pilot
A regulated support-to-engineering pilot, with no NPI in the middle
In 30 days, turn user-reported bugs from a regulated app into privacy-safe, reproducible engineering evidence — a scrubbed trace, a replayability score, sanitized diagnostics, a Playwright repro, and ticket/PR drafts — without capturing screens, input values, or page text. Self-hosted and open source, so your reviewers can verify every line.
Who it is for
- Regulated financial-services teams where support escalations to engineering must carry zero NPI.
- Microsoft tenants standardizing on Copilot Studio / Power Platform for agent workflows.
- Risk, compliance, and model-risk reviewers who need evidence they can read, not certificates to trust.
What gets installed
Ingest API
Self-hosted on Railway (or any OCI host) with the financial-services-enterprise scrub profile. You hold the keys; StepStitch holds no system-of-record credentials.
Tracker SDK
@stepstitch/tracker mounted behind a consent gate in the app the support team supports.
MCP connector
Read-only / draft-only tools for Copilot Studio, Claude, or any agent network.
Compliance packet
COMPLIANCE-EVIDENCE.md generated from the live scrub policy, plus the named tests that back each control.
What you get by day 30
- A working report → scrub → score → repro → draft → verified-fix loop on a real support flow.
- A folder of scrubbed traces with per-trace scrub reports proving no NPI was persisted.
- Deterministic Playwright reproductions your engineers can run in CI as regression tests.
- ServiceNow incident + Salesforce case + GitHub issue drafts, created but never auto-sent.
- A confirmed-fixed regression corpus: bugs that went red in CI before the fix and green after.
Mode A — Power Platform native connectors
Copilot Studio calls the read-only export-preview endpoint, gets a flat draft, and maps it onto Microsoft's native ServiceNow/Salesforce connectors as a human-approved step. StepStitch never holds system-of-record credentials.
Mode B — governed direct-write
StepStitch posts the sanitized draft itself — off by default, admin-only, dry-run by default, requires a named human approver + idempotency key, fully audited, and never on the agent surface.
The compliance evidence packet
Hand your reviewer the packet generated from the live scrub policy — it cannot drift from what the server actually enforces. It crosswalks the controls to SEC Reg S-P (2024), the 2026 interagency model-risk guidance, and NIST AI RMF, and names the test that backs each one.
Success criteria
- Zero NPI in any persisted trace, draft, or exported record (provable from the scrub reports).
- Median time from support ticket to a runnable engineering repro measurably reduced.
- Every escalation carries a replayability grade so engineering knows what is reproducible.
- At least one bug taken from report to confirmed_fixed regression evidence.