# AI Change Consequence Certificate procurement brief

## Offer

- Product: AI Change Consequence Certificate paid pilot
- Price: $99 founding pilot
- Term: 30 days
- Scope: one GitHub repository and up to ten real pull requests
- Buyer: engineering platform, AppSec, release, compliance, or engineering leadership

## Why buy now

AI-assisted pull requests move faster than human review systems were designed for. The pilot does not promise total engineering throughput. It promises a narrower, testable outcome: reviewers get a certificate before merge that shows affected tests, owner routing, scanner evidence, policy status, blockers, and explicit unknowns.

The buying question is simple: did at least three of ten certified pull requests become faster or safer to review?

## What the buyer receives

- GitHub Actions workflow for the pilot repository.
- Certificate on each pilot pull request.
- Merge passport on each pilot pull request with merge status, failed rules, rollback requirement, and post-merge observation requirement.
- Sample and real pilot artifacts with claim boundaries.
- Reviewer feedback collection for every certified PR.
- Final pilot summary with expand, extend, or stop recommendation.
- Security review summary and uninstall path.
- Data handling addendum with retention, deletion, optional ledger, and subprocessors boundary.
- Self-service pilot path for approval, checkout, installation, measurement, and uninstall.

## Approval evidence accepted

- Completed Stripe Checkout payment for the $99 founding pilot.
- Written approval from a named budget owner that references the paid pilot, price, and repository scope.

## Security and data boundary

- The public sample artifacts contain no customer source code.
- The pilot should run in the customer repository through GitHub Actions.
- Customer secrets stay in the customer CI environment unless the customer configures optional external sinks.
- Durable lead and revenue ledgers should use private operator repositories or signed internal webhooks.
- Lead, objection, approval, and revenue artifacts can be deleted or redacted on written request unless retention is required for accounting, fraud prevention, dispute handling, or legal compliance.
- This brief is not a SOC 2 report, legal contract, compliance attestation, or independent security audit.

## Objections and answers

| Objection | Answer |
| --- | --- |
| We already use AI coding tools. | This does not replace AI coding tools. It makes AI-assisted changes reviewable before merge. |
| We already use Semgrep, OSV, and CODEOWNERS. | The certificate assembles those signals with changed surface, tests, owners, blockers, and unknowns in one review artifact. |
| We do not believe the 1000x claim. | Do not buy on a 1000x total-throughput claim. The public proof is computational fanout evidence; the paid pilot is judged on three faster or safer PR decisions. |
| We are worried about source code exposure. | The pilot runs in GitHub Actions and should not store customer source code by default. The buyer can uninstall the workflow and revoke tokens after the pilot. |
| We cannot commit to a long contract. | The offer is a $99 fixed fee, 30-day founding pilot for one repository, not a long-term contract. |
| What if the workflow cannot be installed? | The order form pauses the pilot and reconciles before expanding scope if no real PR certificate can be produced. |

## Go or no-go rule

Approve the pilot only if the team has meaningful AI-assisted PR volume, a named owner for review risk, and willingness to measure ten real PRs. Continue after the pilot only if the final summary shows at least three faster or safer reviewer decisions, or a clear reason to stop.

## Links

- Pilot scope: `/pilot-scope.json`
- Order form: `/pilot-order-form.json`
- Security review: `/security-review.json`
- Data handling addendum: `/data-processing-addendum.json`
- Self-service pilot path: `/self-service-pilot.json`
- Install guide: `/install-guide.md`
- Install workflow: `/install-workflow.yml`
- Sample certificate: `/sample-certificate.json`

## Claim boundary

This procurement brief helps a buyer evaluate and approve a paid pilot. It is not a contract, invoice, legal advice, compliance attestation, payment receipt, customer revenue evidence, or proof of live production value.
