SignedPacks
Controlled change, never silent
Approved improvements become signed, verified, shadow-tested, rollback-safe packs before any controlled use — never a silent or automatic production change.
Step 01
Proposal ready
A reviewed improvement proposal becomes eligible for pack creation — nothing is applied.
Inputs
- Approved improvement proposal
- Evidence references
- Risk review
- Shadow validation plan
- Rollback requirement
- Customer review status
Proof generated
- Proposal-ready receipt
- Source evidence list
- Pack eligibility state
Where it appears in the app
- Improvements
- EvidenceWorks
- Governance
AI Sense support
- Checks for missing evidence
- Flags a missing rollback plan
- Flags an unsupported claim
Safety boundary
- Proposal readiness does not apply a change.
Step 02
Pack built
A deterministic, hashable pack is built from the approved proposal — building is not installing.
Inputs
- Manifest
- Target station scope
- Proposal reference
- Risk review reference
- Shadow validation requirements
- Rollback plan reference
- Customer summary reference
- Artifact hash
Proof generated
- Pack manifest hash
- Artifact receipt
- Build receipt
- Omissions list
Where it appears in the app
- SignedPacks
- Improvement proposals
- Governance
AI Sense support
- Detects manifest gaps
- Flags a mismatched proposal scope
- Lists the omissions
Safety boundary
- Building a pack does not install or activate it.
Step 03
Signature required
An unsigned pack is inspect-only and can never be activated.
Inputs
- Authorized signer
- Pack hash
- Signing policy
- Signer role
- Expiration policy
- Revocation check
Proof generated
- Signature-required receipt
- Signing policy reference
Where it appears in the app
- SignedPacks
- Governance
- Trust
AI Sense support
- Flags a missing signer authority
- Flags an expired signing policy
- Flags an unsigned pack
Safety boundary
- An unsigned pack cannot be activated.
Step 04
Signed
The signing receipt records the public-key fingerprint and never the private key.
Inputs
- Signature receipt
- Signer reference
- Public-key fingerprint
- Signed pack hash
- Timestamp
Proof generated
- Signature receipt
- Signer reference
- Public-key fingerprint
- Signed pack hash
- Timestamp
Where it appears in the app
- SignedPacks
- Governance
- Trust
AI Sense support
- Checks a signer-role mismatch
- Flags an expired key
- Flags a missing receipt chain
Safety boundary
- Signing records authorization; it does not command hardware.
Step 05
Verified
The pack is cryptographically verified before any controlled use — verification is not activation.
Inputs
- Signature validity
- Pack hash match
- Signer-not-revoked check
- Artifact-not-tampered check
- Policy version
- Scope-matches-proposal check
Proof generated
- Verification receipt
- Policy check result
- Hash-chain status
Where it appears in the app
- SignedPacks
- Trust
- Ops metrics
AI Sense support
- Flags a verification failure
- Flags a scope mismatch
- Flags a revoked signer
Safety boundary
- Verification does not mean production-active.
Step 06
Shadow gate passed
A behaviour-changing pack must pass shadow validation before any controlled use.
Inputs
- Known-good sample result
- Known-bad sample result
- False-reject impact
- Escape impact
- Coverage regression
- Drift stability
- Sample-size minimum
Proof generated
- Shadow validation receipt
- Sample summary
- Known-bad coverage result
- Risk outcome
Where it appears in the app
- Improvement validation
- SignedPacks
- EvidenceWorks
AI Sense support
- Flags insufficient samples
- Flags missing known-bad coverage
- Flags a drift regression
Safety boundary
- A shadow pass does not activate production behaviour.
Step 07
Installed inactive
A verified pack may be installed inactive for inspection and staging — it changes nothing live.
Inputs
- Verified pack
- Station scope
- Artifact-present check
- Last verification
Proof generated
- Inactive installation receipt
- Station scope receipt
- Artifact-present receipt
Where it appears in the app
- SignedPacks
- Stations
- Ops metrics
AI Sense support
- Flags inactive-pack drift
- Flags a station mismatch
- Flags stale verification
Safety boundary
- Installed inactive does not change live routing, model behaviour, or PLC behaviour.
Step 08
Activation requested
Activation is a controlled request routed to human approval — never self-approval.
Inputs
- Verified signature
- Shadow gate pass
- Rollback plan
- Station eligibility
- Recovery-lock state
- Unresolved safety blockers
- Required approvals
- Effective window
Proof generated
- Activation request receipt
- Blocker list
- Approval requirements
Where it appears in the app
- SignedPacks
- Governance
- Commissioning
- Ops metrics
AI Sense support
- Explains the blockers
- Flags missing approvals
- Flags unsafe timing
Safety boundary
- An activation request does not apply the pack.
Step 09
Rollback ready
A signed rollback path must exist before any controlled use.
Inputs
- Previous pack reference
- Rollback trigger
- Rollback owner
- Rollback evidence requirement
- Customer communication plan
- Deadline
- Receipt chain
Proof generated
- Rollback readiness receipt
- Previous version hash
- Rollback path verification
Where it appears in the app
- SignedPacks
- Improvements
- Trust
AI Sense support
- Flags a missing rollback owner
- Flags a stale rollback reference
- Flags missing evidence
Safety boundary
- Rollback readiness does not change the station.
Step 10
Customer summary generated
A customer-safe impact summary is generated for review — the summary does not approve itself.
Inputs
- What changed
- Why it was proposed
- Evidence references
- Shadow validation result
- Risk review
- Rollback plan
- Known limitations
- Omissions list
- Approval status
Proof generated
- Customer-safe packet
- Known-limitations list
- Omissions list
- Review handoff receipt
Where it appears in the app
- SignedPacks
- SignalOps
- Trust
- Customer packets
AI Sense support
- Removes unsupported claims
- Highlights missing proof
- Prepares a customer-safe summary
Safety boundary
- The customer summary informs review; it does not approve itself.
AI Sense watches for gaps, never approves
AI Sense
One reading layer across every SignedPacks step
Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.
Reads
- Evidence bundles
- Review events
- QA decisions
- Vision Twin drift
- Commissioning blockers
- Governance decisions
- Station registry
- Ops metrics
Produces
- Findings
- Evidence-gap warnings
- Work-package hints
- Commissioning questions
- Support summaries
Never
- No PLC writes
- No force PASS
- No recovery clear
- No robot commands
- No camera/light commands
- No production approval
- No evidence mutation
- No QA decision mutation
AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.
Customer-safe summary
Proof by reference, never raw data
The redacted summary carries a plain-English account of the change, references, the shadow result, risk, the rollback plan, and an explicit omissions list — so a customer can review it without ever seeing raw internals.
- what_changed
- plain-English summary of the change
- why_proposed
- the reviewed reason, by evidence reference
- evidence_refs
- capsule + receipt references only
- shadow_result
- sample summary + known-bad coverage outcome
- risk_review
- risk class + reviewer requirements
- rollback_plan
- owner, trigger, deadline (references only)
- known_limitations
- what the pack does not claim
- approval_status
- signed / verified / activation-requested state
- omissions
- explicit list of what was withheld
The summary never contains raw PLC coils or registers, private keys or signing secrets, authority tokens, local file paths, raw internal command payloads, operator personal identity.
Signed-in teams run this operationally in the HoldField app, under SignedPacks — where a pack is built, signed, verified, shadow-tested, installed inactive, and activation is requested for human approval, and where every action records authorization but never commands hardware, applies the pack, or approves itself. Open the workspace →