Public demo runbook

Run the demo, follow the evidence, and stop before the claim gets bigger.

This is an operator checklist for the public demo. It helps a reader run checked-in samples, inspect public-safe summaries, trace one row through proof paths, and decide what can be shared.

Public claim level: demo. Shared site principle: No public conclusion without evidence. The runbook is a checklist over existing public demo proof surfaces, not a product capability page, production diagnostic, release procedure, runtime verification guide, or scanner implementation guide.

Operator checklist

Use this sequence before sharing a public demo result.

1. Prepare a clean public checkout

Start from the public repository and choose an ignored or temporary output directory. Keep the output location neutral in notes and examples.

Output placeholder: <ignored-output-dir>.

2. Run the checked-in workflow

Run the public demo script that is checked into the repository. Do not modify the script to create a stronger public claim.

Script: scripts/demo-public.sh.

3. Inspect public-safe summaries first

Open the generated public-safe summary before opening local-only scan artifacts. The summary is a presentation layer over deterministic evidence, not a replacement for evidence rows.

Compare with: current demo result.

4. Review row status

Compare generated rows against the result guide and upgraded-row ledger before repeating any status claim.

Check: result guide and proof upgrades.

5. Follow the evidence

Pick at least one row and follow it through the evidence trail and proof path index before saying why it is evidence-backed or gap-labeled.

Trace: evidence trail and proof paths.

6. Validate and limit the share

Read the validation and limitations pages before sending output outside the local review context.

Gate: validation and limitations.

Run

The command is reproducible, but the claim still needs review.

The command source is the checked-in public demo script. The output directory is deliberately shown as a placeholder so the runbook does not publish workstation details.

# From a clean public checkout.
./scripts/demo-public.sh <ignored-output-dir>

Publish stop condition

Stop instead of repeating an unsupported claim.

Artifact boundary

Share summaries only after the public-safety checks pass.

demo-summary.md: Shareable only when produced from checked-in public demo samples and reviewed after sentinel/private-text checks pass.
demo-summary.json: Shareable as public-safe row metadata when it keeps rule IDs, evidence tiers, coverage labels, reasons, and limitations visible.
report-family Markdown/JSON summaries: Shareable only when generated from public demo samples and reviewed as public-safe summaries.
scan-manifest.json: Local-only raw scan identity and coverage context unless a future sanitized sample explicitly checks in safe output.
facts.ndjson: Local-only raw fact stream. Public copy can summarize rows, not publish raw facts.
index.sqlite: Local-only queryable index. Combined SQLite files stay local-only.
report.md: Local-only when generated from private or unchecked inputs; reviewed public-safe reports are the shareable layer.
logs/analyzer.log: Local-only diagnostic output for extraction and coverage troubleshooting.
raw source snippets: Local-only. Share file paths, line spans, snippet hashes, rule IDs, and limitations when a public-safe artifact exposes them.
raw SQL, config values, secrets: Local-only categories. Do not publish values, credentials, environment details, or database text.
local absolute paths, raw repository remotes: Local-only categories. Do not put machine locations or raw remote values in public copy.
generated scan directories, private sample names: Local-only categories unless a public-safe sample name is checked in and cited by the public demo route.

Evidence checklist

Every shareable conclusion stays attached to deterministic evidence.

Rule IDs: Verify the row cites a rule ID such as public.demo.summary.v1 before summarizing it.
Evidence tiers: Verify the tier, such as Tier1Semantic, Tier2Structural, Tier3SyntaxOrTextual, or Tier4Unknown.
Coverage labels: Transcribe labels case-sensitively from the cited artifact, including examples such as full, partial, reduced, unknown, PartialAnalysis, not_requested, or unavailable only when present.
Gaps: Keep gap-labeled rows visible. Do not turn reduced, unknown, unavailable, or partial coverage into clean wording.
Proof paths: Link the claim back to proof paths or the relevant public demo route.
Source context: Use checked-in public sample sources and public-safe summaries for shareable demo conclusions.
Limitations: Keep the documented limitation beside the claim instead of moving it to a footnote.
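
The artifact boundary and evidence checklist above can be pre-checked mechanically before the human review. The following is an added example, not code from the demo repository: it flags summary rows that drop a required field, use a tier name not listed here, word a gap-labeled row as clean, or carry a local path or raw remote. The JSON layout (rows, rule_id, tier, coverage, reason, limitations, status) is an assumption, since the runbook does not show the real demo-summary.json schema.

```python
import json
import re

# Names from the runbook's evidence checklist; compared case-sensitively.
TIERS = {"Tier1Semantic", "Tier2Structural", "Tier3SyntaxOrTextual", "Tier4Unknown"}
GAP_LABELS = {"partial", "reduced", "unknown", "unavailable"}
# Assumed field names; the real demo-summary.json schema is not shown in the runbook.
REQUIRED = ("rule_id", "tier", "coverage", "reason", "limitations")

# Local-only categories from the artifact boundary: machine paths and raw remotes.
LOCAL_ONLY = re.compile(
    r"(?<![\w.])/(?:home|Users|root|tmp|var|mnt)/\S+"  # POSIX absolute paths
    r"|\b[A-Za-z]:\\\S+"                                # Windows absolute paths
    r"|\bgit@[\w.-]+:\S+"                               # SSH-style remotes
    r"|\bhttps?://\S+\.git\b"                           # HTTPS clone URLs
)

def check_row(row):
    """Return the reasons one summary row should not be shared as-is."""
    problems = [f"missing {key}" for key in REQUIRED if not row.get(key)]
    tier = row.get("tier")
    if tier and tier not in TIERS:
        problems.append(f"unrecognized tier {tier!r}")
    # "status" is an assumed field: a gap label must never be presented as clean.
    if row.get("coverage") in GAP_LABELS and row.get("status") == "clean":
        problems.append("gap-labeled row worded as clean")
    for key, value in row.items():
        if isinstance(value, str) and LOCAL_ONLY.search(value):
            problems.append(f"local-only value in {key}")
    return problems

def review(summary_json):
    """Map row index to problems for every row that fails a check."""
    rows = json.loads(summary_json)["rows"]
    return {i: p for i, row in enumerate(rows) if (p := check_row(row))}

# Constructed sample rows, not output of scripts/demo-public.sh.
OK = {"rule_id": "public.demo.summary.v1", "tier": "Tier2Structural", "coverage": "full",
      "reason": "static evidence from checked-in public demo samples",
      "limitations": "public demo coverage only", "status": "evidence-backed"}
SAMPLE = json.dumps({"rows": [
    OK,
    {**OK, "tier": "tier2structural"},
    {**OK, "coverage": "partial", "status": "clean", "limitations": ""},
    {**OK, "reason": "matched in /home/dev/checkout/src/a.py"},
]})

if __name__ == "__main__":
    for index, problems in review(SAMPLE).items():
        print(index, "; ".join(problems))
```

An empty result from review() only means these mechanical checks found nothing; the validation and limitations gate in step 6 still applies.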

Claim-safe sharing

Use wording that keeps the evidence boundary intact.

Safe wording

static evidence from checked-in public demo samples.

rule ID <id>, Tier2Structural, public demo coverage only.

gap-labeled row: partial coverage, no clean reducer conclusion.

Red flags

Avoid runtime behavior, production traffic, endpoint performance, outage cause, release safety, operational safety, AI impact analysis, LLM analysis, and complete product coverage wording.

Avoid impact wording for a demo row unless a deterministic reducer output and cited evidence row support that bounded claim.

Escalation rule

When a claim would require runtime telemetry, production deployment facts, customer traffic, external incident context, or release policy, link to limitations instead of making the claim.

Non-claims

Demo evidence can route review and inspection, not approve work.