Every paid report includes an evidence-coverage table. PR Replay replays merged history only, so it can answer the structural axes (what changed, what could break, what policy applied) from the commits themselves; the identity, authority, and approval axes are marked out of scope rather than inferred, because merged history cannot attest to them.
Who acted?
Out of scope. Git author and committer fields stay in your git log; they are self-asserted metadata, and replay does not re-derive or attest identity from them.
What authority existed?
Out of scope. Modes, permits, leases, and policy decisions are recorded by Continuous Review, not reconstructed from merged history.
What context was read?
Partial. The report discloses what the replay consumed: commit range, changed files, graph context, and detector set.
What changed?
In scope. Per-PR files, changed subjects, and structural findings are reported.
What could break?
In scope. Blast radius, callers, tests, vulnerable paths, and detector hits are replayed.
What policy applied?
In scope. The report names the detector policy in force: the default detector policy, or the rule file you provided.
What verified it?
Partial. The replay command, detector versions, and report artifacts are captured, so the replay itself is reproducible; tests are not rerun, so their results are not re-verified.
Who accepted risk?
Out of scope. The approval field stays producer_not_available unless your source system supplies an approval record; replay does not infer acceptance from the merge itself.