What Shipshape proof packs prove — and what they do not
A proof pack is a dated attestation of checks run under a policy. It is useful for launch decisions, but it is not a security guarantee.
A Shipshape proof pack is designed for honest handoff. It records enough to show what happened without exposing raw secrets, customer data, or private findings publicly.
What it proves
- Which URL was checked and when.
- Which Shipshape policy/profile was used.
- What authorization mode applied: passive, owner-verified, local/CI, or integration assertion.
- The state of each launch invariant: data leak, wallet drain, paid-user state, and agent DB change.
- A redacted report hash and optional HMAC signature.
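A receiving team can check a pack against these fields before acting on it. The snippet below is an added example, not Shipshape's code: the JSON layout, the canonical-JSON signing input, HMAC-SHA256 and the shared key are all assumptions made for the demo, and the sample pack is constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical proof-pack layout built from the fields the page lists.
# Field names, the canonical-JSON signing input and HMAC-SHA256 are
# assumptions for this demo, not Shipshape's documented format.
SAMPLE_PACK = {  # constructed sample, not a real attestation
    "url": "https://app.example.com",
    "checked_at": "2024-05-01T12:00:00+00:00",
    "policy": "launch-default",
    "authorization_mode": "owner-verified",
    "invariants": {
        "data_leak": "pass",
        "wallet_drain": "pass",
        "paid_user_state": "pass",
        "agent_db_change": "pass",
    },
    # Hash of the redacted report; the report itself is not in the pack.
    "report_hash": hashlib.sha256(b"<redacted report bytes>").hexdigest(),
}

def canonical(pack: dict) -> bytes:
    """Serialize deterministically so signer and verifier MAC identical bytes."""
    return json.dumps(pack, sort_keys=True, separators=(",", ":")).encode()

def sign_pack(pack: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical pack, hex encoded (assumed scheme)."""
    return hmac.new(key, canonical(pack), hashlib.sha256).hexdigest()

def verify_pack(pack, signature, key, expected_policy, now_iso=None, max_age_days=30):
    """Return a list of problems; an empty list means the pack is acceptable."""
    problems = []
    # Constant-time compare; on mismatch nothing else in the pack can be trusted.
    if not hmac.compare_digest(sign_pack(pack, key), signature):
        return ["signature mismatch"]
    if pack.get("policy") != expected_policy:
        problems.append(f"unexpected policy {pack.get('policy')!r}")
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    checked = datetime.fromisoformat(pack["checked_at"])
    if now - checked > timedelta(days=max_age_days):
        problems.append("attestation is stale")  # dated attestation, not ongoing cover
    failing = [name for name, state in pack["invariants"].items() if state != "pass"]
    if failing:
        problems.append("failing invariants: " + ", ".join(failing))
    return problems
```

Passing the verifier only says the pack is intact, recent and under the expected policy; it still carries none of the guarantees the next section rules out.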
What it does not prove
It does not prove the app is secure, compliant, insured, or free of vulnerabilities. It does not replace a penetration test. It does not cover login-only flows, private code, business logic, or future regressions unless monitoring or re-checks are configured.
FAQ
Is a proof pack a certification?
No. It is an attestation that specific checks ran at a point in time under a specific policy.
Why is the proof pack redacted?
So it can be shared with clients or teammates without exposing raw secrets, private table evidence, or customer data.