
Reproduce Sentry crashes as failing pytest tests — sandbox execution, verified evidence

Project description

logomesh

The repro layer for backend code.

When your service crashes in production, logomesh reproduces the failure deterministically in an isolated sandbox, writes a failing test against your current branch, and opens a draft PR. Zero LLM in the test bytes. Silence when we can't verify.

Python today. Node, Java, Go, C# shipping through 2027.


How it works

  1. Sentry fires. You point a Sentry webhook at us.
  2. We fetch the frame. Innermost in-app frame, locals, breadcrumbs, trace id.
  3. We synthesize the test. Deterministic Python — no LLM touches the test bytes.
  4. We run it in Docker. Airgapped, nobody user, read-only rootfs, 128 MB cap, no network.
  5. We verify. Sandbox must raise the same exception type Sentry captured. If it doesn't, we refuse to ship evidence.
  6. We open a PR. Failing test attached. Optional: sealed audit artifact with SHA-256 stamp and control mapping.

Everything outside the test bytes — which tool to call, when to give up, how to recover from a source-not-found — is handled by a LangGraph agent layer. The agent is advisory; the sealed evidence path is contract-enforced.

Sentry webhook  →  Agent (LangGraph, 10 tools)  →  Deterministic synth  →  Docker sandbox
                                ↓                                              ↓
                    Advisory reasoning (audited)              Sealed test + verdict artifact
                                                              → draft PR + Sentry comment + optional Slack

Why it's different

Every other "AI for bugs" tool hands you LLM-generated output and hopes it's right. Good for velocity, useless for an auditor.

logomesh's contract:

  • Sealed evidence path. evidence_path_seal.llm_in_evidence_path: false. The pytest in the artifact is a pure function of (frame, source, sandbox_image).
  • Verified exception match. The sandbox must raise the exact exception type Sentry captured. Anything else refuses to ship as evidence.
  • Silence on mismatch. When the agent can't reproduce at fidelity, we flag for human review. We never claim a verdict the seal doesn't support.
  • No opaque test bytes. Every byte in the artifact traces to a deterministic source.

You get the repro, the PR, the proof — or an honest "we can't reproduce this cleanly" with a structured reason.
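An added illustration (not logomesh's own code) of steps 3 to 5 above and the sealed-evidence contract: a synthesizer that is a pure function of the captured frame, an in-process stand-in for the Docker run, and a seal that refuses to ship on an exception-type mismatch. The frame, the fake billing.invoice module and the image digest are constructed placeholders; the real product executes the test in an isolated container, not with exec().

```python
import hashlib
import sys
import types

# Constructed stand-in for the innermost in-app frame Sentry captured (not real data).
FRAME = {
    "module": "billing.invoice",
    "function": "apply_discount",
    "locals": {"subtotal": "19.99", "discount_pct": None},
    "exception_type": "TypeError",
}

def synthesize_test(frame):
    """Pure function of the frame: same frame in, identical test bytes out. No LLM."""
    args = ", ".join(f"{k}={v!r}" for k, v in sorted(frame["locals"].items()))
    return (
        f"from {frame['module']} import {frame['function']}\n\n"
        f"def test_repro_{frame['function']}():\n"
        f"    # Fails with {frame['exception_type']} until the bug is fixed.\n"
        f"    {frame['function']}({args})\n"
    )

def run_in_sandbox(test_src):
    """Stand-in for the Docker step: run the test and report the exception type raised."""
    ns = {}
    exec(test_src, ns)  # the real runner executes this inside an isolated container
    test_fn = next(v for k, v in ns.items() if k.startswith("test_"))
    try:
        test_fn()
    except Exception as exc:
        return type(exc).__name__
    return None

def seal(frame, test_src, observed, image_digest):
    """Evidence ships only on an exact exception-type match; otherwise a structured refusal."""
    if observed != frame["exception_type"]:
        return {"verdict": "refused", "reason": "exception_type_mismatch",
                "expected": frame["exception_type"], "observed": observed}
    return {"verdict": "reproduced",
            "test_sha256": hashlib.sha256(test_src.encode()).hexdigest(),
            "sandbox_image": image_digest,
            "llm_in_evidence_path": False}

# Constructed fake service module so the example runs offline.
def _apply_discount(subtotal, discount_pct):
    return float(subtotal) * (1 - discount_pct / 100)  # TypeError when discount_pct is None
_pkg, _mod = types.ModuleType("billing"), types.ModuleType("billing.invoice")
_mod.apply_discount, _pkg.invoice = _apply_discount, _mod
sys.modules.update({"billing": _pkg, "billing.invoice": _mod})
```

Calling `seal(FRAME, src, run_in_sandbox(src), "sha256:placeholder")` with `src = synthesize_test(FRAME)` yields a "reproduced" verdict; passing any other observed type yields the refusal record instead.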


Pricing

Three tiers. Published. No "contact us" unless you're Enterprise.

Starter — $9,000/yr

For engineering teams that want repro + draft PRs for every Sentry crash.

  • 1 Sentry project, 1 GitHub repo
  • Unlimited events (fair-use cap 50/day)
  • Repro artifact + draft PR
  • Community support
  • Self-serve signup

Core — $27,000/yr

For teams that want sealed artifacts and compliance-ready output.

  • 3 Sentry projects, 3 GitHub repos
  • Sealed artifact (SHA-256 stamped, deterministic, refusal-on-mismatch)
  • Slack + Sentry + GitHub comment integrations
  • Priority support (4-hour SLA)
  • Drata / Vanta integration (read-only evidence push)

Compliance Pro — $54,000/yr

For teams in active SOC2 Type 2 or PCI DSS 4.0 cycles.

  • Everything in Core
  • SOC2 CC7.3 + CC7.4 and PCI DSS 12.10.5 control mapping on every artifact
  • QSA letter-of-alignment for your named auditor
  • Custom control narrative per organization
  • Dedicated customer-success contact
  • Annual audit-cycle support

Enterprise — custom

VPC deploy, SSO, HIPAA BAA, custom SLAs, multi-region. Talk to us.


What it reproduces well

Input-validation bugs. NoneType mismatches. Decimal precision errors. Off-by-one. Type-coercion bugs. Ordering / idempotency issues. Anything where the inputs that crashed the call are captured in the Sentry frame.

What it doesn't

  • Race conditions (frame locals don't capture thread interleaving)
  • Distributed-transaction failures spanning services
  • Bugs that depend on specific DB row state or Redis content
  • External-API behavior (sandbox auto-mocks Stripe/Redis/etc. for isolation)
  • Timezone/DST (sandbox runs TZ=UTC)

When we can't reproduce, we say so. The refusal is logged in the audit trail with a structured reason. We publish hit rate by category; we don't guess.


Roadmap — languages

Language            Status    Notes
Python              GA        FastAPI, Django, Flask, SQLAlchemy, Celery, Stripe
Node / TypeScript   Q2 2026   Jest + Vitest; source-map-aware
Java                Q3 2026   JUnit 5 + Spring Boot + Maven/Gradle
Go                  Q4 2026   Requires optional capture SDK for full locals
C# / .NET           Q1 2027   xUnit + .NET 8 + ASP.NET Core

The agent layer is language-agnostic. Each language port is the synthesizer + sandbox image + AST parser — roughly 3-6 weeks per language.


Quick start (self-serve, Starter)

# 1. Sign up at logomesh.dev/start  →  get an installation_id and client_secret
# 2. Add the webhook in Sentry:
#    Settings → Custom Integrations → New → Webhook URL:
#    https://api.logomesh.dev/webhooks/sentry/{installation_id}
#    Client Secret: {client_secret from signup}
# 3. Paste your GitHub PAT (repo scope) and target repo in the dashboard.
# 4. Trigger a test event. Watch the verdict land as a comment.

Quick start (self-host, advanced)

uv sync
docker build -t logomesh-startup-sandbox:latest -f Dockerfile.sandbox .
cp .env.example .env  # fill in keys
LOGOMESH_ENV=production uv run uvicorn src.server.app:app --port 8080

See docs/pipeline.md for the full walkthrough.


Under the hood

  • logomesh_orchestrator.py — LangGraph supervisor + 10 typed tools (fetch / repro / critic / context / web / rag / artifact / PR / env / hypothesis)
  • src/oracles/sentry_replay_v2.py — deterministic frame-locals → pytest synthesizer (no LLM)
  • src/business_logic/sandbox/ — Docker runner, hardened, production-only (no subprocess fallback)
  • src/core/installation_secrets.py — AES-256-GCM per-installation secret store
  • src/core/pii_redactor.py — PAN (Luhn-validated), SSN, email, JWT, API keys, field-name scrubbing — runs before any LLM call and before any byte lands in the artifact
  • src/core/usage_tracker.py — per-run token budget + cost cap + Supabase usage logging
  • src/server/ — FastAPI app, multi-tenant webhook routing, output-channel posters

Privacy & security

  • No code training. LLM calls go to your configured provider under their zero-retention API terms.
  • PII redaction at source. Runs before any LLM call and before any byte is stamped. See src/core/pii_redactor.py.
  • Sandbox isolation. Airgapped Docker, nobody user, read-only rootfs, no network, 128 MB cap. Production refuses to boot without Docker — no subprocess fallback.
  • Per-installation encrypted secrets. AES-256-GCM, migration-ready for Supabase Vault.
  • Sub-processors (public): OpenAI, Anthropic, Tavily, Sentry, GitHub, Supabase, AWS. Listed at logomesh.dev/sub-processors.
  • SOC2 Type 1 targeted Q4 2026. Type 2 targeted Q3 2027. PCI responsibility matrix available on request.
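An added sketch (not the project's src/core/pii_redactor.py, which is referenced in "Under the hood" and in the PII-redaction bullet above) of the redaction classes those passages name: Luhn-validated PANs, SSNs, emails, JWTs, API keys and field-name scrubbing, applied to a frame's locals before anything reaches an LLM or the artifact. The patterns, the sensitive-field list and the sample locals are constructed for illustration.

```python
import re

# Illustrative patterns for the value classes the page lists (constructed, not the project's).
_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "JWT": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),
    "API_KEY": re.compile(r"\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{8,}\b"),
}
_PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
_SENSITIVE_FIELDS = {"password", "card_number", "ssn", "authorization", "secret", "token"}

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if the result > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_text(value):
    """Scrub PANs (Luhn-validated), then the regex classes, inside one string value."""
    def _pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "[PAN]" if luhn_ok(digits) else m.group(0)  # non-Luhn runs (order ids) stay
    value = _PAN_CANDIDATE.sub(_pan, value)
    for label, pat in _PATTERNS.items():
        value = pat.sub(f"[{label}]", value)
    return value

def redact_locals(frame_locals):
    out = {}
    for name, value in frame_locals.items():
        if name.lower() in _SENSITIVE_FIELDS:   # scrub by field name, whatever the value
            out[name] = "[REDACTED:field]"
        elif isinstance(value, str):            # scrub by content
            out[name] = redact_text(value)
        else:
            out[name] = value
    return out

# Constructed sample locals, not taken from any real Sentry event.
SAMPLE_LOCALS = {
    "card_number": "4111111111111111",
    "note": "customer jane@example.com paid with 4111 1111 1111 1111, order 1234567890123",
    "auth_header": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.abc_def-123",
    "amount": 42,
}
```

`redact_locals(SAMPLE_LOCALS)` scrubs the card field by name, the spaced PAN and email in `note` by content, and the bearer JWT, while leaving the non-Luhn order id and the integer untouched.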

Compliance

On Compliance Pro, every artifact carries:

  • Control mapping: SOC2-CC7.3, SOC2-CC7.4, PCI-DSS-4.0-12.10.5
  • Deterministic test hash (SHA-256)
  • Sandbox image digest
  • llm_in_evidence_path: false attestation
  • Evidence chain narrative auto-generated from the incident

We do not claim PCI DSS 6.3.2 (pre-release code review). logomesh fires post-incident; that's a different control.


Status

Pilot, taking design partners. First 5 customers get 20% off year 1 + named-design-partner status. Email founders@logomesh.dev or book a demo at logomesh.dev/demo.

License

Proprietary. Source available for design-partner due diligence.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source distribution: logomesh-0.1.0.tar.gz (531.4 kB)

  • Tags: Source
  • Uploaded via: twine/6.2.0 CPython/3.12.8
  • Uploaded using Trusted Publishing? No
  • SHA256: 0547c6afbc9190d344edcc7e155b7de1184e6e1eecb7862062b0d3ceebf3daf5
  • MD5: ca9bd46b48753147c57427bd76ef3df2
  • BLAKE2b-256: 5faeb552680d5afd66f6363f6fa3d474408a96851de689d340f35ae448064188

Built distribution: logomesh-0.1.0-py3-none-any.whl (157.6 kB)

  • Tags: Python 3
  • Uploaded via: twine/6.2.0 CPython/3.12.8
  • Uploaded using Trusted Publishing? No
  • SHA256: 4d4d82940b496e4d7628a8c78f093b36fa1375a1381ef5314bfbe9f11cd3f6e3
  • MD5: 113fef0a7fd70195ea7715a57ac6413b
  • BLAKE2b-256: 5377806b5c794bfe41216b21b96b68188643a3ced9be160f693de2919be4bb50
