Internal QA first
Dogfood Scout before asking anyone else to trust it.
Outbound validation is paused until install, report clarity, website story, and manual repo runs feel credible.
Success signal
“I would send this report without explaining it live.”
The current milestone is internal trust, not external outreach.
Protocol
Keep the QA loop concrete.
1. Install like a user
curl -fsSL https://orisan.org/install | sh
2. Run local repos
orisan scout
orisan scout --repo /path/to/repo
3. Inspect artifacts
Read terminal output, Markdown, and JSON. Check payload_stored=false, git metadata, and report hash.
4. Decide readiness
Would we send this report to an AppSec engineer without explaining it live?
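One way to turn step 3 into a repeatable gate, as an added example that is not orisan's own code: it checks a constructed orisan-scout-review.json against its Markdown report. The field names (payload_stored, git, findings, report_hash) and the rule that report_hash is the SHA-256 of the Markdown bytes are assumptions about the artifact layout.

```python
import hashlib
import json

# Constructed sample artifacts (not real orisan output). The Markdown report
# is the human-readable side; the JSON is assumed to carry payload_stored,
# git metadata, findings and a report_hash over the Markdown bytes.
SAMPLE_MD = (
    "# Scout review\n\n"
    "Capability summary: the agent config can run shell commands.\n\n"
    "## Findings\n- F1 (high): .agent/config.yaml allows unrestricted exec\n"
)
SAMPLE_JSON = json.dumps({
    "payload_stored": False,
    "git": {"commit": "0123abcd", "branch": "main"},
    "findings": [{"id": "F1", "severity": "high",
                  "title": ".agent/config.yaml allows unrestricted exec"}],
    "report_hash": hashlib.sha256(SAMPLE_MD.encode()).hexdigest(),
})

def check_artifacts(json_text: str, markdown_text: str) -> list[str]:
    """Return readiness problems for one Scout run; an empty list passes the gate."""
    problems = []
    try:
        report = json.loads(json_text)
    except json.JSONDecodeError as exc:
        return [f"JSON artifact is not parseable: {exc}"]
    # Exactly false, not missing and not a truthy string: the gate is about
    # showing that no repository payload was retained in the artifact.
    if report.get("payload_stored") is not False:
        problems.append("payload_stored is not exactly false")
    git = report.get("git") or {}
    for key in ("commit", "branch"):
        if not git.get(key):
            problems.append(f"git metadata missing: {key}")
    # Assumed hashing rule: report_hash = SHA-256 of the Markdown report bytes.
    expected = hashlib.sha256(markdown_text.encode()).hexdigest()
    if report.get("report_hash") != expected:
        problems.append("report_hash does not match the Markdown report")
    if not isinstance(report.get("findings"), list):
        problems.append("findings is missing or not a list")
    return problems

def tampered_json() -> str:
    """Copy of the sample with the payload flag flipped, to show the gate failing."""
    report = json.loads(SAMPLE_JSON)
    report["payload_stored"] = True
    return json.dumps(report)

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_JSON), ("tampered", tampered_json())):
        print(label, check_artifacts(text, SAMPLE_MD) or "OK")
```

Point it at a real run by reading orisan-scout-review.json and orisan-scout-review.md from disk in place of the constructed samples, once the real field names are confirmed.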
Feedback checklist
Did Scout run successfully?
How many findings did it produce?
Was the capability summary useful?
Were any findings wrong, noisy, or confusing?
Did Scout miss obvious repo-local AI-agent config?
Would this report help an approval or remediation workflow?
Would we send this externally without live explanation?
Copy paste
Internal run note.
Internal Scout dogfood note
Do not start outbound validation yet.
The product question is:
What can an AI coding agent in this repo read, execute, or change?
Install:
curl -fsSL https://orisan.org/install | sh
Run:
orisan scout
It writes:
orisan-scout-review.md
orisan-scout-review.json
Final gate:
Would we send this report to an AppSec engineer without explaining it live?