
Sample Undes Pro Trust Artifact

This sample shows the kind of report a Pro beta user should expect. It is synthetic, uses invented file names, and does not come from private customer code.

Review an AI-generated authentication middleware refactor before merge.

Scenario: an engineer used an AI coding tool to refactor authentication middleware and wants to know whether the generated patch is safe to merge.

Verdict: needs review

The generated change is plausible, but Undes could not prove compatibility with legacy sessions or rotated signing keys.
Sources reviewed and why each mattered

  • src/auth/middleware.ts: main token validation path.
  • src/auth/session.ts: session lookup and expiry behavior.
  • src/auth/cookies.ts: cookie options and environment-specific settings.
  • tests/auth/session.test.ts: existing coverage for session behavior.
  • docs/auth-session-lifecycle.md: documented migration and token lifecycle assumptions.
Areas reviewed

  • Token validation path
  • Session expiry behavior
  • Cookie handling
  • Error response behavior
  • Current test coverage

Assumptions made by the generated patch

  • The AI-generated patch assumes all sessions use the new token format.
  • It assumes cookie configuration is identical across environments.
  • It assumes expired-token behavior is already covered by tests.

Not verified

  • Compatibility with legacy sessions.
  • Behavior under rotated signing keys.
  • Production cookie configuration.
  • Whether downstream services depend on the previous error response format.

Simplification risk

The patch simplifies the middleware but changes one error branch.

Coverage gap

The test suite covers the happy path but not legacy-session fallback.

Migration risk

The migration risk is under-explained.

Risks

  • Existing users may be logged out unexpectedly.
  • One branch may return 403 instead of the previous 401.
  • Missing regression test for expired-token refresh.
  • Staging and production cookie settings may diverge.

Next steps

  1. Add a legacy-session regression test.
  2. Verify rotated signing-key behavior.
  3. Compare staging and production cookie settings.
  4. Confirm whether API clients depend on 401 vs 403 behavior.
  5. Rerun the review after tests are added.

Do not merge as-is. The patch may be correct, but it needs targeted verification before production use.
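To make the three findings concrete, here is an added example of the shape a token-validation path can take when it does handle what the sample report flags: signing-key rotation (lookup by key id, with the previous key still accepted), a fallback for legacy-format sessions, and a strict ordering so that authentication failures return 401 and only a successfully authenticated caller can ever receive 403. This is illustration code written for this page, not Undes's code and not the synthetic project's src/auth/middleware.ts; the token formats ("v2.<kid>.<payload>.<sig>" and legacy "v1.<payload>.<sig>"), the HMAC construction, and the key-ring layout are all assumptions made for the example.

```typescript
// Added example (not from the reviewed project): token validation with key
// rotation, legacy-session fallback, and a fixed 401-before-403 ordering.
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Assumed key ring: "current" signs new tokens, "previous" stays valid during
// rotation, and "legacy" verifies old v1 tokens until migration completes.
export type KeyRing = Record<string, string>;

export interface Claims { sub: string; exp: number; role?: string }

// 401 = not authenticated (any token problem); 403 = authenticated but not allowed.
export interface AuthResult { status: 200 | 401 | 403; claims?: Claims; reason?: string }

function sign(input: string, secret: string): string {
  return createHmac("sha256", secret).update(input).digest("base64url");
}

function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Assumed formats: v2 tokens bind the key id into the signed input; legacy v1
// tokens carry no key id and are always checked against the "legacy" key.
export function mintToken(claims: Claims, kid: string, ring: KeyRing, legacy = false): string {
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  if (legacy) return `v1.${payload}.${sign(payload, ring["legacy"])}`;
  return `v2.${kid}.${payload}.${sign(`${kid}.${payload}`, ring[kid])}`;
}

interface ParsedToken { kid: string; payload: string; sig: string; signedInput: string }

function parseToken(token: string): ParsedToken | null {
  const parts = token.split(".");
  if (parts.length === 4 && parts[0] === "v2") {
    const [, kid, payload, sig] = parts;
    return { kid, payload, sig, signedInput: `${kid}.${payload}` };
  }
  if (parts.length === 3 && parts[0] === "v1") {
    const [, payload, sig] = parts;
    return { kid: "legacy", payload, sig, signedInput: payload };
  }
  return null; // neither format: treat as unauthenticated, never as forbidden
}

export function verifyToken(token: string, ring: KeyRing, now: number): AuthResult {
  const parsed = parseToken(token);
  if (!parsed) return { status: 401, reason: "malformed token" };
  const secret = ring[parsed.kid];
  if (!secret) return { status: 401, reason: "unknown key id" };
  if (!safeEqual(sign(parsed.signedInput, secret), parsed.sig)) {
    return { status: 401, reason: "bad signature" };
  }
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(parsed.payload, "base64url").toString("utf8"));
  } catch {
    return { status: 401, reason: "bad payload" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { status: 401, reason: "expired" };
  }
  return { status: 200, claims };
}

// Authorization runs only on an already-authenticated result, so the 403 branch
// cannot replace a 401 for expired, forged or legacy-but-invalid tokens.
export function authorize(result: AuthResult, requiredRole: string): AuthResult {
  if (result.status !== 200 || !result.claims) return result;
  if (result.claims.role !== requiredRole) return { status: 403, reason: "insufficient role" };
  return result;
}
```

The regression tests the report asks for map directly onto this shape: one token signed with the previous key, one legacy v1 token, one expired token, and one valid token with the wrong role; each should produce the status the downstream API clients already depend on.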