How two deterministic, privacy-first tools — a form-filler that never guesses and a bug-recorder that never sees — combine to let artificial intelligence into a regulated enterprise without ever touching its data.
Regulated enterprises have been told they must choose. They can have the fluency of modern artificial intelligence, or they can keep their customers' data off a vendor's servers — but not both. This paper argues the choice is false. Two existing tools, built independently and to the same unusual creed, already contain the resolution between them. Trove fills forms without ever guessing. StepStitch reproduces software failures without ever seeing the screen. Read together, they describe a single machine: one that lets an AI reason about the shape of a task while remaining permanently blind to its substance — an x-ray that sees the skeleton and never the flesh. What follows is the case for building it.
Ask anyone who has tried to bring automation into a bank, an insurer, or a hospital, and you hear the same sentence in different clothes: "We can't send that to a model." The value a person copies from a distribution statement is a real account number. The form they fill is a real customer. The bug they report happened on a real screen with a real balance on it. The instant any of that leaves the machine — to a cloud model, an analytics endpoint, a session recorder — it has, in the eyes of a compliance officer, already leaked.
So regulated teams do the safe thing, which is the slow thing. They type. They screenshot and redact by hand. They describe bugs in prose that engineering can't reproduce. The tools that would help them are precisely the tools they're forbidden to feed. Modern AI, for this audience, has been an aroma under glass.
The usual escape hatches don't hold. On-premise models are expensive and quickly stale. "We'll just anonymize it first" fails the moment a free-text field carries a name. And the fig leaf of a data-processing agreement doesn't change the physics: once content is on a wire, it can be logged, cached, and subpoenaed. The honest constraint is not "be careful with the data." It is the data must never leave, and the model must never see it.
That sounds like a prohibition on intelligence. This paper's claim is that it is only a prohibition on content — and that content is not where the intelligence needs to look.
They were built for different jobs. One is a Windows desktop tool that fills forms; the other is a web service that turns bug reports into tests. On the surface they share nothing. Underneath, they were designed by the same conscience.
Look at what each instrument keeps and what it throws away, and the symmetry becomes hard to unsee. Trove holds a value it is sure of and asks a human before acting. StepStitch holds a structure it is blind through and asks a human before acting. Here is the shape StepStitch actually emits — a "footstep." Note what is present, and what is conspicuously absent.
{
"timestamp": "2026-06-02T08:00:00.000Z",
"type": "click", // navigation | click | input | api_error | exception
"route": "/accounts/:id", // templated — never the raw URL
"target": "[data-testid=\"pay\"]", // a stable, structural selector
"label": "[masked]", // text is masked unless explicitly opted in
"metadata": { "status": 500, "method": "POST", "error_type": "TypeError" }
}
And here is Trove's answering gate — the single line that enforces "never guess." A field is fillable only when the source value is exact and the label match is confident. Anything less routes to human review.
// A field auto-fills only when BOTH gates pass: the value is exact (Ok, not an // unverified scan) AND the label match is confident (not a weak guess). public bool IsFillable => SelectedField?.Status == FieldStatus.Ok && _selectionConfident;
Strip both tools to their creed and you get the same four vows, arrived at independently. This convergence is the intellectual core of the paper: it is not a coincidence that two privacy-first tools rhyme. It is that there is essentially one correct posture for software that must be trusted with regulated work, and both tools found it.
Trove matches on field labels and shapes; StepStitch records selectors and routes. Neither needs the values to do its job.
Trove proposes a fill and stops; StepStitch "perceives, scores, compiles, and drafts, but never plans or acts."
A person clicks Submit in Trove; a person approves the pull request in StepStitch. Oversight is structural, not optional.
Trove never opens a socket; StepStitch scrubs before storage and keeps "auth in your stack, not the model."
Once you see the four vows as a shared foundation, the two tools stop looking like neighbors and start looking like two organs of one body. Trove is a hand that fills. StepStitch is an eye that sees structure while blind to content. The paper's proposal is simply to connect the eye to the hand — and to let a mind reason in between, on the one thing that is safe to show it.
Here is the crux. Trove today deliberately refuses artificial intelligence. It uses hand-written deterministic rules to match labels, and it rejected fuzzy matching precisely because a model that sees a value might confidently fill the wrong one. The refusal is correct — given the assumption that letting AI help means letting AI see the data.
StepStitch breaks that assumption. It has already solved, for a different domain, the problem of producing a rich, machine-readable description of a screen that contains no content at all — only structure. Its "x-ray" is exactly the kind of artifact a model can reason over safely, because there is nothing sensitive in it to leak.
So the fusion is this: let StepStitch's blinded x-ray be the only thing the AI ever sees. The model receives the skeleton of a form — its fields, roles, selectors, layout, route — with every value masked. It proposes how the pieces map. That proposal enters Trove not as an action but as a suggestion, landing in the same amber "check & type" review that a weak deterministic guess already lands in. The deterministic gate and the human still decide. The model has helped without ever holding a secret.
The AI sees the shape of the lock and suggests which key fits. It never sees what the box contains, and it never turns the key.
Concretely, this rides on infrastructure StepStitch already exposes: a Model Context Protocol server whose operations are read-only or draft, consumable by "any MCP client — Copilot, OpenAI, Vertex, Bedrock, Claude." The boundary is already drawn in the right place. Below is the proposed bridge — the one new contract — expressed against the two tools' real types.
// The model is handed ONLY a scrubbed structural x-ray of the form. // No value, no page text, no raw URL is ever present in this payload. interface FormXRay { route: string; // "/transfers/:id" (templated) fields: { selector: string; // "[data-testid=payee]" — structural role: string; // "textbox" | "combobox" | ... labelHash: string; // one-way hash of the caption, not the caption value: "[masked]"; // ALWAYS masked — StepStitch's guarantee fragility: number; // 0..1 selector-stability risk (Fragility Radar) }[]; } // The model returns a SUGGESTION CLASS, never a write. interface MappingDraft { selector: string; sourceKey: string; // which copied field it believes maps here confidence: "suggest"; // literally cannot be "fill" — type-enforced reason: string; // human-readable, auditable } // Trove's gate is unchanged. A draft can only ever become amber review: row._selectionConfident = false; // AI drafts are never "confident" // => IsFillable stays false => the human checks & types. Vow 1–4 intact.
The elegance is that nothing in Trove's guarantee has to be re-argued. Its conscience — Status == Ok && _selectionConfident — already treats un-confident input as review-only. The AI simply becomes a very good source of un-confident suggestions on forms Trove was never taught. It widens the funnel of "things worth showing the human," and touches nothing below the gate.
With the eye connected to the hand and a blind model reasoning between them, a set of capabilities opens that neither tool can reach alone — and that directly repair Trove's known weaknesses.
Today Trove abstains on any form outside its vocabulary. Fed a scrubbed x-ray, a model proposes mappings for arbitrary forms — a benefits portal, a claims screen, a vendor onboarding page — that arrive as amber suggestions for the operator to confirm.
The compliance headline: the enterprise gets model-grade form comprehension while the model provably never receives one customer value — because StepStitch masks and scrubs before anything is assembled. "Never leaves the machine" becomes "content never leaves; only the skeleton is reasoned over."
StepStitch already computes a deterministic replayability score (0–1, graded A–F) from structural signals. Repurposed, it tells an operator "this form is a B — expect two fields to need typing" before Trove touches it. A number reviewers can trust, not a vibe.
Trove's learned mappings break when a form's markup changes. StepStitch's Fragility Radar already ranks selectors by durability (a data-testid is stable; an nth-of-type path is brittle). Wire it in, and Trove learns durable anchors, warns when a known form has shifted, and asks to re-learn before it silently misfills.
StepStitch compiles a scrubbed, runnable Playwright reproduction. The same compiler turns a taught Trove form into a portable, versioned, replayable fill recipe — an artifact you can diff, test on every release, and distribute to the fleet, instead of an opaque learned blob.
Trove proves "false-confidence = 0" through its audit; StepStitch attaches a scrub report to every capture. Unify them and every fill and every capture ships with a signed, scrubbed evidence record — the single artifact an InfoSec reviewer actually wants.
Trove reaches native Windows apps and embedded browsers through UI Automation; StepStitch reaches any web app through the DOM. Together they cover the whole surface an operator faces in a day — legacy desktop, modern SPA — under one blindfold.
StepStitch's "capability provider, not orchestrator" pattern is exactly how to expose Trove to an agent: an AI can ask Trove to perceive a form, grade it, and draft a plan — but Trove still never submits, and the human still gates. The safe boundary is copied, not reinvented.
Six of these eight are not new engineering so much as re-pointing a StepStitch component at a Trove problem. That is the tell of a real fit: the parts already have the right shape.
The whole design can be drawn as one rule: the model lives outside the value plane. Content — the real names, numbers, and balances — flows only along the bottom track, on the operator's machine, and never crosses up. Structure — the blinded x-ray — is the only thing that ever rises to where a model can reason.
┌─ THE MODEL PLANE ── (may be cloud; sees structure only) ───────────────┐ AI via MCP ◀── FormXRay (masked) ──┐ proposes MappingDraft │ reasons over skeleton │ │ (class: "suggest") ▼ │ ▼ "payee ← Reissue Payee?" │ amber review only └───────────────────────────────────────┼──────────────┼─────────────────┘ │ scrub & │ never a write │ mask │ ┌─ THE VALUE PLANE ── (the operator's machine; never leaves) ────────────┐ copied document ─▶ StepStitch capture ─▶ x-ray ──┘ │ ▼ real values ───────────────────────▶ Trove fill ─▶ two-gate ─▶ human clicks Submit └────────────────────────────────────────────────────────────────────────┘ Rule of the crossing: UP may carry only [structure, masked] DOWN may carry only [a suggestion, never an action]
This is why the design is conservative rather than reckless. It does not make Trove trust a model. It makes a model useful to Trove under Trove's existing distrust. The safety properties are not weakened and then patched back; they are never weakened at all, because the model is architecturally denied both the data and the trigger.
// StepStitch's core never lets a downstream consumer see raw content. // The SAME discipline governs what an AI may receive in the fusion. TraceSummary = flat_scalars_only(trace) # projection, not the trace FORBIDDEN = { "footsteps", "explanation_raw", "user_id", "request_body", "response_body", "target", "selectors", "raw_url" } # dropped, always assert FORBIDDEN.isdisjoint(TraceSummary.keys()) # enforced, not hoped
A design that only lists its strengths is marketing. The fusion has real hazards, and naming them is part of the argument that it can be built responsibly.
The entire safety case rests on one claim: that the x-ray truly contains no content. A single un-masked label, a value that leaks through a selector, an opt-in unmask left on by accident — and a real datum reaches the model. This must be defended the way Trove defends "false-confidence = 0": by adversarial tests and a scrub report checked on every payload, not by trust. It is the first thing an InfoSec reviewer should try to break.
Rarely, shape itself is content — a route like /oncology/:patient reveals a diagnosis by its path. Route templating helps, but the fusion must treat structural metadata as capable of leaking, and let the strictest deployment profile drop it.
Trove's discipline is a feature. The moment a model proposes mappings, there is pressure to "just auto-fill the high-confidence ones." That pressure must be refused at the type level, as in Figure 3 — a draft that cannot be a fill — or the whole guarantee erodes one convenience at a time.
Trove is .NET on Windows; StepStitch is Python and TypeScript, Apache-2.0. The bridge is real integration work, and the licensing boundary — what may be combined, and how it is distributed to a client — is a question for counsel before it is a question for engineering.
Neither tool has met a broad user base; the combination has met none. This paper describes a credible machine, not a shipped one. The correct next step is a single narrow pilot on one real form, not a platform launch.
Judged alone, Trove is a tool of unusual discipline that has not yet met a real form. StepStitch is a second instance of the same rare instinct, aimed at a different wound. The interesting question is not what each is, but what they become together — and that is easier to run than to assert. The fusion resolves a contradiction the whole industry treats as a law — AI fluency versus data sovereignty — not with a compromise but with a boundary that was already, independently, drawn twice. Here is that boundary, live. Press run. Then try to break it.
The deeper point is that this was never two products. It is one idea — see the structure, stay blind to the substance, propose but never act, keep the data home — that happened to be discovered twice, in two languages, for two jobs. Naming that idea, and building the bridge that lets a model stand safely inside it, is the work. For the audience that has spent a decade being told they must choose between intelligence and integrity, it is also the pitch: you were never actually asked to choose.
Recommended next step
One form. One operator. Trove fills it deterministically as it does today; StepStitch captures its x-ray; a blinded model proposes the two mappings Trove couldn't. Measure whether the suggestions help, and whether the scrub report survives a hostile read. That single loop is the whole thesis, testable in a week.