I was trying to figure something like this out myself a while ago. The best solution I could come up with was a transparent Platform as a Service provider that had an option for the person(s) with access to allow anyone who wants to inspect the slug and application settings (minus any secret tokens) to do so. Essentially, it would be verifiable for any users of the application that the DNS resolves to the servers of the PaaS provider, and then from there they could look up the code deployed to the application, the Procfile, etc.
This would still require placing trust in a centralized entity though, and allow for administrators to manipulate or dump db info without the users knowing.
This would still require placing trust in a centralized entity though, and allow for administrators to manipulate or dump db info without the users knowing.