{"schema":"szl.a11oy.assurance.evidence-pack.envelope.v1","pack":{"schema":"szl.a11oy.assurance.evidence-pack.v1","generated_at":"2026-07-18T12:09:54Z","what":"Single, offline-verifiable auditor evidence pack assembled at REQUEST time from already-live a11oy surfaces. stdlib-only; no fabrication.","assurance_matrix":{"source":"/api/a11oy/v1/assurance/matrix","status":"LIVE","requirement_count":8,"requirements":[{"req_id":"MC-1","requirement":"Model Card","req_detail":"AI systems shall have a model card describing model purpose, training data, performance, and known limitations.","source":"DoDM 5000.101 (DoD AI Acquisition Policy)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-5000-101.pdf","a11oy_artifact":"a11oy model card endpoint: GET /api/a11oy/v1/honest (model id, training data label, performance honesty, limitation disclosures). Served-model id embedded in every signed Khipu receipt.","artifact_url":"/api/a11oy/v1/honest","status":"LIVE","status_detail":"Model card data is live at /api/a11oy/v1/honest. Training data labeled SAMPLE/SIMULATED unless MEASURED — doctrine-enforced. Served-model id is embedded in every signed DSSE receipt.","honest_caveats":"Performance metrics are SAMPLE/ADVISORY. Λ=Conjecture 1 (advisory; NOT a theorem). 8 kernel-proven formulas only; never '183 proven'."},{"req_id":"DC-1","requirement":"Data Card / Honest Data Labels","req_detail":"AI systems shall document data provenance, quality, and representativeness to support risk management and authorization.","source":"DoD AI Cyber RMF Tailoring Guide (CDAO/dodcio.defense.gov)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Cyber-RMF-Tailoring-Guide.pdf","a11oy_artifact":"a11oy honest data labels: every data reference is tagged LIVE / MEASURED / SAMPLE / MODELED / ROADMAP — no unlabeled assertions. Labels are embedded in signed Khipu receipts and surfaced in the assurance matrix.","artifact_url":"/api/a11oy/v1/assurance/matrix","status":"LIVE","status_detail":"Honest-label schema is enforced in doctrine v11/v12. Every data claim carries a machine-readable status label. Labels are baked into signed receipts.","honest_caveats":"Demo data is SAMPLE/SIMULATED unless explicitly labeled MEASURED. Production measured data requires deployment in a live environment."},{"req_id":"SBOM-1","requirement":"SBOM / Software Bill of Materials","req_detail":"Federal agencies and DoD programs shall produce a Software Bill of Materials for all AI/software systems to support supply-chain risk management.","source":"OMB Memo M-22-18 (Enhancing the Security of the Software Supply Chain)","source_url":"https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf","a11oy_artifact":"SLSA Level 1 attestation: szl_dsse.py and all Python modules are open-source (Apache-2.0), committed to szl-holdings/a11oy with full commit SHAs. SLSA L2 (hermetic build) and L3 (full provenance) are ROADMAP items.","artifact_url":"https://github.com/szl-holdings/a11oy","status":"ROADMAP","status_detail":"L1: Source is public (Apache-2.0) — honest. L2 (attested hermetic build): ROADMAP. L3 (full SLSA provenance): ROADMAP. Full SBOM in CycloneDX/SPDX format: ROADMAP.","honest_caveats":"Honest: L1 only today. L2/L3 are explicit ROADMAP items. No fabricated compliance claim."},{"req_id":"SI7-1","requirement":"Model / Data Integrity Check (SI-7)","req_detail":"NIST SP 800-53 SI-7 (Software, Firmware, and Information Integrity): AI systems shall employ integrity verification tools to detect unauthorized changes to software, firmware, and information.","source":"NIST SP 800-53 Rev 5 — SI-7 (via DoD AI RMF Tailoring Guide)","source_url":"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final","a11oy_artifact":"SHA3-256 hash-chained signed Khipu receipts (F4/F22): every inference decision is hash-chained (prev→digest) and DSSE-signed (ECDSA-P256 over SHA-256). Buyer can re-verify integrity offline with public key + WebCrypto. F4 (Khipu chain determinism) and F22 (monotone sequence) are kernel-proven @ c7c0ba17.","artifact_url":"/api/a11oy/v1/govern/infer","status":"LIVE","status_detail":"Hash-chain: LIVE — every receipt carries prev_digest + digest (SHA-256). DSSE signing: LIVE when SZL_COSIGN_PRIVATE_KEY_PEM secret is present. Buyer-verifiable: LIVE via /verify page (WebCrypto, zero server round-trip for verify). F4 + F22 kernel-proven @ c7c0ba17.","honest_caveats":"Hash function is SHA-256 (via Python 'hashlib'), not SHA3-256 in the current receipt chain. DSSE uses ECDSA-P256-SHA256. Offline verify: WebCrypto in browser or cosign verify-blob CLI."},{"req_id":"TEVV-1","requirement":"TEVV Results in Security Authorization Package","req_detail":"Test, Evaluation, Verification, and Validation (TEVV) results shall be documented and included in the AI system's security authorization package, providing auditable evidence of system behavior.","source":"CDAO AI Assurance Framework / DoDI 5000.89 (T&E for AI)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Assurance.pdf","a11oy_artifact":"Signed DSSE receipt per governed decision: every allow/review/deny verdict produces a cryptographically-signed Khipu receipt (szl_dsse.sign_khipu_receipt). The receipt encodes: decision, Λ score (advisory), gates fired/passed, chain hash, timestamp — a machine-verifiable TEVV artifact per inference call.","artifact_url":"/verify","status":"LIVE","status_detail":"Signed receipt per decision: LIVE. Each receipt is DSSE-signed and hash-chained. Buyer can paste the receipt into /verify and get WebCrypto VERIFIED result. Λ advisory score included in receipt (Conjecture 1 label).","honest_caveats":"TEVV in a11oy covers governed-inference decisions. Full model-level T&E (accuracy, adversarial robustness benchmarks) requires additional tooling: ROADMAP. Λ is Conjecture 1 (advisory; NOT a theorem)."},{"req_id":"RA-1","requirement":"Runtime Assurance / Continuous Monitoring","req_detail":"AI systems in operational use shall have runtime monitoring to detect anomalous behavior, performance drift, and policy violations.","source":"CDAO AI Assurance Framework / NIST AI RMF 1.0 (GOVERN + MONITOR)","source_url":"https://airc.nist.gov/RMF_Overview","a11oy_artifact":"Λ-gate per call (advisory, Conjecture 1): every inference call passes through the Λ gate (floor 0.90 advisory). Gates: threat-signature-scan, pii-egress-guard. OTel-GenAI spans for runtime observability: partial (ROADMAP for full OTel). Signed refusal receipts for every denied call — continuous audit trail.","artifact_url":"/api/a11oy/v1/gates","status":"LIVE","status_detail":"Λ gate per call: LIVE (advisory floor, Conjecture 1). Threat/PII gates: LIVE. Signed denial receipts: LIVE. Full OTel-GenAI span export: ROADMAP.","honest_caveats":"Λ = Conjecture 1 (advisory; NOT a theorem). Gate coverage is advisory, not a certified classifier. Full OTel instrumentation is ROADMAP. Never claim 100% detection coverage."},{"req_id":"IV-1","requirement":"Independent Verifiability","req_detail":"Governance artifacts (receipts, audit logs) shall be independently verifiable by an auditor or buyer without relying solely on the provider's assertion.","source":"CDAO AI Assurance Framework / DoD AI Ethical Principles (Traceable)","source_url":"https://dodcio.defense.gov/Portals/0/Documents/Library/AI-Principles-Recommendations-Final.pdf","a11oy_artifact":"Buyer re-verifies signature offline via WebCrypto (/verify page) or cosign verify-blob CLI. Public key at /cosign.pub (also: github.com/szl-holdings/.github/cosign.pub). No server round-trip required for verification — the math is the receipt.","artifact_url":"/verify","status":"LIVE","status_detail":"WebCrypto verify: LIVE — buyer pastes DSSE envelope, browser verifies ECDSA-P256. cosign verify-blob CLI: LIVE — byte-for-byte equivalent (proven round-trip). Public key is published and never rotated without notice. UNIQUE vs Foundry/Unity Catalog: lineage is viewable but NOT cryptographically buyer-verifiable. a11oy gives you a signature you can verify offline.","honest_caveats":"Independent verifiability applies to signed receipts only. Unsigned receipts (when private key is absent from runtime) carry an explicit UNSIGNED label — no fabricated signature ever. The hash chain is still valid and verifiable even without the ECDSA signature."},{"req_id":"ATO-1","requirement":"ATO / IL5 / FedRAMP-High Accreditation","req_detail":"AI systems handling sensitive DoD data require an Authority to Operate (ATO), IL5 (Impact Level 5) cloud authorization, and/or FedRAMP-High equivalent security authorization.","source":"DoD CC SRG / FedRAMP / DISA IL5 Cloud Computing SRG","source_url":"https://public.cyber.mil/dccs/","a11oy_artifact":"a11oy is NOT accredited. No ATO, no IL5, no FedRAMP-High authorization exists. Pursuing ATO/FedRAMP-High is a ROADMAP item contingent on a DoD program sponsor.","artifact_url":null,"status":"ROADMAP","status_detail":"ATO: NOT obtained — ROADMAP. IL5: NOT obtained — ROADMAP. FedRAMP-High: NOT obtained — ROADMAP. This is stated plainly. The honesty IS the sell to an auditor audience.","honest_caveats":"Any claim of ATO/IL5/FedRAMP would be false. a11oy is a governance overlay that can be DEPLOYED within an accredited environment (e.g., Advana/WDP) and contribute to the evidence package — but a11oy itself is not accredited. Do NOT misrepresent this."}],"honest_note":"Status: LIVE=operational; MEASURED=real data; SAMPLE=demo; MODELED=model-derived; ROADMAP=planned. ATO/IL5/FedRAMP=ROADMAP."},"khipu_organs":{"ok":true,"service":"khipu.organs","what":"every organ with a live Khipu DAG; head digest + depth + re-walked links_intact (integrity recomputed, never asserted)","organ_count":6,"organs":[{"organ":"governance-gateway","ns":"a11oy","registry_key":"a11oy/governance-gateway","head_digest":"0000000000000000000000000000000000000000000000000000000000000000","depth":0,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"},{"organ":"immune","ns":"a11oy","registry_key":"a11oy/immune","head_digest":"4458ecc9b6697bcb53cd0fc1a46d3fd09be2b95e3f71cd391a17c5ced1016289","depth":3,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"},{"organ":"pinn","ns":"a11oy","registry_key":"a11oy/pinn","head_digest":"794c0b9c450c4af843f65b2e60bae4bcf821b71a8b636de87b2d720c33cbe465","depth":2,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"},{"organ":"provenance","ns":"a11oy","registry_key":"a11oy/provenance","head_digest":"7420117dd5a71a98bb358b16ece08d4940215c219054390f90f0d5b239cd2c84","depth":2,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"},{"organ":"provenance-anchor","ns":"a11oy","registry_key":"a11oy/provenance-anchor","head_digest":"0000000000000000000000000000000000000000000000000000000000000000","depth":0,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"},{"organ":"wallpa","ns":"a11oy","registry_key":"a11oy/wallpa","head_digest":"0000000000000000000000000000000000000000000000000000000000000000","depth":0,"links_intact":true,"broken_at":null,"genesis_prev":"0000000000000000000000000000000000000000000000000000000000000000"}],"doctrine":{"khipu_integrity":"REAL — hash-chain integrity is independently recomputable here","khipu_kind":"Conjecture 2 (chain INTEGRITY real; BFT/consensus is the conjecture)","lambda":"Conjecture 1 (NOT a theorem)","locked_proven":8,"locked_proven_kernel":"c7c0ba17","locked_proven_note":"this verifier adds NOTHING to the locked-8","digest_matches":"COMPUTED (SHA3-256 recompute), never asserted","chain_to_genesis_verified":"COMPUTED (re-walk prev-links to genesis), never asserted","signature_status":"DSSE_PLACEHOLDER (cosign founder-gated; signature NEVER faked)","trust_ceiling":"never 100%","runtime_cdn":0,"fabricated_data":false},"ts":"2026-07-18T12:09:54Z"},"lake_health":{"ok":true,"store":"/app/khipu","chain_alg":"sha3_256","schema":"szl.lake.receipt/v1","total_receipts":177,"organs":{"a11oy":{"count":22,"chain_index":22,"chain_head":"b8339d4e621d05d4ad4aab28d8bff884c213d09be748a5d47a16e4383b968e7c"},"a11oy-kernel":{"count":1,"chain_index":1,"chain_head":"d0361e9f2c8d8ac96a1cdab46a6f45de3ed697a9e767d7ccccce2d69b60ae73c"},"a11oy-materials":{"count":8,"chain_index":8,"chain_head":"2e81e0d7f21c8d2f1f3695826d718f5a7cd6cf1bd01358197d936c586183f365"},"a11oy-pinn":{"count":96,"chain_index":96,"chain_head":"e5c70ed5924d7fca96069cc03f0fb9ed0773d480247621bcdbb45583902ac509"},"vertical-general":{"count":50,"chain_index":50,"chain_head":"e49bea8bee469fd79bbc1afd6a12ba63ec03106da1f5b6b2e5b756f1473dacd5"}}},"doctrine":{"version":"v11 LOCKED","locked_proven":8,"locked_theorems":["F1","F4","F7","F11","F12","F18","F19","F22"],"locked_count_ci_gate":"locked_count_eight (no-axiom theorem)","kernel_commit":"c7c0ba17","lambda":"Conjecture 1 (advisory; Λ-uniqueness is NOT a theorem)","khipu_bft":"Conjecture 2 (chain INTEGRITY is real and recomputed via sha3_256 re-walk; BFT/consensus safety across replicas is the OPEN conjecture, NOT proven)","liveness":"Conjecture 3 (advisory; agentic-loop liveness is NOT a closed theorem)","slsa":"L1 honest · L2 roadmap · L3 roadmap","accreditation":{"ato":"NOT obtained — ROADMAP","il5":"NOT obtained — ROADMAP","fedramp_high":"NOT obtained — ROADMAP"},"honest_note":"a11oy is the governance OVERLAY — NOT accredited. Chain integrity is COMPUTED (sha3_256 re-walk), never asserted. 8 locked-proven only; Λ/Khipu/liveness are conjectures, never theorems. No datum is fabricated."},"cosign_public_key":{"key_id":"demo-signing-key","key_kind":"demo","verify_key_url":"/demo-cosign.pub","sha256_fingerprint":"a722b29c157c24cc1365bf6db070384d025bed838e4eb35343f08ec5e4da01e0","demo_signing_available":false,"note":"signed with demo-signing-key — NOT the production founder-gated cosign key. The production founder-gated cosign key is NEVER placed in this runtime; this fingerprint is the DEMO public key."},"honest_disclosure":"a11oy is the governance overlay, NOT accredited (ATO/IL5/FedRAMP are ROADMAP). Chain integrity is COMPUTED (sha3_256 re-walk), never asserted. Khipu BFT is Conjecture 2 (NOT proven). 8 locked-proven only. No datum here is fabricated."},"pack_sha3_256":"229ae9a04a003d774c2c9dc82854b5993ad451aad95cdc8af4c93a2376c489b6","digest_alg":"sha3_256","digest_canonicalization":"json.dumps(pack, sort_keys=True, separators=(',',':'), ensure_ascii=False).encode('utf-8') then hashlib.sha3_256(...).hexdigest()","offline_verify":"Recompute: take the 'pack' object verbatim, canonicalise per digest_canonicalization, sha3_256 it, and confirm it equals pack_sha3_256. Zero server round-trip required.","signature":{"signed":false,"status":"DSSE_PLACEHOLDER","note":"no demo signing key in runtime (SZL_DEMO_SIGN_KEY absent) — honest-unsigned. The sha3_256 self-digest is independently recomputable offline; NEVER a fabricated signature."},"generated_at":"2026-07-18T12:09:54Z"}