@attestplane/attestplane 0.0.1 → 0.0.4-alpha

package/dist/index.js

@@ -3,13 +3,35 @@
 /**
  * Attestplane — verifiable audit substrate for AI agents.
  *
- * EU AI Act Article 12 ready. Apache-2.0 licensed.
+ * Designed toward EU AI Act Article 12 auditability. Apache-2.0 licensed.
  * See https://github.com/attestplane/attestplane and
  * docs/adr/0002-substrate-data-model-and-hash-chain-v0.md for the design.
  */
+export { AdapterError, AdapterTranslationError, GenericRuntimeAdapter, } from './adapters.js';
+export { AdapterConformanceError, replayFixture, } from './adapter_conformance.js';
+export { LangSmithAdapter, } from './adapters/langsmith.js';
+export { LangFuseAdapter, } from './adapters/langfuse.js';
+export { ANCHOR_SCHEMA_VERSION, AnchorError, AnchorVerificationError, DEFAULT_ANCHOR_POLICY, MockTSAProvider, MultiTSAProvider, TSAProvider, TSAUnavailableError, makeAnchorPolicy, makeTimestampRequest, validateAnchorRecord, verifyChainWithAnchors, } from './anchoring.js';
+export { parseTimestampResponse, verifyTimestampToken, } from './rfc3161.js';
 export { CanonicalizationError, canonicalize } from './canonical.js';
+export { CanonicalTextError, canonicalizeText, textHash, textHashHex, } from './canonical_text.js';
+export { FORBIDDEN_PAYLOAD_FIELDS, PayloadValidationError, validateLeaseLifecycleEventPayload, validatePolicyCheckEventPayload, validateReplayEventPayload, } from './event_payloads.js';
+export { verifyReplayManifest, } from './replay_verifier.js';
+export { checkSettlementPrecondition, } from './settlement_verifier.js';
+export { ALL_REASON_CODES_V1, REASON_CODE_DESCRIPTIONS, REASON_CODE_SCHEMA_VERSION, isKnownReasonCode, reasonCodeMatchesFormat, } from './reason_codes.js';
+export { ALL_EVENT_TYPES_V1, BUDGET_EVENT, EVAL_EVENT, EVIDENCE_TAXONOMY_VERSION, GATEWAY_DECISION_EVENT, HUMAN_APPROVAL_EVENT, LEASE_LIFECYCLE_EVENT, POLICY_CHECK_EVENT, ROUTING_EVENT, RUNTIME_LIFECYCLE_EVENT, SETTLEMENT_EVENT, STATE_TRANSITION_EVENT, TOOL_CALL_EVENT, WORKER_ASSIGNMENT_EVENT, isKnownV1EventType, } from './event_types.js';
 export { GENESIS_HASH, SCHEMA_VERSION, chainExtend, genesisHead, hashEvent, headOf, verifyChain, } from './hashchain.js';
 export { AttestSubstrate } from './substrate.js';
 export { makeEventDraft, makeSubjectRef, } from './types.js';
-export const VERSION = '0.0.1';
+export { DEFAULT_FORBIDDEN_FIELDS, ProofBundleBuilder, buildAuditorExport, deserializeSignatureRecord, serializeChainedEvent, serializeSignatureRecord, } from './proof_bundle.js';
+export { DSSE_PAYLOAD_TYPE, IntotoError, PREDICATE_TYPE_V1, STATEMENT_TYPE, canonicalJsonBytes, dsseEnvelopeToStatement, proofBundleToInTotoStatement, statementToDsseEnvelope, } from './intoto.js';
+export { ObligationRegistryError, loadAllRegistries, loadDoraArticle8, loadEuAiActArticle12, obligationById, obligationsByEventType, obligationsByImplementationStatus, } from './obligations.js';
+export { BundleSchemaError, BundleVerificationError, shortSummary, verifyProofBundle, verifyProofBundleFile, } from './verifier.js';
+// ADR-0005 event-signing surface (T6).
+export { KeyBoundaryError, KeyProvider, KeyProviderError, SIGNATURE_SCHEMA_VERSION, SignatureVerificationError, SigningError, DEFAULT_SIGNATURE_POLICY, deriveKeyId, makeSignaturePolicy, validateSignatureRecord, } from './signing/base.js';
+export { EnvKeyProvider, FileKeyProvider, InMemoryKeyProvider, MultiSignerProvider, exportPublicKeyDer, seedToPrivateKey, } from './signing/providers.js';
+export { Signer, buildPerEventPayload, buildSegmentHeadPayload, } from './signing/signer.js';
+export { TrustRoots, TrustRootsError, loadTrustRoots, parseTrustRoots, } from './signing/trust_roots.js';
+export { STATUS_RANK, verifyChainFull, verifyChainWithSignatures, } from './signing/verifier_ext.js';
+export { VERSION } from './index_version.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EACL,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,SAAS,EACT,MAAM,EACN,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,eAAe,EAAsB,MAAM,gBAAgB,CAAC;AACrE,OAAO,EACL,cAAc,EACd,cAAc,GAQf,MAAM,YAAY,CAAC;AAEpB,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;GAMG;AAEH,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,uBAAuB,EACvB,aAAa,GAKd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,gBAAgB,GAEjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,GAEhB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,qBAAqB,EACrB,WAAW,EACX,uBAAuB,EACvB,qBAAqB,EACrB,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,GAWvB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,sBAAsB,EACtB,oBAAoB,GAGrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,qBAAqB,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,QAAQ,EACR,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,kCAAkC,EAClC,+BAA+B,EAC/B,0BAA0B,GAO3B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,oBAAoB,GAKrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,2BAA2B,GAI5B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,iBAAiB,EACjB,uBAAuB,GAExB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,UAAU,EACV,yBAAyB,EACzB,sBAAsB,EACtB,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,gBAAgB,EAChB,sBAAsB,EACtB,eAAe,EACf,uBAAuB,EACvB,kBAAkB,GAEnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,SAAS,EACT,MAAM,EACN,WAAW,GAGZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,eAAe,EAAsB,MAAM,gBAAgB,CAAC;AACrE,OAAO,EACL,cAAc,EACd,cAAc,GAQf,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,wBAAwB,EACxB,kBAAkB,EAClB,kBAAkB,EAClB,0BAA0B,EAC1B,qBAAqB,EACrB,wBAAwB,GAWzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,kBAAkB,EAClB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,GAKxB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,sBAAsB,EACtB,iCAAiC,GAIlC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,YAAY,EACZ,iBAAiB,EACjB,qBAAqB,GAEtB,MAAM,eAAe,CAAC;AAEvB,uCAAuC;AACvC,OAAO,EACL,gBAAgB,EAChB,WAAW,EACX,gBAAgB,EAChB,wBAAwB,EACxB,0BAA0B,EAC1B,YAAY,EACZ,wBAAwB,EACxB,WAAW,EACX,mBAAmB,EACnB,uBAAuB,GAKxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,cAAc,EACd,eAAe,EACf,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GAIjB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,MAAM,EACN,oBAAoB,EACpB,uBAAuB,GAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,UAAU,EACV,eAAe,EACf,cAAc,EACd,eAAe,GAEhB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,WAAW,EACX,eAAe,EACf,yBAAyB,GAO1B,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/index_version.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Single source of truth for the package's version string.
+ *
+ * Isolated in its own module so other modules can read it without
+ * importing from `./index.ts`, which would create a circular import
+ * (index.ts re-exports symbols from those same modules).
+ */
+export declare const VERSION = "0.0.4-alpha";
+//# sourceMappingURL=index_version.d.ts.map

package/dist/index_version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index_version.d.ts","sourceRoot":"","sources":["../src/index_version.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AAEH,eAAO,MAAM,OAAO,gBAAgB,CAAC"}

package/dist/index_version.js

@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2026 The Attestplane Authors
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Single source of truth for the package's version string.
+ *
+ * Isolated in its own module so other modules can read it without
+ * importing from `./index.ts`, which would create a circular import
+ * (index.ts re-exports symbols from those same modules).
+ */
+export const VERSION = '0.0.4-alpha';
+//# sourceMappingURL=index_version.js.map

package/dist/index_version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index_version.js","sourceRoot":"","sources":["../src/index_version.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,aAAa,CAAC"}

package/dist/intoto.d.ts

@@ -0,0 +1,48 @@
+/**
+ * in-toto Statement v1 + DSSE shape helpers for Attestplane evidence.
+ *
+ * These helpers only build and parse deterministic statement/envelope shapes.
+ * They do not sign, verify signatures, manage keys, submit transparency-log
+ * entries, or implement a complete SLSA provenance pipeline.
+ */
+import type { ProofBundle } from './proof_bundle.js';
+export declare const PREDICATE_TYPE_V1: "https://attestplane.io/v1/agent-runtime-event";
+export declare const DSSE_PAYLOAD_TYPE: "application/vnd.in-toto+json";
+export declare const STATEMENT_TYPE: "https://in-toto.io/Statement/v1";
+export declare class IntotoError extends Error {
+    constructor(message: string);
+}
+export interface IntotoSubject {
+    readonly name: string;
+    readonly digest: {
+        readonly sha256: string;
+    };
+}
+export interface IntotoStatement {
+    readonly _type: typeof STATEMENT_TYPE;
+    readonly subject: readonly IntotoSubject[];
+    readonly predicateType: typeof PREDICATE_TYPE_V1;
+    readonly predicate: {
+        readonly chain_metadata: ProofBundle['chain_metadata'];
+        readonly events: ProofBundle['events'];
+        readonly verification_report: ProofBundle['verification_report'];
+        readonly framework_mappings: ProofBundle['framework_mappings'];
+        readonly forbidden_fields: ProofBundle['forbidden_fields'];
+    };
+}
+export interface DsseSignature {
+    readonly keyid: string;
+    readonly sig: string;
+}
+export interface DsseEnvelope {
+    readonly payloadType: typeof DSSE_PAYLOAD_TYPE;
+    readonly payload: string;
+    readonly signatures: readonly DsseSignature[];
+}
+export declare function proofBundleToInTotoStatement(bundle: ProofBundle): IntotoStatement;
+export declare function canonicalJsonBytes(value: unknown): Uint8Array;
+export declare function statementToDsseEnvelope(statement: IntotoStatement, options?: {
+    readonly signatures?: readonly DsseSignature[];
+}): DsseEnvelope;
+export declare function dsseEnvelopeToStatement(envelope: DsseEnvelope): IntotoStatement;
+//# sourceMappingURL=intoto.d.ts.map

package/dist/intoto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"intoto.d.ts","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,eAAO,MAAM,iBAAiB,EAAG,+CAAwD,CAAC;AAC1F,eAAO,MAAM,iBAAiB,EAAG,8BAAuC,CAAC;AACzE,eAAO,MAAM,cAAc,EAAG,iCAA0C,CAAC;AAEzE,qBAAa,WAAY,SAAQ,KAAK;gBACxB,OAAO,EAAE,MAAM;CAI5B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE;QACf,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;KACzB,CAAC;CACH;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,OAAO,cAAc,CAAC;IACtC,QAAQ,CAAC,OAAO,EAAE,SAAS,aAAa,EAAE,CAAC;IAC3C,QAAQ,CAAC,aAAa,EAAE,OAAO,iBAAiB,CAAC;IACjD,QAAQ,CAAC,SAAS,EAAE;QAClB,QAAQ,CAAC,cAAc,EAAE,WAAW,CAAC,gBAAgB,CAAC,CAAC;QACvD,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvC,QAAQ,CAAC,mBAAmB,EAAE,WAAW,CAAC,qBAAqB,CAAC,CAAC;QACjE,QAAQ,CAAC,kBAAkB,EAAE,WAAW,CAAC,oBAAoB,CAAC,CAAC;QAC/D,QAAQ,CAAC,gBAAgB,EAAE,WAAW,CAAC,kBAAkB,CAAC,CAAC;KAC5D,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,WAAW,EAAE,OAAO,iBAAiB,CAAC;IAC/C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,SAAS,aAAa,EAAE,CAAC;CAC/C;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,WAAW,GAAG,eAAe,CA8BjF;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAM7D;AAcD,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,eAAe,EAC1B,OAAO,GAAE;IAAE,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,aAAa,EAAE,CAAA;CAAO,GAC/D,YAAY,CAMd;AAED,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,YAAY,GAAG,eAAe,CA+B/E"}

package/dist/intoto.js

@@ -0,0 +1,106 @@
+// SPDX-FileCopyrightText: 2026 The Attestplane Authors
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * in-toto Statement v1 + DSSE shape helpers for Attestplane evidence.
+ *
+ * These helpers only build and parse deterministic statement/envelope shapes.
+ * They do not sign, verify signatures, manage keys, submit transparency-log
+ * entries, or implement a complete SLSA provenance pipeline.
+ */
+export const PREDICATE_TYPE_V1 = 'https://attestplane.io/v1/agent-runtime-event';
+export const DSSE_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
+export const STATEMENT_TYPE = 'https://in-toto.io/Statement/v1';
+export class IntotoError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'IntotoError';
+    }
+}
+export function proofBundleToInTotoStatement(bundle) {
+    if (bundle === null || typeof bundle !== 'object') {
+        throw new IntotoError('bundle must be an object');
+    }
+    const chainMetadata = bundle.chain_metadata;
+    if (chainMetadata === null ||
+        typeof chainMetadata !== 'object' ||
+        !chainMetadata.chain_id ||
+        !chainMetadata.head_hash_hex) {
+        throw new IntotoError('bundle.chain_metadata must include chain_id and head_hash_hex');
+    }
+    return {
+        _type: STATEMENT_TYPE,
+        subject: [
+            {
+                name: chainMetadata.chain_id,
+                digest: { sha256: chainMetadata.head_hash_hex },
+            },
+        ],
+        predicateType: PREDICATE_TYPE_V1,
+        predicate: {
+            chain_metadata: chainMetadata,
+            events: bundle.events,
+            verification_report: bundle.verification_report,
+            framework_mappings: bundle.framework_mappings,
+            forbidden_fields: bundle.forbidden_fields,
+        },
+    };
+}
+export function canonicalJsonBytes(value) {
+    const encoded = JSON.stringify(sortJsonValue(value));
+    if (encoded === undefined) {
+        throw new IntotoError('value is not JSON serializable');
+    }
+    return new TextEncoder().encode(encoded);
+}
+function sortJsonValue(value) {
+    if (Array.isArray(value))
+        return value.map((item) => sortJsonValue(item));
+    if (value !== null && typeof value === 'object') {
+        const out = {};
+        for (const key of Object.keys(value).sort()) {
+            out[key] = sortJsonValue(value[key]);
+        }
+        return out;
+    }
+    return value;
+}
+export function statementToDsseEnvelope(statement, options = {}) {
+    return {
+        payloadType: DSSE_PAYLOAD_TYPE,
+        payload: Buffer.from(canonicalJsonBytes(statement)).toString('base64'),
+        signatures: options.signatures ?? [],
+    };
+}
+export function dsseEnvelopeToStatement(envelope) {
+    if (envelope === null || typeof envelope !== 'object') {
+        throw new IntotoError('envelope must be an object');
+    }
+    if (envelope.payloadType !== DSSE_PAYLOAD_TYPE) {
+        throw new IntotoError(`unexpected payloadType: ${JSON.stringify(envelope.payloadType)}; expected ${JSON.stringify(DSSE_PAYLOAD_TYPE)}`);
+    }
+    if (typeof envelope.payload !== 'string') {
+        throw new IntotoError('envelope.payload must be a base64 string');
+    }
+    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(envelope.payload) || envelope.payload.length % 4 !== 0) {
+        throw new IntotoError('failed to base64-decode payload: invalid base64');
+    }
+    let decoded;
+    try {
+        decoded = Buffer.from(envelope.payload, 'base64').toString('utf-8');
+    }
+    catch (exc) {
+        throw new IntotoError(`failed to base64-decode payload: ${String(exc)}`);
+    }
+    let statement;
+    try {
+        statement = JSON.parse(decoded);
+    }
+    catch (exc) {
+        throw new IntotoError(`payload is not valid JSON: ${String(exc)}`);
+    }
+    if (statement === null || typeof statement !== 'object' || Array.isArray(statement)) {
+        throw new IntotoError('payload JSON must be an object');
+    }
+    return statement;
+}
+//# sourceMappingURL=intoto.js.map

package/dist/intoto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"intoto.js","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;GAMG;AAIH,MAAM,CAAC,MAAM,iBAAiB,GAAG,+CAAwD,CAAC;AAC1F,MAAM,CAAC,MAAM,iBAAiB,GAAG,8BAAuC,CAAC;AACzE,MAAM,CAAC,MAAM,cAAc,GAAG,iCAA0C,CAAC;AAEzE,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAiCD,MAAM,UAAU,4BAA4B,CAAC,MAAmB;IAC9D,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,WAAW,CAAC,0BAA0B,CAAC,CAAC;IACpD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,CAAC,cAAc,CAAC;IAC5C,IACE,aAAa,KAAK,IAAI;QACtB,OAAO,aAAa,KAAK,QAAQ;QACjC,CAAC,aAAa,CAAC,QAAQ;QACvB,CAAC,aAAa,CAAC,aAAa,EAC5B,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,+DAA+D,CAAC,CAAC;IACzF,CAAC;IACD,OAAO;QACL,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,aAAa,CAAC,QAAQ;gBAC5B,MAAM,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,aAAa,EAAE;aAChD;SACF;QACD,aAAa,EAAE,iBAAiB;QAChC,SAAS,EAAE;YACT,cAAc,EAAE,aAAa;YAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACrD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,WAAW,CAAC,gCAAgC,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1E,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5C,GAAG,CAAC,GAAG,CAAC,GAAG,aAAa,CAAE,KAAiC,CAAC,GAAG,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,SAA0B,EAC1B,UAA8D,EAAE;IAEhE,OAAO;QACL,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtE,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,EAAE;KACrC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,QAAsB;IAC5D,IAAI,QAAQ,KAAK,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACtD,MAAM,IAAI,WAAW,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,QAAQ,CAAC,WAAW,KAAK,iBAAiB,EAAE,CAAC;QAC/C,MAAM,IAAI,WAAW,CACnB,2BAA2B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,cAAc,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC,EAAE,CACjH,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,IAAI,WAAW,CAAC,0CAA0C,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1F,MAAM,IAAI,WAAW,CAAC,iDAAiD,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,oCAAoC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CAAC,8BAA8B,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,SAAS,KAAK,IAAI,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACpF,MAAM,IAAI,WAAW,CAAC,gCAAgC,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,SAA4B,CAAC;AACtC,CAAC"}

package/dist/obligations.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Static obligation registry mappings.
+ *
+ * These mappings are informational evidence-schema mappings only. They are
+ * not legal advice, not compliance certification, and not a runtime policy
+ * engine. They mirror the Python static registries for EU AI Act Article 12
+ * and DORA Article 8.
+ */
+export type ImplementationStatus = 'mapping_target' | 'designed_toward' | 'field_supported' | 'verified_in_test';
+export interface ObligationEntry {
+    readonly framework: string;
+    readonly article: string;
+    readonly paragraph: string;
+    readonly obligation_id: string;
+    readonly regulatory_text: string;
+    readonly required_evidence_fields: readonly string[];
+    readonly optional_evidence_fields: readonly string[];
+    readonly event_type_mapping: readonly string[];
+    readonly verifier_expectation: string;
+    readonly implementation_status: ImplementationStatus;
+    readonly legal_disclaimer: string;
+    readonly source_citation: string;
+    readonly notes?: string;
+}
+export interface Registry {
+    readonly framework: string;
+    readonly framework_source: string;
+    readonly registry_version: number;
+    readonly last_reviewed: string;
+    readonly entries: readonly ObligationEntry[];
+}
+export declare class ObligationRegistryError extends Error {
+    constructor(message: string);
+}
+export declare function loadEuAiActArticle12(): Registry;
+export declare function loadDoraArticle8(): Registry;
+export declare function loadAllRegistries(): readonly Registry[];
+export declare function obligationById(registry: Registry, obligationId: string): ObligationEntry | undefined;
+export declare function obligationsByEventType(registry: Registry, eventType: string): readonly ObligationEntry[];
+export declare function obligationsByImplementationStatus(registry: Registry, status: ImplementationStatus): readonly ObligationEntry[];
+//# sourceMappingURL=obligations.d.ts.map

package/dist/obligations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"obligations.d.ts","sourceRoot":"","sources":["../src/obligations.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AAEH,MAAM,MAAM,oBAAoB,GAC5B,gBAAgB,GAChB,iBAAiB,GACjB,iBAAiB,GACjB,kBAAkB,CAAC;AAEvB,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,wBAAwB,EAAE,SAAS,MAAM,EAAE,CAAC;IACrD,QAAQ,CAAC,wBAAwB,EAAE,SAAS,MAAM,EAAE,CAAC;IACrD,QAAQ,CAAC,kBAAkB,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/C,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,qBAAqB,EAAE,oBAAoB,CAAC;IACrD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,OAAO,EAAE,SAAS,eAAe,EAAE,CAAC;CAC9C;AAED,qBAAa,uBAAwB,SAAQ,KAAK;gBACpC,OAAO,EAAE,MAAM;CAI5B;AA+UD,wBAAgB,oBAAoB,IAAI,QAAQ,CAE/C;AAED,wBAAgB,gBAAgB,IAAI,QAAQ,CAE3C;AAED,wBAAgB,iBAAiB,IAAI,SAAS,QAAQ,EAAE,CAEvD;AAED,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,QAAQ,EAClB,YAAY,EAAE,MAAM,GACnB,eAAe,GAAG,SAAS,CAE7B;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,MAAM,GAChB,SAAS,eAAe,EAAE,CAI5B;AAED,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,QAAQ,EAClB,MAAM,EAAE,oBAAoB,GAC3B,SAAS,eAAe,EAAE,CAE5B"}

package/dist/obligations.js

@@ -0,0 +1,312 @@
+// SPDX-FileCopyrightText: 2026 The Attestplane Authors
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Static obligation registry mappings.
+ *
+ * These mappings are informational evidence-schema mappings only. They are
+ * not legal advice, not compliance certification, and not a runtime policy
+ * engine. They mirror the Python static registries for EU AI Act Article 12
+ * and DORA Article 8.
+ */
+export class ObligationRegistryError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ObligationRegistryError';
+    }
+}
+const REGISTRIES = [
+    {
+        framework: 'EU AI Act',
+        framework_source: 'Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L, 2024/1689, 12.7.2024',
+        registry_version: 1,
+        last_reviewed: '2026-05-17',
+        entries: [
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '1',
+                obligation_id: 'eu_ai_act.art12.1.automatic_recording',
+                regulatory_text: "High-risk AI systems shall technically allow for the automatic recording of events ('logs') over the lifetime of the system.",
+                required_evidence_fields: [],
+                optional_evidence_fields: [],
+                event_type_mapping: [
+                    'tool_call_event',
+                    'policy_check_event',
+                    'human_approval_event',
+                    'lease_lifecycle_event',
+                    'budget_event',
+                    'settlement_event',
+                    'worker_assignment_event',
+                    'runtime_lifecycle_event',
+                    'gateway_decision_event',
+                    'state_transition_event',
+                    'eval_event',
+                    'routing_event',
+                ],
+                verifier_expectation: "The chain contains at least one event of any v1 type; the substrate's append-only invariant is documented in ADR-0002 and enforced by canonical-JSON byte determinism plus the hash chain.",
+                implementation_status: 'designed_toward',
+                legal_disclaimer: "Mapping target only. Attestplane's append-only hash chain provides one technical component supporting an Article 12(1) implementation; it does not on its own discharge the obligation, which also requires runtime emission of events, retention against the system's lifetime, and the system being a 'high-risk AI system' as defined in Article 6.",
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(1).',
+                notes: "Implementation_status remains 'designed_toward' until M6 retention-policy ADR ships.",
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '2(a)',
+                obligation_id: 'eu_ai_act.art12.2a.identifying_risk_situations',
+                regulatory_text: '[Logging capabilities shall enable the recording of events relevant for] identifying situations that may result in the AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['session_id', 'reference_db_ref', 'matched_input_ref'],
+                event_type_mapping: [
+                    'policy_check_event',
+                    'state_transition_event',
+                    'eval_event',
+                    'runtime_lifecycle_event',
+                ],
+                verifier_expectation: 'Events that record adverse policy decisions, abnormal state transitions, failed evaluations, or runtime crashes carry a timestamp and an event_type drawn from the v1 taxonomy.',
+                implementation_status: 'field_supported',
+                legal_disclaimer: "Mapping target only. Attestplane records risk-relevant events when adapters emit them; what counts as 'a situation that may result in a risk within the meaning of Article 79(1)' is a runtime / deployer determination outside the substrate's scope.",
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(2)(a).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '2(b)',
+                obligation_id: 'eu_ai_act.art12.2b.post_market_monitoring',
+                regulatory_text: '[Logging capabilities shall enable the recording of events relevant for] facilitating the post-market monitoring referred to in Article 72.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['session_id'],
+                event_type_mapping: [
+                    'tool_call_event',
+                    'policy_check_event',
+                    'eval_event',
+                    'state_transition_event',
+                ],
+                verifier_expectation: 'Recorded events span the operational lifetime of the system and are retrievable as a verifiable chain, supporting Article 72 post-market obligations.',
+                implementation_status: 'designed_toward',
+                legal_disclaimer: 'Mapping target only. The substrate provides the recording layer; Article 72 also requires a post-market monitoring system / plan and provider procedures, which are deployer responsibilities.',
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(2)(b).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '2(c)',
+                obligation_id: 'eu_ai_act.art12.2c.monitoring_operation',
+                regulatory_text: '[Logging capabilities shall enable the recording of events relevant for] monitoring the operation of high-risk AI systems referred to in Article 26(5).',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['session_id'],
+                event_type_mapping: [
+                    'runtime_lifecycle_event',
+                    'gateway_decision_event',
+                    'state_transition_event',
+                    'tool_call_event',
+                ],
+                verifier_expectation: "Recorded events include runtime start/stop, gateway admit/deny decisions, and state transitions sufficient for an operator to reconstruct the system's operational timeline.",
+                implementation_status: 'designed_toward',
+                legal_disclaimer: 'Mapping target only. The substrate captures operational events when adapters emit them; the deployer (acting per Article 26(5)) is responsible for ensuring those events are emitted and reviewed.',
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(2)(c).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '3(a)',
+                obligation_id: 'eu_ai_act.art12.3a.period_of_each_use',
+                regulatory_text: '[For high-risk AI systems referred to in point 1(a) of Annex III, the logging capabilities shall provide, at a minimum] recording of the period of each use of the system (start date and time and end date and time of each use).',
+                required_evidence_fields: ['session_id', 'timestamp'],
+                optional_evidence_fields: [],
+                event_type_mapping: ['runtime_lifecycle_event', 'state_transition_event'],
+                verifier_expectation: 'For each session_id present in the chain there exists at least one event marking the start of use and at least one event marking the end of use; both carry timestamps. (Implementation deferred to M6; v0.1 verifier surfaces this as a warning, not an error.)',
+                implementation_status: 'field_supported',
+                legal_disclaimer: "Mapping target only. The session_id field on EventDraft is the substrate's mechanism for recording per-use periods. Whether the runtime emits start/end events for each use of the system is a runtime/adapter responsibility outside the substrate's scope.",
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(3)(a). Applies specifically to Annex III point 1(a) (biometric identification systems for natural persons).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '3(b)',
+                obligation_id: 'eu_ai_act.art12.3b.reference_database',
+                regulatory_text: '[For high-risk AI systems referred to in point 1(a) of Annex III, the logging capabilities shall provide, at a minimum] the reference database against which input data has been checked by the system.',
+                required_evidence_fields: ['reference_db_ref'],
+                optional_evidence_fields: ['session_id'],
+                event_type_mapping: ['eval_event', 'policy_check_event'],
+                verifier_expectation: 'Every eval_event (and policy_check_event when applicable to biometric matching) has reference_db_ref populated with a stable identifier of the reference database used.',
+                implementation_status: 'field_supported',
+                legal_disclaimer: "Mapping target only. The reference_db_ref field on EventDraft is the substrate's mechanism for recording reference-database identity; the adapter is responsible for populating it with a meaningful and stable identifier.",
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(3)(b). Applies specifically to Annex III point 1(a) (biometric identification systems for natural persons).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '3(c)',
+                obligation_id: 'eu_ai_act.art12.3c.matched_input_data',
+                regulatory_text: '[For high-risk AI systems referred to in point 1(a) of Annex III, the logging capabilities shall provide, at a minimum] the input data for which the search has led to a match.',
+                required_evidence_fields: ['matched_input_ref'],
+                optional_evidence_fields: ['session_id', 'reference_db_ref'],
+                event_type_mapping: ['eval_event'],
+                verifier_expectation: "Every eval_event whose decision is 'PASS' (i.e., a match) has matched_input_ref populated with a SHA-256 content reference to the input data, never the raw input.",
+                implementation_status: 'field_supported',
+                legal_disclaimer: 'Mapping target only. The matched_input_ref field on EventDraft records a SHA-256 content reference to the input data, not the raw data, in keeping with GDPR Article 5(1)(c) data minimisation. The substrate does not retain the underlying input.',
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(3)(c). Applies specifically to Annex III point 1(a) (biometric identification systems for natural persons).',
+            },
+            {
+                framework: 'EU AI Act',
+                article: '12',
+                paragraph: '3(d)',
+                obligation_id: 'eu_ai_act.art12.3d.human_verifier',
+                regulatory_text: '[For high-risk AI systems referred to in point 1(a) of Annex III, the logging capabilities shall provide, at a minimum] the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5).',
+                required_evidence_fields: ['human_verifier'],
+                optional_evidence_fields: ['session_id'],
+                event_type_mapping: ['human_approval_event', 'eval_event'],
+                verifier_expectation: "Every human_approval_event has human_verifier populated; every eval_event with evaluator_kind in {'HUMAN','ENSEMBLE'} has human_verifier populated. The human_verifier field is a SubjectRef so direct identifiers cannot be silently written.",
+                implementation_status: 'field_supported',
+                legal_disclaimer: "Mapping target only. The human_verifier field is typed as SubjectRef, which forces pseudonymisation per GDPR Article 4(5). Whether the pseudonymisation scheme is recoverable (and to whom) is a deployer policy decision outside the substrate's scope.",
+                source_citation: 'Regulation (EU) 2024/1689, Article 12(3)(d). Cross-references Article 14(5) on human oversight. Applies specifically to Annex III point 1(a) (biometric identification systems for natural persons).',
+            },
+        ],
+    },
+    {
+        framework: 'DORA',
+        framework_source: 'Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act), OJ L 333, 27.12.2022',
+        registry_version: 1,
+        last_reviewed: '2026-05-17',
+        entries: [
+            {
+                framework: 'DORA',
+                article: '8',
+                paragraph: '1',
+                obligation_id: 'dora.art8.1.identification_and_documentation',
+                regulatory_text: 'As part of the ICT risk management framework, financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['actor', 'session_id', 'reference_db_ref'],
+                event_type_mapping: [
+                    'runtime_lifecycle_event',
+                    'worker_assignment_event',
+                    'gateway_decision_event',
+                    'policy_check_event',
+                ],
+                verifier_expectation: 'Recorded events sufficient to reconstruct which ICT assets supported which business functions over the audit window — runtime starts/stops, worker assignments, gateway-level admission decisions, and policy gates applied — are present.',
+                implementation_status: 'designed_toward',
+                legal_disclaimer: "Mapping target only. Attestplane records ICT-asset-level events when adapters emit them; identification, classification, and documentation of business functions, asset criticality, and dependencies are deployer responsibilities outside the substrate's scope. The substrate is one component supporting a DORA Article 8(1) implementation, not the implementation itself.",
+                source_citation: 'Regulation (EU) 2022/2554, Article 8(1).',
+                notes: 'regulatory_text is a paraphrase pending final verification against OJ L 333, 27.12.2022; the substantive obligation is correctly summarised. Public-facing material citing this entry must include the legal_disclaimer per claims_policy.md.',
+            },
+            {
+                framework: 'DORA',
+                article: '8',
+                paragraph: '3',
+                obligation_id: 'dora.art8.3.classification_and_yearly_review',
+                regulatory_text: 'Information assets and ICT assets shall be classified by financial entities, with the classification reviewed as necessary and at least on a yearly basis.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['actor', 'reference_db_ref', 'human_verifier'],
+                event_type_mapping: [
+                    'policy_check_event',
+                    'human_approval_event',
+                    'state_transition_event',
+                ],
+                verifier_expectation: 'At least one event per calendar year exists per classified asset; events recording the yearly review carry a human_verifier when the review is human-led.',
+                implementation_status: 'designed_toward',
+                legal_disclaimer: "Mapping target only. The substrate can record classification-review events when they occur; whether the yearly cadence has been met is a deployer-side schedule discipline outside the substrate's enforcement scope.",
+                source_citation: 'Regulation (EU) 2022/2554, Article 8(3).',
+                notes: 'regulatory_text is a paraphrase pending final verification against OJ L 333, 27.12.2022.',
+            },
+            {
+                framework: 'DORA',
+                article: '8',
+                paragraph: '5',
+                obligation_id: 'dora.art8.5.privileged_access_inventory',
+                regulatory_text: 'Financial entities shall identify and document the user accounts, including those used by ICT third-party service providers, with privileged or administrative access.',
+                required_evidence_fields: ['event_type', 'timestamp', 'actor'],
+                optional_evidence_fields: ['subject_ref', 'human_verifier', 'session_id'],
+                event_type_mapping: [
+                    'policy_check_event',
+                    'gateway_decision_event',
+                    'state_transition_event',
+                ],
+                verifier_expectation: 'Events with administrative or privileged-access semantics carry the acting actor and, where applicable, a SubjectRef wrapper for the operator identity per GDPR Article 4(5) pseudonymisation.',
+                implementation_status: 'field_supported',
+                legal_disclaimer: 'Mapping target only. The actor field and SubjectRef type enable recording privileged-access events without storing raw identifiers; building and maintaining the inventory itself is a deployer responsibility.',
+                source_citation: 'Regulation (EU) 2022/2554, Article 8(5).',
+                notes: 'regulatory_text is a paraphrase pending final verification against OJ L 333, 27.12.2022.',
+            },
+            {
+                framework: 'DORA',
+                article: '8',
+                paragraph: '7',
+                obligation_id: 'dora.art8.7.third_party_dependency_mapping',
+                regulatory_text: 'Financial entities shall identify, on a continuous basis, all processes that are dependent on ICT third-party service providers and identify interconnections with ICT third-party service providers that provide services supporting critical or important functions.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['reference_db_ref', 'actor'],
+                event_type_mapping: [
+                    'tool_call_event',
+                    'gateway_decision_event',
+                    'runtime_lifecycle_event',
+                ],
+                verifier_expectation: 'Tool calls and gateway decisions involving external ICT third-party services are recorded as events with sufficient identifying refs to map the dependency.',
+                implementation_status: 'designed_toward',
+                legal_disclaimer: 'Mapping target only. The substrate records dependency-triggering events when adapters emit them; producing the mapping itself, identifying critical-or-important functions, and continuous maintenance of that mapping are deployer responsibilities.',
+                source_citation: 'Regulation (EU) 2022/2554, Article 8(7).',
+                notes: 'regulatory_text is a paraphrase pending final verification against OJ L 333, 27.12.2022.',
+            },
+            {
+                framework: 'DORA',
+                article: '8',
+                paragraph: '8',
+                obligation_id: 'dora.art8.8.records_of_third_party_arrangements',
+                regulatory_text: 'Financial entities shall maintain and update relevant records on the use of services provided by ICT third-party service providers, distinguishing between those supporting critical or important functions and other arrangements.',
+                required_evidence_fields: ['event_type', 'timestamp'],
+                optional_evidence_fields: ['reference_db_ref', 'actor', 'session_id'],
+                event_type_mapping: [
+                    'gateway_decision_event',
+                    'settlement_event',
+                    'tool_call_event',
+                    'lease_lifecycle_event',
+                ],
+                verifier_expectation: 'Events recording the use of an ICT third-party service carry a stable reference (reference_db_ref or actor) to the third-party arrangement; the append-only chain provides the maintenance-and-update audit trail.',
+                implementation_status: 'designed_toward',
+                legal_disclaimer: "Mapping target only. The substrate's append-only hash chain provides the record-keeping integrity layer; classifying arrangements as supporting critical-or-important functions and maintaining the canonical record under DORA Article 28 register-of-information are deployer responsibilities.",
+                source_citation: 'Regulation (EU) 2022/2554, Article 8(8). See also Article 28 (register of information on contractual arrangements).',
+                notes: 'regulatory_text is a paraphrase pending final verification against OJ L 333, 27.12.2022.',
+            },
+        ],
+    },
+];
+function cloneEntry(entry) {
+    return Object.freeze({
+        ...entry,
+        required_evidence_fields: Object.freeze([...entry.required_evidence_fields]),
+        optional_evidence_fields: Object.freeze([...entry.optional_evidence_fields]),
+        event_type_mapping: Object.freeze([...entry.event_type_mapping]),
+    });
+}
+function cloneRegistry(registry) {
+    return Object.freeze({
+        ...registry,
+        entries: Object.freeze(registry.entries.map((entry) => cloneEntry(entry))),
+    });
+}
+function registryByFramework(framework) {
+    const registry = REGISTRIES.find((item) => item.framework === framework);
+    if (registry === undefined) {
+        throw new ObligationRegistryError(`no registry for framework ${framework}`);
+    }
+    return cloneRegistry(registry);
+}
+export function loadEuAiActArticle12() {
+    return registryByFramework('EU AI Act');
+}
+export function loadDoraArticle8() {
+    return registryByFramework('DORA');
+}
+export function loadAllRegistries() {
+    return Object.freeze([loadEuAiActArticle12(), loadDoraArticle8()]);
+}
+export function obligationById(registry, obligationId) {
+    return registry.entries.find((entry) => entry.obligation_id === obligationId);
+}
+export function obligationsByEventType(registry, eventType) {
+    return Object.freeze(registry.entries.filter((entry) => entry.event_type_mapping.includes(eventType)));
+}
+export function obligationsByImplementationStatus(registry, status) {
+    return Object.freeze(registry.entries.filter((entry) => entry.implementation_status === status));
+}
+//# sourceMappingURL=obligations.js.map

package/dist/obligations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"obligations.js","sourceRoot":"","sources":["../src/obligations.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;;GAOG;AAgCH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,MAAM,UAAU,GAAwB;IACtC;QACE,SAAS,EAAE,WAAW;QACtB,gBAAgB,EACd,2MAA2M;QAC7M,gBAAgB,EAAE,CAAC;QACnB,aAAa,EAAE,YAAY;QAC3B,OAAO,EAAE;YACP;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,uCAAuC;gBACtD,eAAe,EACb,8HAA8H;gBAChI,wBAAwB,EAAE,EAAE;gBAC5B,wBAAwB,EAAE,EAAE;gBAC5B,kBAAkB,EAAE;oBAClB,iBAAiB;oBACjB,oBAAoB;oBACpB,sBAAsB;oBACtB,uBAAuB;oBACvB,cAAc;oBACd,kBAAkB;oBAClB,yBAAyB;oBACzB,yBAAyB;oBACzB,wBAAwB;oBACxB,wBAAwB;oBACxB,YAAY;oBACZ,eAAe;iBAChB;gBACD,oBAAoB,EAClB,4LAA4L;gBAC9L,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,wVAAwV;gBAC1V,eAAe,EAAE,2CAA2C;gBAC5D,KAAK,EACH,sFAAsF;aACzF;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,gDAAgD;gBAC/D,eAAe,EACb,0NAA0N;gBAC5N,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,YAAY,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;gBACjF,kBAAkB,EAAE;oBAClB,oBAAoB;oBACpB,wBAAwB;oBACxB,YAAY;oBACZ,yBAAyB;iBAC1B;gBACD,oBAAoB,EAClB,iLAAiL;gBACnL,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,wPAAwP;gBAC1P,eAAe,EAAE,8CAA8C;aAChE;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,2CAA2C;gBAC1D,eAAe,EACb,6IAA6I;gBAC/I,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,YAAY,CAAC;gBACxC,kBAAkB,EAAE;oBAClB,iBAAiB;oBACjB,oBAAoB;oBACpB,YAAY;oBACZ,wBAAwB;iBACzB;gBACD,oBAAoB,EAClB,uJAAuJ;gBACzJ,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,gMAAgM;gBAClM,eAAe,EAAE,8CAA8C;aAChE;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,yCAAyC;gBACxD,eAAe,EACb,yJAAyJ;gBAC3J,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,YAAY,CAAC;gBACxC,kBAAkB,EAAE;oBAClB,yBAAyB;oBACzB,wBAAwB;oBACxB,wBAAwB;oBACxB,iBAAiB;iBAClB;gBACD,oBAAoB,EAClB,8KAA8K;gBAChL,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,oMAAoM;gBACtM,eAAe,EAAE,8CAA8C;aAChE;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,uCAAuC;gBACtD,eAAe,EACb,oOAAoO;gBACtO,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,EAAE;gBAC5B,kBAAkB,EAAE,CAAC,yBAAyB,EAAE,wBAAwB,CAAC;gBACzE,oBAAoB,EAClB,kQAAkQ;gBACpQ,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,8PAA8P;gBAChQ,eAAe,EACb,mJAAmJ;aACtJ;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,uCAAuC;gBACtD,eAAe,EACb,yMAAyM;gBAC3M,wBAAwB,EAAE,CAAC,kBAAkB,CAAC;gBAC9C,wBAAwB,EAAE,CAAC,YAAY,CAAC;gBACxC,kBAAkB,EAAE,CAAC,YAAY,EAAE,oBAAoB,CAAC;gBACxD,oBAAoB,EAClB,yKAAyK;gBAC3K,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,6NAA6N;gBAC/N,eAAe,EACb,mJAAmJ;aACtJ;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,uCAAuC;gBACtD,eAAe,EACb,iLAAiL;gBACnL,wBAAwB,EAAE,CAAC,mBAAmB,CAAC;gBAC/C,wBAAwB,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;gBAC5D,kBAAkB,EAAE,CAAC,YAAY,CAAC;gBAClC,oBAAoB,EAClB,oKAAoK;gBACtK,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,qPAAqP;gBACvP,eAAe,EACb,mJAAmJ;aACtJ;YACD;gBACE,SAAS,EAAE,WAAW;gBACtB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM;gBACjB,aAAa,EAAE,mCAAmC;gBAClD,eAAe,EACb,iPAAiP;gBACnP,wBAAwB,EAAE,CAAC,gBAAgB,CAAC;gBAC5C,wBAAwB,EAAE,CAAC,YAAY,CAAC;gBACxC,kBAAkB,EAAE,CAAC,sBAAsB,EAAE,YAAY,CAAC;gBAC1D,oBAAoB,EAClB,gPAAgP;gBAClP,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,0PAA0P;gBAC5P,eAAe,EACb,sMAAsM;aACzM;SACF;KACF;IACD;QACE,SAAS,EAAE,MAAM;QACjB,gBAAgB,EACd,mNAAmN;QACrN,gBAAgB,EAAE,CAAC;QACnB,aAAa,EAAE,YAAY;QAC3B,OAAO,EAAE;YACP;gBACE,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,GAAG;gBACZ,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,8CAA8C;gBAC7D,eAAe,EACb,iTAAiT;gBACnT,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,kBAAkB,CAAC;gBACrE,kBAAkB,EAAE;oBAClB,yBAAyB;oBACzB,yBAAyB;oBACzB,wBAAwB;oBACxB,oBAAoB;iBACrB;gBACD,oBAAoB,EAClB,4OAA4O;gBAC9O,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,iXAAiX;gBACnX,eAAe,EAAE,0CAA0C;gBAC3D,KAAK,EACH,+OAA+O;aAClP;YACD;gBACE,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,GAAG;gBACZ,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,8CAA8C;gBAC7D,eAAe,EACb,4JAA4J;gBAC9J,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,CAAC;gBACzE,kBAAkB,EAAE;oBAClB,oBAAoB;oBACpB,sBAAsB;oBACtB,wBAAwB;iBACzB;gBACD,oBAAoB,EAClB,2JAA2J;gBAC7J,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,uNAAuN;gBACzN,eAAe,EAAE,0CAA0C;gBAC3D,KAAK,EACH,0FAA0F;aAC7F;YACD;gBACE,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,GAAG;gBACZ,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,yCAAyC;gBACxD,eAAe,EACb,wKAAwK;gBAC1K,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,OAAO,CAAC;gBAC9D,wBAAwB,EAAE,CAAC,aAAa,EAAE,gBAAgB,EAAE,YAAY,CAAC;gBACzE,kBAAkB,EAAE;oBAClB,oBAAoB;oBACpB,wBAAwB;oBACxB,wBAAwB;iBACzB;gBACD,oBAAoB,EAClB,gMAAgM;gBAClM,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,iNAAiN;gBACnN,eAAe,EAAE,0CAA0C;gBAC3D,KAAK,EACH,0FAA0F;aAC7F;YACD;gBACE,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,GAAG;gBACZ,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,4CAA4C;gBAC3D,eAAe,EACb,wQAAwQ;gBAC1Q,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,kBAAkB,EAAE,OAAO,CAAC;gBACvD,kBAAkB,EAAE;oBAClB,iBAAiB;oBACjB,wBAAwB;oBACxB,yBAAyB;iBAC1B;gBACD,oBAAoB,EAClB,6JAA6J;gBAC/J,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,uPAAuP;gBACzP,eAAe,EAAE,0CAA0C;gBAC3D,KAAK,EACH,0FAA0F;aAC7F;YACD;gBACE,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,GAAG;gBACZ,SAAS,EAAE,GAAG;gBACd,aAAa,EAAE,iDAAiD;gBAChE,eAAe,EACb,qOAAqO;gBACvO,wBAAwB,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC;gBACrD,wBAAwB,EAAE,CAAC,kBAAkB,EAAE,OAAO,EAAE,YAAY,CAAC;gBACrE,kBAAkB,EAAE;oBAClB,wBAAwB;oBACxB,kBAAkB;oBAClB,iBAAiB;oBACjB,uBAAuB;iBACxB;gBACD,oBAAoB,EAClB,oNAAoN;gBACtN,qBAAqB,EAAE,iBAAiB;gBACxC,gBAAgB,EACd,mSAAmS;gBACrS,eAAe,EACb,qHAAqH;gBACvH,KAAK,EACH,0FAA0F;aAC7F;SACF;KACF;CACqC,CAAC;AAEzC,SAAS,UAAU,CAAC,KAAsB;IACxC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,GAAG,KAAK;QACR,wBAAwB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5E,wBAAwB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5E,kBAAkB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,kBAAkB,CAAC,CAAC;KACjE,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,QAAkB;IACvC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,GAAG,QAAQ;QACX,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;KAC3E,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,SAAiB;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IACzE,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,IAAI,uBAAuB,CAAC,6BAA6B,SAAS,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,mBAAmB,CAAC,WAAW,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,QAAkB,EAClB,YAAoB;IAEpB,OAAO,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,aAAa,KAAK,YAAY,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,QAAkB,EAClB,SAAiB;IAEjB,OAAO,MAAM,CAAC,MAAM,CAClB,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CACjF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,QAAkB,EAClB,MAA4B;IAE5B,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,qBAAqB,KAAK,MAAM,CAAC,CAAC,CAAC;AACnG,CAAC"}