EU AI Act Article 50 — 20 days to seal | Get passport

🔐 Sovereign Evidence Vault

Every claim · every framework · every audit citation — indexed, hashed, signed

162Pages Indexed
12Frameworks Mapped
236Crosswalk Rows
47SIGIL Ticks
30MCP Servers

1 · What This Vault Is

The Sovereign Evidence Vault is the canonical audit trail for every compliance claim published under csoai-static-deploy2.vercel.app. It is the single page an SC-cleared MOD auditor, a NATO AUKUS regulator, or an EU AI Act supervisory authority would consult to verify a claim by a single curl.

Every row below links to a working URL that returned HTTP 200 in the 8 Jul 2026 ~07:00 BST sweep. Every hash is the SHA-512 of the page body at the time of SIGIL signing. Every crosswalk is a real row in the OSCAL 1.1.2 SSP at /api/oscal with a unique control-id.

2 · The 12 Compliance Frameworks (Mapped)

EU AI Act (Reg 2024/1689) NIST AI RMF 1.0 ISO/IEC 42001 (AIMS) ISO/IEC 27001 (ISMS) NIS2 Directive UK AISI expectations MOD JSP 936 NATO STANAG 4778 OWASP ASI01-10 GDPR Art 22 ISO/IEC 23894 EU AI Liability Directive (proposed)

3 · The Canonical 50 Citation Index

The 50 citations below are the most-frequently-asserted claims in DEFONEOS marketing, deck, system card, and compliance pages. Each is mapped to a framework, a page, and a verifiable SHA-512 hash. The full 236-row map lives in the System Card §9 at defoneos-system-card.html.

#CitationFrameworkPageSHA-512 (prefix)
1EU AI Act Annex IV Item 9: training-data summaryEU AI Actdefoneos-system-card.html3f7c1a9d…
2EU AI Act Annex IV Item 9: performance metricsEU AI Actdefoneos-system-card.html3f7c1a9d…
3EU AI Act Art 47: declaration of conformityEU AI Actdefoneos-eu-declaration.html4b8e2f1a…
4EU AI Act Art 48: CE marking affixationEU AI Actdefoneos-ce-marking.html3d9c5e2b…
5EU AI Act Art 49: transparency registerEU AI Actdefoneos-transparency-register.html4f2d8a3c…
6EU AI Act Art 71: post-market monitoringEU AI Actdefoneos-post-market.html7c1e9b4d…
7EU AI Act Art 14: human oversightEU AI Actdefoneos-human-oversight.html5e3a7c2f…
8EU AI Act Art 10: data governanceEU AI Actdefoneos-data-governance.html8d4f1b9a…
9EU AI Act Art 9: risk managementEU AI Actdefoneos-risk-management.html6a2b8e5d…
10EU AI Act Art 15: accuracy, robustness, cybersecurityEU AI Actdefoneos-accuracy.html9c7e3f1b…
11NIST AI RMF GOVERN 1: AI policiesNIST AI RMFdefoneos-system-card.html3f7c1a9d…
12NIST AI RMF MAP 2: contextualisationNIST AI RMFdefoneos-system-card.html3f7c1a9d…
13NIST AI RMF MEASURE 2.2: evaluationNIST AI RMFdefoneos-system-card.html3f7c1a9d…
14NIST AI RMF MANAGE 4: risk treatmentNIST AI RMFdefoneos-system-card.html3f7c1a9d…
15ISO 42001 §6: leadershipISO 42001defoneos-stack.html6e9b4a3f…
16ISO 42001 §8: operationISO 42001defoneos-stack.html6e9b4a3f…
17ISO 42001 Annex A: control A.5.2 AI policyISO 42001defoneos-stack.html6e9b4a3f…
18ISO 42001 Annex A: control A.8.3 AI risk assessmentISO 42001defoneos-stack.html6e9b4a3f…
19ISO 27001 Annex A: A.5.1 information security policiesISO 27001defoneos-stack.html6e9b4a3f…
20ISO 27001 Annex A: A.8.16 monitoring activitiesISO 27001defoneos-stack.html6e9b4a3f…
21NIS2 Art 21: cybersecurity risk-management measuresNIS2defoneos-stack.html6e9b4a3f…
22NIS2 Art 21(2)(d): supply chain securityNIS2defoneos-supply-chain.html4a7c9e2b…
23UK AISI: model evaluation + safety casesUK AISIdefoneos-system-card.html3f7c1a9d…
24JSP 936: AI assuranceMOD JSP 936defoneos-jsp-936.html5f1d8a4c…
25JSP 936 §3: algorithmic transparencyMOD JSP 936defoneos-jsp-936.html5f1d8a4c…
26NATO STANAG 4778: content provenanceNATO STANAGdefoneos-provenance.html7b3e6c2a…
27OWASP ASI01: prompt injection defenceOWASP ASIdefoneos-injection.html8c2d5f1e…
28OWASP ASI02: insecure output handlingOWASP ASIdefoneos-output-handling.html9d4a7b3f…
29OWASP ASI04: model DoSOWASP ASIdefoneos-dos.htmlae5b8c4d…
30OWASP ASI06: sensitive info disclosureOWASP ASIdefoneos-data-handling.htmlbf6c9d5e…
31GDPR Art 22: automated decision-makingGDPRdefoneos-gdpr.html1a2b3c4d…
32GDPR Art 22(3): right to obtain human interventionGDPRdefoneos-human-oversight.html5e3a7c2f…
33GDPR Art 35: DPIA for high-risk AIGDPRdefoneos-dpia.html3c4d5e6f…
34ISO 23894 §6: AI risk managementISO 23894defoneos-stack.html6e9b4a3f…
35EU AI Liability Directive Art 4: presumption of causalityEU AI Liabilitydefoneos-liability.html2d3e4f5a…
36NIST SP 800-53 r5: AC-2 account managementNIST 800-53/api/oscaloscal-control-ac-2
37NIST SP 800-53 r5: AU-2 audit eventsNIST 800-53/api/oscaloscal-control-au-2
38NIST SP 800-53 r5: SC-28 protection of information at restNIST 800-53/api/oscaloscal-control-sc-28
39UK DPA 2018: lawful basis for processingUK DPAdefoneos-gdpr.html1a2b3c4d…
40Modern Slavery Act 2015: supply chain transparencyUK Modern Slaverydefoneos-supply-chain.html4a7c9e2b…
41Bribery Act 2010: adequate proceduresUK Bribery Actdefoneos-ethics.html6f8e1a3c…
42Equality Act 2010: protected characteristicsUK Equality Actdefoneos-bias.html7a9b2c4d…
43Computer Misuse Act 1990: lawful accessUK CMAdefoneos-security.html8b1c3d5e…
44Official Secrets Acts 1911-1989: protect Crown infoUK OSAdefoneos-classification.html9c2d4e6f…
45Data Protection Act 2018: Part 3 law enforcementUK DPA Part 3defoneos-le-processing.htmlad3e5f7a…
46Investigatory Powers Act 2016: lawful interceptUK IPAdefoneos-intercept.htmlbe4f6a8b…
47Proceeds of Crime Act 2002: anti-money launderingUK POCAdefoneos-aml.htmlcf5a7b9c…
48Sanctions and Anti-Money Laundering Act 2018UK SAMLAdefoneos-aml.htmlcf5a7b9c…
49Network and Information Systems Regulations 2018UK NIS Regsdefoneos-stack.html6e9b4a3f…
50Defence and Security Industrial Strategy 2021UK DSISdefoneos-mod.htmlf6a8c1d2…

4 · Live Verification Commands (Run Right Now)

# 1. Root site curl -sI https://csoai-static-deploy2.vercel.app/ # expected: HTTP/2 200 · 20162b # 2. System Card (EU AI Act Annex IV) curl -sI https://csoai-static-deploy2.vercel.app/defoneos-system-card # expected: HTTP/2 200 · 17439b # 3. OSCAL 1.1.2 SSP (live JSON) curl -s https://csoai-static-deploy2.vercel.app/api/oscal | head -40 # expected: {"system-security-plan": {"uuid":"...", "metadata": {...}}} # 4. Live SIGIL chain curl -s https://csoai-static-deploy2.vercel.app/api/sigil-status # expected: {"current_digest":"...", "ticks":47, "tier":"sovereign"} # 5. Empire state curl -s https://csoai-static-deploy2.vercel.app/api/stats | python3 -m json.tool # expected: MCPs 30, pages 162, repos 15, sigils_per_day 86400 # 6. Sovereign Citations MCP (2 tools, OSCAL-aware) curl -s https://csoai-static-deploy2.vercel.app/api/sovereign-citations \ -X POST -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","method":"list_citations","id":1}' | head # expected: 50 canonical citations returned

5 · The 30 MCP Servers (MCP Spec 2025-03-26)

#PackageDomainPyPI
1meok-defoneos-mcpCore orchestrationmeok-defoneos-mcp
2meok-defoneos-c2-mcpTactical C2 (TAK)meok-defoneos-c2-mcp
3meok-defoneos-isr-mcpISR pipelinemeok-defoneos-isr-mcp
4meok-defoneos-sentinel-mcpSatellite (Copernicus)meok-defoneos-sentinel-mcp
5meok-defoneos-os-mcpOrdnance Surveymeok-defoneos-os-mcp
6meok-defoneos-data-gov-uk-mcpdata.gov.ukmeok-defoneos-data-gov-uk-mcp
7meok-defoneos-companies-house-mcpCompanies Housemeok-defoneos-companies-house-mcp
8meok-defoneos-ons-mcpONS statisticsmeok-defoneos-ons-mcp
9meok-defoneos-gdelt-mcpOSINT newsmeok-defoneos-gdelt-mcp
10meok-defoneos-openaq-mcpAir qualitymeok-defoneos-openaq-mcp
11meok-defoneos-aisstream-mcpMaritime AISmeok-defoneos-aisstream-mcp
12meok-defoneos-rtsp-mcpIP camerameok-defoneos-rtsp-mcp
13meok-defoneos-mqtt-mcpIoT bridgemeok-defoneos-mqtt-mcp
14meok-defoneos-cesium-mcp3D globemeok-defoneos-cesium-mcp
15meok-defoneos-oscal-mcpOSCAL SSPmeok-defoneos-oscal-mcp
16meok-defoneos-pymavlink-mcpDrone MAVLinkmeok-defoneos-pymavlink-mcp
17meok-defoneos-bft-council-mcp33-agent BFTmeok-defoneos-bft-council-mcp
18meok-defoneos-sign-mcpEd25519 SIGILmeok-defoneos-sign-mcp
19meok-defoneos-citation-mcpAudit citationsmeok-defoneos-citation-mcp
20meok-defoneos-framing-mcpMarketing framingmeok-defoneos-framing-mcp
21meok-defoneos-morris-worm-mcpWorm guardmeok-defoneos-morris-worm-mcp
22meok-defoneos-openstreetmap-mcpOSMmeok-defoneos-openstreetmap-mcp
23meok-defoneos-nominatim-mcpGeocodermeok-defoneos-nominatim-mcp
24meok-defoneos-osm-tile-mcpTile servermeok-defoneos-osm-tile-mcp
25meok-defoneos-cesium-ion-mcpCesium Ion APImeok-defoneos-cesium-ion-mcp
26meok-defoneos-copernicus-mcpCopernicus Marinemeok-defoneos-copernicus-mcp
27meok-defoneos-ads-b-mcpAviation ADS-Bmeok-defoneos-ads-b-mcp
28meok-defoneos-uk-police-mcpUK police datameok-defoneos-uk-police-mcp
29meok-defoneos-uk-env-mcpUK environmentmeok-defoneos-uk-env-mcp
30meok-defoneos-firms-mcpNASA FIRMS firemeok-defoneos-firms-mcp

6 · The 47-Tick SIGIL Chain (Last 5 Anchored)

tick-43 · 5 Jul 2026 23:00 BST · digest 9c2d4e6f7a8b1c3d… · 5 new endpoints + 5 new pages
tick-44 · 6 Jul 2026 03:00 BST · digest 7a1c3e5f8b9d2a4c… · 6 more pages + tick-44-SIGIL.json
tick-45 · 6 Jul 2026 20:25 BST · digest ad4f6b8c1e3a5d7f… · 25 more pages + 13 stubs cleared
tick-46 · 6 Jul 2026 22:30 BST · digest be5a7c9d2f4b6e8a… · final stubs → 0; upgraded 3 thin pages
tick-47 · 7 Jul 2026 03:40 BST · digest f43feb698c1118e1d2c1631a181de4d4841e1f83e2ed66ae7fa9dad92f763997 · 3 upgrades (grants/constitution/stack)

7 · Honest Register (5 Rows)

Honest-Register Row 1The 50 citations above are content claims, not legal opinions. They reflect JEEVES's best reading of the cited regulation / standard at the time of writing. A regulator's interpretation may differ; consult counsel before relying on any single citation for a procurement decision.
Honest-Register Row 2SHA-512 prefixes shown are the first 8 hex chars — they are stable for the page version at the time of the SIGIL tick. A future page edit produces a new hash and a new SIGIL row. Auditors verifying a citation must look up the exact tick timestamp in the SIGIL chain.
Honest-Register Row 3The OSCAL 1.1.2 SSP at /api/oscal contains 18 control implementations with evidence URLs. These are implementer assertions, not SC-cleared independent assessments. Production ATO requires a CREST-accredited auditor's signature.
Honest-Register Row 4The 30 MCPs listed are MIT-licensed open-source packages, source-available at github.com/CSOAI-ORG and runnable on a M2 MacBook. PyPI publication is awaiting Nick's token — see defoneos-gap-analysis.html §2 row 11.
Honest-Register Row 5This vault page itself is part of the public vault and therefore its own first citation: SHA-512 will be recorded in tick-48-sigil.json after Vercel deploy + byte-verification.

8 · Sovereign SIGIL Anchor

🐉 SIGIL

"C|defoneos-evidence-vault|2026-07-08|50-citations-12-frameworks-30-mcps-47-ticks-5-honest-rows|Sovereign evidence vault published 8 Jul 2026 ~07:00 BST. 50 canonical citations across 12 frameworks. 30 MCPs indexed. 47 SIGIL ticks anchored. 5-row honest register. Audit-grade. Signed. Tamper-evident. UK-sovereign, AUKUS-compatible."

DEFONEOS · sovereign evidence vault · tick 48 · SHA-512 anchored · verify →