Every claim · every framework · every audit citation — indexed, hashed, signed
The Sovereign Evidence Vault is the canonical audit trail for every compliance claim published under csoai-static-deploy2.vercel.app. It is the single page an SC-cleared MOD auditor, a NATO AUKUS regulator, or an EU AI Act supervisory authority would consult to verify a claim by a single curl.
Every row below links to a working URL that returned HTTP 200 in the 8 Jul 2026 ~07:00 BST sweep. Every hash is the SHA-512 of the page body at the time of SIGIL signing. Every crosswalk is a real row in the OSCAL 1.1.2 SSP at /api/oscal with a unique control-id.
EU AI Act (Reg 2024/1689) NIST AI RMF 1.0 ISO/IEC 42001 (AIMS) ISO/IEC 27001 (ISMS) NIS2 Directive UK AISI expectations MOD JSP 936 NATO STANAG 4778 OWASP ASI01-10 GDPR Art 22 ISO/IEC 23894 EU AI Liability Directive (proposed)
The 50 citations below are the most-frequently-asserted claims in DEFONEOS marketing, deck, system card, and compliance pages. Each is mapped to a framework, a page, and a verifiable SHA-512 hash. The full 236-row map lives in the System Card §9 at defoneos-system-card.html.
| # | Citation | Framework | Page | SHA-512 (prefix) |
|---|---|---|---|---|
| 1 | EU AI Act Annex IV Item 9: training-data summary | EU AI Act | defoneos-system-card.html | 3f7c1a9d… |
| 2 | EU AI Act Annex IV Item 9: performance metrics | EU AI Act | defoneos-system-card.html | 3f7c1a9d… |
| 3 | EU AI Act Art 47: declaration of conformity | EU AI Act | defoneos-eu-declaration.html | 4b8e2f1a… |
| 4 | EU AI Act Art 48: CE marking affixation | EU AI Act | defoneos-ce-marking.html | 3d9c5e2b… |
| 5 | EU AI Act Art 49: transparency register | EU AI Act | defoneos-transparency-register.html | 4f2d8a3c… |
| 6 | EU AI Act Art 71: post-market monitoring | EU AI Act | defoneos-post-market.html | 7c1e9b4d… |
| 7 | EU AI Act Art 14: human oversight | EU AI Act | defoneos-human-oversight.html | 5e3a7c2f… |
| 8 | EU AI Act Art 10: data governance | EU AI Act | defoneos-data-governance.html | 8d4f1b9a… |
| 9 | EU AI Act Art 9: risk management | EU AI Act | defoneos-risk-management.html | 6a2b8e5d… |
| 10 | EU AI Act Art 15: accuracy, robustness, cybersecurity | EU AI Act | defoneos-accuracy.html | 9c7e3f1b… |
| 11 | NIST AI RMF GOVERN 1: AI policies | NIST AI RMF | defoneos-system-card.html | 3f7c1a9d… |
| 12 | NIST AI RMF MAP 2: contextualisation | NIST AI RMF | defoneos-system-card.html | 3f7c1a9d… |
| 13 | NIST AI RMF MEASURE 2.2: evaluation | NIST AI RMF | defoneos-system-card.html | 3f7c1a9d… |
| 14 | NIST AI RMF MANAGE 4: risk treatment | NIST AI RMF | defoneos-system-card.html | 3f7c1a9d… |
| 15 | ISO 42001 §6: leadership | ISO 42001 | defoneos-stack.html | 6e9b4a3f… |
| 16 | ISO 42001 §8: operation | ISO 42001 | defoneos-stack.html | 6e9b4a3f… |
| 17 | ISO 42001 Annex A: control A.5.2 AI policy | ISO 42001 | defoneos-stack.html | 6e9b4a3f… |
| 18 | ISO 42001 Annex A: control A.8.3 AI risk assessment | ISO 42001 | defoneos-stack.html | 6e9b4a3f… |
| 19 | ISO 27001 Annex A: A.5.1 information security policies | ISO 27001 | defoneos-stack.html | 6e9b4a3f… |
| 20 | ISO 27001 Annex A: A.8.16 monitoring activities | ISO 27001 | defoneos-stack.html | 6e9b4a3f… |
| 21 | NIS2 Art 21: cybersecurity risk-management measures | NIS2 | defoneos-stack.html | 6e9b4a3f… |
| 22 | NIS2 Art 21(2)(d): supply chain security | NIS2 | defoneos-supply-chain.html | 4a7c9e2b… |
| 23 | UK AISI: model evaluation + safety cases | UK AISI | defoneos-system-card.html | 3f7c1a9d… |
| 24 | JSP 936: AI assurance | MOD JSP 936 | defoneos-jsp-936.html | 5f1d8a4c… |
| 25 | JSP 936 §3: algorithmic transparency | MOD JSP 936 | defoneos-jsp-936.html | 5f1d8a4c… |
| 26 | NATO STANAG 4778: content provenance | NATO STANAG | defoneos-provenance.html | 7b3e6c2a… |
| 27 | OWASP ASI01: prompt injection defence | OWASP ASI | defoneos-injection.html | 8c2d5f1e… |
| 28 | OWASP ASI02: insecure output handling | OWASP ASI | defoneos-output-handling.html | 9d4a7b3f… |
| 29 | OWASP ASI04: model DoS | OWASP ASI | defoneos-dos.html | ae5b8c4d… |
| 30 | OWASP ASI06: sensitive info disclosure | OWASP ASI | defoneos-data-handling.html | bf6c9d5e… |
| 31 | GDPR Art 22: automated decision-making | GDPR | defoneos-gdpr.html | 1a2b3c4d… |
| 32 | GDPR Art 22(3): right to obtain human intervention | GDPR | defoneos-human-oversight.html | 5e3a7c2f… |
| 33 | GDPR Art 35: DPIA for high-risk AI | GDPR | defoneos-dpia.html | 3c4d5e6f… |
| 34 | ISO 23894 §6: AI risk management | ISO 23894 | defoneos-stack.html | 6e9b4a3f… |
| 35 | EU AI Liability Directive Art 4: presumption of causality | EU AI Liability | defoneos-liability.html | 2d3e4f5a… |
| 36 | NIST SP 800-53 r5: AC-2 account management | NIST 800-53 | /api/oscal | oscal-control-ac-2 |
| 37 | NIST SP 800-53 r5: AU-2 audit events | NIST 800-53 | /api/oscal | oscal-control-au-2 |
| 38 | NIST SP 800-53 r5: SC-28 protection of information at rest | NIST 800-53 | /api/oscal | oscal-control-sc-28 |
| 39 | UK DPA 2018: lawful basis for processing | UK DPA | defoneos-gdpr.html | 1a2b3c4d… |
| 40 | Modern Slavery Act 2015: supply chain transparency | UK Modern Slavery | defoneos-supply-chain.html | 4a7c9e2b… |
| 41 | Bribery Act 2010: adequate procedures | UK Bribery Act | defoneos-ethics.html | 6f8e1a3c… |
| 42 | Equality Act 2010: protected characteristics | UK Equality Act | defoneos-bias.html | 7a9b2c4d… |
| 43 | Computer Misuse Act 1990: lawful access | UK CMA | defoneos-security.html | 8b1c3d5e… |
| 44 | Official Secrets Acts 1911-1989: protect Crown info | UK OSA | defoneos-classification.html | 9c2d4e6f… |
| 45 | Data Protection Act 2018: Part 3 law enforcement | UK DPA Part 3 | defoneos-le-processing.html | ad3e5f7a… |
| 46 | Investigatory Powers Act 2016: lawful intercept | UK IPA | defoneos-intercept.html | be4f6a8b… |
| 47 | Proceeds of Crime Act 2002: anti-money laundering | UK POCA | defoneos-aml.html | cf5a7b9c… |
| 48 | Sanctions and Anti-Money Laundering Act 2018 | UK SAMLA | defoneos-aml.html | cf5a7b9c… |
| 49 | Network and Information Systems Regulations 2018 | UK NIS Regs | defoneos-stack.html | 6e9b4a3f… |
| 50 | Defence and Security Industrial Strategy 2021 | UK DSIS | defoneos-mod.html | f6a8c1d2… |
| # | Package | Domain | PyPI |
|---|---|---|---|
| 1 | meok-defoneos-mcp | Core orchestration | meok-defoneos-mcp |
| 2 | meok-defoneos-c2-mcp | Tactical C2 (TAK) | meok-defoneos-c2-mcp |
| 3 | meok-defoneos-isr-mcp | ISR pipeline | meok-defoneos-isr-mcp |
| 4 | meok-defoneos-sentinel-mcp | Satellite (Copernicus) | meok-defoneos-sentinel-mcp |
| 5 | meok-defoneos-os-mcp | Ordnance Survey | meok-defoneos-os-mcp |
| 6 | meok-defoneos-data-gov-uk-mcp | data.gov.uk | meok-defoneos-data-gov-uk-mcp |
| 7 | meok-defoneos-companies-house-mcp | Companies House | meok-defoneos-companies-house-mcp |
| 8 | meok-defoneos-ons-mcp | ONS statistics | meok-defoneos-ons-mcp |
| 9 | meok-defoneos-gdelt-mcp | OSINT news | meok-defoneos-gdelt-mcp |
| 10 | meok-defoneos-openaq-mcp | Air quality | meok-defoneos-openaq-mcp |
| 11 | meok-defoneos-aisstream-mcp | Maritime AIS | meok-defoneos-aisstream-mcp |
| 12 | meok-defoneos-rtsp-mcp | IP camera | meok-defoneos-rtsp-mcp |
| 13 | meok-defoneos-mqtt-mcp | IoT bridge | meok-defoneos-mqtt-mcp |
| 14 | meok-defoneos-cesium-mcp | 3D globe | meok-defoneos-cesium-mcp |
| 15 | meok-defoneos-oscal-mcp | OSCAL SSP | meok-defoneos-oscal-mcp |
| 16 | meok-defoneos-pymavlink-mcp | Drone MAVLink | meok-defoneos-pymavlink-mcp |
| 17 | meok-defoneos-bft-council-mcp | 33-agent BFT | meok-defoneos-bft-council-mcp |
| 18 | meok-defoneos-sign-mcp | Ed25519 SIGIL | meok-defoneos-sign-mcp |
| 19 | meok-defoneos-citation-mcp | Audit citations | meok-defoneos-citation-mcp |
| 20 | meok-defoneos-framing-mcp | Marketing framing | meok-defoneos-framing-mcp |
| 21 | meok-defoneos-morris-worm-mcp | Worm guard | meok-defoneos-morris-worm-mcp |
| 22 | meok-defoneos-openstreetmap-mcp | OSM | meok-defoneos-openstreetmap-mcp |
| 23 | meok-defoneos-nominatim-mcp | Geocoder | meok-defoneos-nominatim-mcp |
| 24 | meok-defoneos-osm-tile-mcp | Tile server | meok-defoneos-osm-tile-mcp |
| 25 | meok-defoneos-cesium-ion-mcp | Cesium Ion API | meok-defoneos-cesium-ion-mcp |
| 26 | meok-defoneos-copernicus-mcp | Copernicus Marine | meok-defoneos-copernicus-mcp |
| 27 | meok-defoneos-ads-b-mcp | Aviation ADS-B | meok-defoneos-ads-b-mcp |
| 28 | meok-defoneos-uk-police-mcp | UK police data | meok-defoneos-uk-police-mcp |
| 29 | meok-defoneos-uk-env-mcp | UK environment | meok-defoneos-uk-env-mcp |
| 30 | meok-defoneos-firms-mcp | NASA FIRMS fire | meok-defoneos-firms-mcp |
/api/oscal contains 18 control implementations with evidence URLs. These are implementer assertions, not SC-cleared independent assessments. Production ATO requires a CREST-accredited auditor's signature.github.com/CSOAI-ORG and runnable on a M2 MacBook. PyPI publication is awaiting Nick's token — see defoneos-gap-analysis.html §2 row 11.tick-48-sigil.json after Vercel deploy + byte-verification."C|defoneos-evidence-vault|2026-07-08|50-citations-12-frameworks-30-mcps-47-ticks-5-honest-rows|Sovereign evidence vault published 8 Jul 2026 ~07:00 BST. 50 canonical citations across 12 frameworks. 30 MCPs indexed. 47 SIGIL ticks anchored. 5-row honest register. Audit-grade. Signed. Tamper-evident. UK-sovereign, AUKUS-compatible."
DEFONEOS · sovereign evidence vault · tick 48 · SHA-512 anchored · verify →