Evidence Room Index
A buyer-safe evidence-room map for DEFONEOS: which proof object to send, which claims are live, which are draft, and which require Nick as the owner gate.
Evidence-room purpose
A buyer should not need to trawl 200 pages. This index turns the DEFONEOS estate into a clean evidence room: what exists, what it proves, what is draft, and what needs owner validation.
- Use this page when a buyer asks for proof, security, route to procurement, or governance.
- Send the smallest evidence bundle that answers the question. Do not send the whole estate.
- Mark every artefact as live, draft, illustrative, or owner-gated.
- Keep sensitive operational material out of public links.
- Use the honesty status column when writing emails.
Evidence-room shelf map
The shelf map is the default order for a buyer due-diligence folder.
| Shelf | Contents | Status |
|---|---|---|
| Identity and supplier | Company number, public contact, registered office, domain ownership, responsible owner | Owner verified before send |
| Security posture | Cyber Essentials status, CE Plus plan, retention controls, access controls, incident path | Human-gated for CE certification |
| AI governance | JSP 936 mapping, human oversight, transparency, red-line register, BFT governance route | Designed and documented |
| Technical proof | MCP registry, 240-test references where available, Vercel byte-verification, deployment logs | Live pages plus local evidence |
| Commercial | Pricing card, 90-day pilot SoW, payment milestones, procurement vehicles | Draft unless buyer validates route |
| Case studies | Illustrative public-service scenarios, no classified or sensitive operational data | Illustrative only |
| Provenance | SIGIL files, SHA hashes, sitemap entries, C2PA-ready media notes | Local plus ledger when reachable |
| Owner gates | DSP, SC, CE Plus, DASA, DIANA, UKDI, first send | Nick action required |
Core links to send
These are the links most likely to move a buyer from curiosity to validation.
- Launch surface: https://csoai-static-deploy2.vercel.app/defoneos
- Evidence vault: https://csoai-static-deploy2.vercel.app/defoneos-evidence-vault
- JSP 936 page: https://csoai-static-deploy2.vercel.app/defoneos-jsp936
- Procurement vehicles: https://csoai-static-deploy2.vercel.app/defoneos-10-procurement-vehicles
- Pricing card: https://csoai-static-deploy2.vercel.app/defoneos-mod-pricing-card-onepager
- Pilot SoW: https://csoai-static-deploy2.vercel.app/defoneos-mod-90-day-sovereign-pilot-sow
- Follow-up sequence: https://csoai-static-deploy2.vercel.app/defoneos-mod-48h-follow-up-sequence
Evidence bundle recipes
Send one of these bundles instead of improvising.
| Buyer question | Bundle | Email line |
|---|---|---|
| Can this pass governance | JSP 936, AI governance, red-line register, evidence vault | The governance layer is designed first. These links show the control map and the honesty register. |
| What does it cost | Pricing card, 90-day pilot SoW, deal economics | The cleanest route is a capped 90-day pilot with explicit milestones. |
| Is it sovereign | Sovereignty page, deployment comparison, data room index | The surface is UK-sovereign by design and separates public facts from owner-gated evidence. |
| Can we see a demo | Live demo fallback script, digital twin page, sensor layer | The public demo is intentionally non-sensitive and excludes personal surveillance. |
| Who signs assurance | BFT council page, DEFONEOS-SEAL register, honesty register | The credential is not issued without quorum. This page shows the route, not a false certificate. |
Due-diligence checklist
Before sending an evidence-room bundle, run these checks.
- All links return HTTP 200 from the canonical Vercel alias.
- No link claims a third-party certification that has not been granted.
- No link contains Dagon, Terranova, CSGA, James Castle, or defonos.io contamination.
- No page includes kinetic targeting, personal surveillance, or controlled technical data.
- The buyer receives a clear owner next step, not a vague browse request.
Evidence-room manifest block
Paste this into a buyer email when asked for proof.
DEFONEOS evidence room — public links only 1. Governance: /defoneos-jsp936 and /defoneos-compliance-crosswalk 2. Security posture: /defoneos-security and /defoneos-threat-model 3. Sovereignty: /defoneos-sovereignty and /defoneos-deployment-comparison 4. Commercial: /defoneos-mod-pricing-card-onepager and /defoneos-mod-90-day-sovereign-pilot-sow 5. Pilot route: /defoneos-mod-meeting-notes-to-sow 6. Provenance: /defoneos-evidence-vault and tick-67-sigil.json Honesty: live public evidence, draft commercial route, owner-gated certifications, no endorsement claim.
Byte-verification protocol
Before sending a buyer to an artefact, verify that the canonical alias serves the same bytes as the local file. This avoids the stale-alias trap.
cd /Users/nicholas/clawd/csoai-static-deploy2
for p in defoneos-mod-pricing-card-onepager.html defoneos-mod-90-day-sovereign-pilot-sow.html defoneos-mod-meeting-notes-to-sow.html; do
local_bytes=$(wc -c < "$p")
remote_bytes=$(curl -sL "https://csoai-static-deploy2.vercel.app/${p%.html}" | wc -c)
code=$(curl -sL -o /dev/null -w "%{http_code}" "https://csoai-static-deploy2.vercel.app/${p%.html}")
echo "$p local=$local_bytes remote=$remote_bytes http=$code"
doneIf the values differ, redeploy before sending. A 308 on the .html route is normal because cleanUrls redirects to the extensionless path.
Evidence status vocabulary
Use this exact vocabulary in emails and proposals.
| Status | Meaning | Allowed phrase | Forbidden phrase |
|---|---|---|---|
| LIVE | Public page or artefact returns HTTP 200 and byte matches local source. | Live public artefact | Certified evidence |
| DRAFT | Content prepared but not submitted to a buyer or authority. | Draft for owner review | Application submitted |
| DESIGNED | Control or workflow has a documented design but no external exercise yet. | Designed control path | Operationally proven |
| OWNER-GATED | Requires Nick personal, company, payment, or authentication action. | Owner-gated next step | Completed by agent |
| ILLUSTRATIVE | Scenario or case study used for explanation only. | Illustrative non-sensitive scenario | Real MOD case study |
Buyer due-diligence questions and answers
| Question | Evidence-room answer | Honesty guardrail |
|---|---|---|
| Are you accredited? | Show governance route, Cyber Essentials gate, and DEFONEOS-SEAL process. | Do not claim completed accreditation before owner gate. |
| Can you handle classified data? | Explain public-source and synthetic demo boundary, plus future secure route. | Do not accept classified data in the public pilot. |
| Are you replacing existing platforms? | Position as sovereign evidence and integration layer that can sit beside incumbent systems. | Do not claim rip-and-replace. |
| What is open source? | Explain open sovereign surface, MCP architecture, and public proof links. | Do not imply all buyer integrations are public. |
| How do we procure? | Route through DASA, G-Cloud, prime partner, direct award threshold, or discovery. | Buyer must validate procurement path. |
12-framework crosswalk
Every page in this tick is written as an owner-executable artefact and an audit trail. These mappings are design mappings, not third-party certifications.
| Framework | How this page maps | Honesty status |
|---|---|---|
| EU AI Act | Transparency, human oversight, logging, post-market monitoring, and high-risk discipline when a workflow crosses into regulated public-service use. | Designed control language. Verify per-buyer before external submission. |
| GDPR and UK GDPR | Data minimisation, lawful basis notes, retention windows, subject-access response path, and no personal-surveillance pattern. | Designed control language. Verify per-buyer before external submission. |
| JSP 936 | Assurance case language, operator accountability, safety case evidence, and escalation logging suitable for UK defence AI review. | Designed control language. Verify per-buyer before external submission. |
| JSP 440 | Protective marking, supplier-security posture, evidence handling, and separation of public facts from owner-gated sensitive data. | Designed control language. Verify per-buyer before external submission. |
| NIST AI RMF | Map, Measure, Manage, and Govern rows for every buyer artefact, with clear residual-risk ownership. | Designed control language. Verify per-buyer before external submission. |
| ISO 42001 | AI management-system controls, role ownership, change control, review cadence, and documented competence. | Designed control language. Verify per-buyer before external submission. |
| NIST PQC | Cryptographic-agility language, no false PQC certification claim, and upgrade path for signed evidence bundles. | Designed control language. Verify per-buyer before external submission. |
| NATO STANAG | Interoperability language only, no NATO endorsement claim, and neutral alliance-compatible evidence formatting. | Designed control language. Verify per-buyer before external submission. |
| AUKUS Pillar II | AUKUS-compatible technology framing only, no partnership claim unless a signed letter exists. | Designed control language. Verify per-buyer before external submission. |
| OSCAL | Machine-readable control catalogue and component-definition path for the evidence room. | Designed control language. Verify per-buyer before external submission. |
| Five Eyes export discipline | Public-source and EAR ITAR awareness note, no controlled technical data in the page. | Designed control language. Verify per-buyer before external submission. |
| C2PA 2.0 | Content provenance, artefact signing, and media lineage notation for decks, screenshots, and demo recordings. | Designed control language. Verify per-buyer before external submission. |
Honesty register
The register below is deliberately explicit so the artefact stays usable in a UK-sovereign procurement conversation without overclaiming.
- This page is an executable owner pack, not legal advice and not a government endorsement.
- AUKUS-compatible means design compatibility only. No AUKUS partnership is claimed without a signed letter on file.
- DEFONEOS-SEAL is not issued here. Any credential requires the 33-agent BFT council quorum and owner gate.
- No kinetic-targeting, find-fix-finish, kill-order, face-recognition, phone-location, or individual-tracking pattern is included.
- Buyer names and public bodies are routing examples from public procurement context. Nick must verify the current named contact before sending.
- SIGIL anchor is local until the SOV3 ledger endpoint is reachable from this Mac session.
- Generated 2026-07-11T08:01:33Z. File slug: defoneos-mod-evidence-room-index.