diff --git a/src/components/docs/nav.ts b/src/components/docs/nav.ts
index 0a53669..89ace5a 100644
--- a/src/components/docs/nav.ts
+++ b/src/components/docs/nav.ts
@@ -491,6 +491,11 @@ export const DOCS_NAV: DocsSection[] = [
 label: 'Bond verification',
 blurb: 'GET /api/bond — re-resolve a bond against live bitcoin UTXO state. The load-bearing leg.',
 },
+ {
+ href: '/fleet/compliance',
+ label: 'Compliance crosswalk',
+ blurb: 'Fleet artifacts mapped to EU AI Act / SOC 2 / NIST AI RMF — with honest rails. The procurement exit.',
+ },
 {
 href: '/fleet/webhooks',
 label: 'Webhooks',
diff --git a/src/pages/fleet/compliance.mdx b/src/pages/fleet/compliance.mdx
new file mode 100644
index 0000000..bccc23a
--- /dev/null
+++ b/src/pages/fleet/compliance.mdx
@@ -0,0 +1,72 @@
+export const metadata = {
+ title: 'Fleet compliance crosswalk',
+ description:
+ 'How OC Fleet artifacts — signed delegations, stamped actions, revocations, bonded pledges, and offline-verifiable audit bundles — map to EU AI Act, SOC 2, and NIST AI RMF controls. Evidence infrastructure, stated honestly: what it gives an auditor, and what it explicitly does not.',
+};
+
+# Compliance crosswalk
+
+Enterprise AI-agent rollouts stall in the same place: a compliance reviewer asks
+_who authorized this agent to do that, what was it allowed to do, when was it
+revoked, and what does it have to lose if it misbehaves_ — and the team cannot
+answer with evidence that survives scrutiny. Service accounts collapse the
+user→agent→tool chain into one shared credential, which is the SOC 2 CC6 finding
+auditors now reject outright.
+
+Fleet's artifacts are built to answer those questions with **content-addressed,
+BIP-322-signed, OpenTimestamps-anchored evidence that verifies offline against
+Bitcoin** — no trust in fleet required. This page maps each control family to
+the artifact that satisfies it.
+
+## Read this first — the honesty rails
+
+These four statements bound everything below. Quote them to your reviewer; they
+are the difference between an honest control and an overclaim.
+
+1. **Fleet is evidence infrastructure, not a compliance guarantee.** It produces
+ the audit trail a framework asks for. It does not certify you against any
+ framework. Your auditor still audits you.
+2. **Protocol cannot transfer liability.** A bonded pledge is verifiable
+ economic exposure, not an indemnity. No envelope makes someone else legally
+ responsible for an agent's act.
+3. **Fleet is not a real-time kill-switch.** Revocation is a signed, anchored
+ fact that any verifier honors going forward; it is not an in-band interceptor
+ that halts a running tool call. Fleet **composes under** your runtime
+ guardrails and observability stack — it does not replace them.
+4. **A bond proves skin-in-the-game, not good behavior.** It raises the cost of
+ misbehaving and makes that cost verifiable. It does not prevent the act.
+
+## EU AI Act
+
+| Article | Requirement | Fleet artifact |
+| ------------------------------------------ | ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Art. 12 — Record-keeping** | Automatic logging of events over the system's lifetime, tamper-evident. | Every action is a kind-30084 envelope: content-addressed, BIP-322-signed by the agent, OTS-anchored to a Bitcoin block. The audit bundle is the lifetime log; the block anchor is the tamper-evidence. |
+| **Art. 14 — Human oversight** | A human can understand, oversee, and intervene. | Authority originates in a **human-signed** delegation (BIP-322 over the principal's Bitcoin address) with an explicit scope grammar and a block-height expiry; intervention is a human-signed **revocation** envelope. Oversight is the scoped grant; intervention is the signed revoke. |
+| **Art. 14 — Traceability of intervention** | Ordering of act vs. intervention is non-repudiable. | OTS block-height anchoring gives an offline verifier a non-malleable clock to order an action against its revocation deterministically — a signed wall-clock is forgeable, a block height is not. |
+
+## SOC 2
+
+| Criterion | Requirement | Fleet artifact |
+| ------------------------------------------ | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **CC6.1 — Logical access** | Least-privilege, per-identity access; no shared credentials. | Each agent acts under its **own** Bitcoin-address identity and its **own** scoped delegation — the opposite of a shared service account. Scope is an explicit, attenuable grammar, not "all of the API". |
+| **CC6.2 / CC6.3 — Provisioning & removal** | Authorization is granted and revoked through a controlled, evidenced process. | Grant = signed delegation; removal = signed revocation. Both are first-class, exportable, offline-verifiable envelopes — the provisioning record _is_ the artifact. |
+| **CC7.2 / CC7.3 — Monitoring & evidence** | Immutable, exportable activity logs. | NDJSON / JSON / CSV audit-bundle export; every row re-verifies against the agent's signature and the Bitcoin header chain with `@orangecheck/agent-core`. |
+
+## NIST AI RMF
+
+| Function | What fleet contributes |
+| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| **GOVERN** | A named, address-keyed authority model: who delegated, to whom, with what scope, with what bond. |
+| **MAP** | The scope grammar makes an agent's permitted actions explicit and enumerable before deployment. |
+| **MEASURE** | The bond gives a measurable, chain-verifiable stake (`sats × days_unspent`); the action stream gives in-scope vs. out-of-scope counts. |
+| **MANAGE** | Scoped, revocable authority + a bonded accountability signal that a counterparty can weigh — without custody, without an account. |
+
+## The bond as a control
+
+Most frameworks above are satisfied by _capability + audit_, which an ordinary
+keypair could also provide. The differentiator that needs Bitcoin is the
+[bond](/fleet/bond): a counterparty can verify the agent (or the org running it)
+has real, unspent, aged bitcoin exposure to losing — re-resolved live against
+UTXO state, trusting no one. That is the one control on this page that does not
+reduce to a verifiable credential. See [Bond verification](/fleet/bond) for the
+contract and its honest limitations.