# EU AI Act Verifier Bundle This directory publishes a signed, replay-verifiable Sovrient AI Act agent output bundle for one bounded evidence-bundle query: ```text Build evidence bundle for sv:eu-ai-act/article/113 and sv:eu-ai-act/annex/III. ``` The bundle verifies the integrity and replayability of the included evidence bundle and its claim boundaries. It is not legal advice, not an EU AI Act compliance determination, not a conformity assessment under the EU AI Act or any national implementing measure, not an official benchmark score, and not a substitute for counsel, regulators, or conformity assessment bodies. ## Files - `ai-act-article-113-annex-iii-33aeab7.tar.gz`: signed verifier bundle archive. - `ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256`: archive byte checksum. - `TRUST_CONTRACT_v0.md`: trust-contract summary for the verifier artifact. - `VERIFIER_ARTIFACTS_v0.md`: operational verifier guide and replay-check list. - `RUNBOOK.md`: reviewer preflight, commands, expected output, and common failures. - `KEY_POLICY.md`: signer identity, verification, and rotation policy for this bundle. No checksum sidecar is published for `index.html`; Cloudflare may inject edge scripts into served HTML. Use the sidecars for the downloadable verifier artifacts and Markdown governance files. ## Digest Surface - Source twin digest: `sha256:6b9164ebffdbd788cfebfc074d75c7eb82b02efaa340b10c4f7439b3636e9bf9` - Bundle archive SHA-256: `67eb9e44766e296bf97a80eea4f28c878eeea65eb2d0274f7564974fa8c48e77` - Bundle manifest digest: `sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870` - Verification report digest: `sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d` - AI Act agent commit: `33aeab75ace7cac2120928b927b34f21815d368a` - AI Act skills commit: `dbaef1bfa80a17e5a4907a1dab404d5798b41fd3` - GPG key fingerprint: `231DF589D89C25FAD7A8E8E685F9BA1E0016C226` `source twin` means the digest of the published Sovrient EU AI Act v1.0 standards twin used as the source substrate for this bundle. The GPG fingerprint is the Sovrient EU AI Act Verifier release key for this bundle; see `KEY_POLICY.md` and compare the full fingerprint against an out-of-band source before relying on the signature. ## Verify Requires Python 3.11+, `pip`, `gpg`, `curl`, `sha256sum`, and an `ai-act-agent` checkout with `ai-act-skills` checked out as a sibling directory. Run from the `ai-act-agent` checkout: ```bash gpg --keyserver hkps://keys.openpgp.org \ --recv-keys 231DF589D89C25FAD7A8E8E685F9BA1E0016C226 python3 -m pip install -r requirements-dev.txt curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256 sha256sum -c ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256 tar -xzf ai-act-article-113-annex-iii-33aeab7.tar.gz gpg --verify ai-act-article-113-annex-iii-33aeab7/manifest.json.sig \ ai-act-article-113-annex-iii-33aeab7/manifest.json python3 -m ai_act_agent.cli verify ai-act-article-113-annex-iii-33aeab7 \ --require-eval \ --require-signature ``` The expected verifier result is `PASS` with all replay checks true and empty `check_reasons`. Minimal expected shape: ```json { "result": "PASS", "manifest_digest": "sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870", "report_digest": "sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d", "check_reasons": {} } ``` ## What This Proves A passing strict verification proves that the downloaded bundle bytes match their sidecars, the manifest and graph digests replay, cited evidence resolves against the published EU AI Act v1.0 source twin, validation predicates pass, the eval report replays, and the manifest signature verifies against the named release key. It does not prove that a system is compliant with the EU AI Act, that a conformity assessment has occurred, that regulators endorse the result, or that the bundle is an official benchmark score.