# EU AI Act Agent Trust Contract v0 This repository implements a narrow trust contract over the Sovrient EU AI Act v1.0 standards twin. The system does not claim to be a lawyer, compliance assessor, or general legal reasoning engine. It resolves and cites bounded legal fragments, then rejects outputs that imply more than the evidence permits. ## Claim Boundary This controller resolves and cites the EU AI Act through the standards-twin resolver layer. It does not interpret, advise, classify systems, determine compliance, establish conformity, or substitute for counsel. That boundary is enforced before routing and again at synthesis validation: - advisory/application-shaped queries refuse before resolver access, - unknown structural targets fail closed as `unsupported_resolution`, - cited nodes carry `node_id`, `text_digest`, `source_twin_digest`, and parent provenance where present, - cited spans must be substrings of validated payload nodes, - model-shaped `llm_drafted` prose can pass only if it is grounded in validated cited spans and contains no unsupported advisory or interpretive residue. ## Digest Chain The current trust path is intentionally layered: 1. `source_twin_digest` pins the published EU AI Act v1.0 standards twin. 2. `bundle_digest` pins a multi-node evidence bundle produced by the skills layer. 3. `response_digest` pins the agent controller output, including route, boundary classification, citations, payload, and claim boundary. 4. `synthesis_digest` pins the bounded synthesis draft and its cited spans. 5. `graph_digest` pins the graph run that joins controller response, citation validation, synthesis, and synthesis validation. 6. `report_digest` and `manifest_digest` pin replay/eval artifacts for third-party verification. Each digest is over the artifact at that layer. The layers are not interchangeable: a valid final graph digest does not remove the need to verify the source twin, response, cited spans, and synthesis report. Verifier manifests also record the `ai-act-agent` and `ai-act-skills` commits plus dirty flags so replay does not depend on out-of-band repository state. ## Difference From Ordinary RAG Ordinary RAG usually asks whether retrieved text looks relevant and whether the final answer displays a citation. This agent asks a stricter question: what is the output permitted to make someone believe, and can that permission be verified from artifacts without trusting the model? The practical differences are: - citations are not just display text; they are typed fingerprints over content-addressed nodes, - the synthesis layer treats the model draft as untrusted until validation passes, - multi-citation evidence bundles require span coverage for every cited node, - eval and verifier artifacts are written with SHA-256 sidecars in `sha256sum -c` format, - the built-in verifier replays source-twin membership, evidence-bundle construction, validation predicates, graph consistency, manifest consistency, and eval reports, - verifier bundles can carry a detached GPG signature over `manifest.json`, - claim boundaries are part of the serialized output, not just UI copy. ## Current Scope The current passing synthesis mode is `extractive_local`. The `llm_drafted` mode is schema-valid and can pass only under the grounding predicate in `synthesis.py`. This keeps the model integration path open while preserving the existing trust contract. The system is a working vertical slice of a public verifier pattern. It is not yet an internet-scale evidence registry, a legal advice service, an EU AI Act conformity assessment, or an official benchmark result.