
ZeqCompliance v1 — 13 Standards, Every Compute Call

Every POST /api/zeq/compute response carries a deterministic, hash-chained compliance envelope (zeq.compliance.v1) at the top level and mirrored inside cko.compliance. No extra endpoint, no opt-in flag — it ships on every call.

The envelope is hash-bound to the ZeqProof: chain.bound_to_proof carries the same zeq_proof that the computation result returns, and chain.envelope_hash covers every other field in the envelope. A third party can check that an envelope is intact and which proof it names without ever holding your API key.

Headers

X-Zeq-Compliance-Envelope: <envelope_id>
X-Zeq-Compliance-Schema: zeq.compliance.v1

SIEM scrapers and audit-log shippers that watch headers can attach the envelope ID to log records without parsing the body.

Envelope shape

{
  "schema": "zeq.compliance.v1",
  "envelope_id": "d13205ff35265fe03639a3dc994e98d4",
  "generated_at_iso": "2026-04-28T19:36:11.718Z",

  "actor": {
    "user_id": "22f26d8a-40d2-49b3-a22f-38ef3bd5b861",
    "api_key_prefix": "zeq_ak_demo_2c5e12b5",
    "plan": "starter",
    "country": null
  },

  "action": {
    "endpoint": "/api/zeq/compute",
    "operator_ids": ["KO42", "ON0", "VX", "ZEQ-PROTECT-001",
                     "ZEQ-PROTECT-002", "ZEQ000", "NM19"],
    "domain": "Newtonian Mechanics",
    "input_digest": "447d784c1fd58380dff71e87f4927705",
    "started_at_iso": "2026-04-28T19:36:11.679Z",
    "finished_at_iso": "2026-04-28T19:36:11.718Z",
    "duration_ms": 39
  },

  "temporal": {
    "pulse_hz": 1.287,
    "zeqond_seconds": 0.777,
    "zeqond_tick": 2287520198,
    "phase_radians": 0.5596,
    "phase_fraction": 0.089063
  },

  "output": {
    "result_digest": "47442e04029d469e936dee87c1ba045a...",
    "zeq_proof": "6a7a6b60e9279b15...",
    "precision_bound": 0.000366,
    "metric_shift_triggered": false,
    "constants_version": "NIST CODATA 2018",
    "kernel_version": "v1.287.5"
  },

  "regulatory": { /* see below */ },

  "chain": {
    "alg": "sha256",
    "bound_to_proof": "<zeq_proof>",
    "envelope_hash": "<sha256(envelope_minus_chain)>"
  }
}

The 13 regulatory blocks

The regulatory object carries one block per standard. Every boolean maps to a concrete envelope field, not a marketing claim.

Pharma / clinical trials / FDA-regulated

| Standard | Block | Booleans |
|---|---|---|
| FDA 21 CFR Part 11 | fda_21_cfr_part_11 | ALCOA — attributable · legible · contemporaneous · original · accurate |
| EU GMP Annex 11 | eu_gmp_annex_11 | computerised_system_audit_trail · data_integrity_alcoa_plus · change_control_recorded · access_control_attested |
| ISO 13485 | iso_13485 | design_control_trace · device_master_record_link |

Security / financial controls

| Standard | Block | Booleans |
|---|---|---|
| ISO/IEC 27001 | iso_iec_27001 | A.12.4.1 event logging · A.12.4.2 log protection · A.12.4.3 admin/operator logs · A.12.4.4 clock synchronisation |
| SOC 2 / SOX | sox_soc2 | CC 6.1 logical access · CC 7.2 anomaly detection · CC 7.3 immutable event log · CC 8.1 change management |

The A.12.4.x identifiers are ISO/IEC 27001:2013 Annex A control numbers. The 2022 edition renumbers them (logging is control 8.15, clock synchronisation 8.17), so map the booleans to whichever edition your certification body audits against.

Aerospace / safety-critical software

| Standard | Block | Booleans |
|---|---|---|
| DO-178C | do_178c | tool_qualification_data · lifecycle_data_recorded · configuration_index_present · verification_evidence_present |
| ARP4754A | arp4754a | development_assurance_evidence · requirement_traceability · configuration_management_evidence |

Federal / defense

| Standard | Block | Booleans |
|---|---|---|
| NIST SP 800-53 Rev 5 | nist_sp_800_53 | AU-2 · AU-3 · AU-8 · AU-9 · AU-10 · SA-11 |
| FedRAMP Moderate | fedramp_moderate_compatible | (single boolean) |

Healthcare

| Standard | Block | Booleans |
|---|---|---|
| HIPAA 45 CFR §164.312 | hipaa | audit_controls_164_312_b · integrity_controls_164_312_c1 · transmission_security_164_312_e1 · phi_present_in_payload (always false — envelope holds digests) · phi_redaction_applied |

Payments

| Standard | Block | Booleans |
|---|---|---|
| PCI DSS v4.0 | pci_dss_v4 | Req 10.2 audit logs for all users · 10.3 record required data · 10.5 protect audit logs · 6.5 secure software development |

The descriptions in this row follow the PCI DSS v3.2.1 numbering. In v4.0, Requirement 10.2 is audit logs implemented to support detection, 10.3 is audit logs protected from destruction and unauthorised modification, 10.5 is audit log history retained, and secure software development is Requirement 6.2 (6.5 now covers change management). Confirm which edition the field names were written against before citing them in an assessment.

EU / Privacy

| Standard | Block | Fields |
|---|---|---|
| GDPR Art. 30 | gdpr_art_30 | purpose: scientific_computation · lawful_basis: consent_or_contract · retention: user_controlled · data_minimisation_applied |

Supply chain

| Standard | Block | Booleans |
|---|---|---|
| ISO 22005 | iso_22005_traceability | one_step_back_one_step_forward · lot_or_batch_id |

Plain-English summary

"standards_aligned": [
"FDA 21 CFR Part 11",
"EU GMP Annex 11",
"ISO 13485",
"ISO/IEC 27001",
"SOC 2 / SOX",
"DO-178C",
"ARP4754A",
"NIST SP 800-53",
"HIPAA 45 CFR §164.312",
"PCI DSS v4.0",
"GDPR Art. 30",
"ISO 22005",
"FedRAMP Moderate"
]

Verifying an envelope offline

chain.envelope_hash is sha256(envelope_minus_chain), and chain.bound_to_proof carries the same zeq_proof that the computation result returns. A third party can therefore check that a compliance record is intact and which proof it names without holding your API key. The verify endpoint checks the hash; matching the record to the computation it claims to certify is a comparison you make yourself, between chain.bound_to_proof and the zeq_proof in the result you stored:

curl -sS https://zeqapi.com/api/zeq/compliance/verify \
-H "Content-Type: application/json" \
-d '{"envelope": <full-envelope-json>}'

Returns:

{
"ok": true,
"protocol": "ZeqCompliance",
"schema": "zeq.compliance.v1",
"valid": true,
"envelope_id": "d13205ff35265fe03639a3dc994e98d4",
"bound_to_proof": "6a7a6b60e9279b15...",
"verified_at": "2026-04-28T19:37:39.234Z"
}

The endpoint is public and needs no auth: pure hashing, no DB lookup, no key retrieval. It recomputes sha256(envelope_minus_chain), compares it in constant time against envelope.chain.envelope_hash, and returns the bound proof. Be precise about what a "valid": true means. A matching hash shows the envelope body has not changed since its chain block was written; because the chain holds a plain sha256 rather than a signature, a correct hash can be produced by anyone holding the envelope body, so the hash alone does not establish who produced the record. Origin comes from the other half of the binding: bound_to_proof must equal the zeq_proof returned by the computation you stored, and that comparison happens on your side.
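An offline verifier in TypeScript, added here as an example; it is not code from ZeqAPI's shared/api-core. It performs the checks described above: recompute sha256 over the envelope without its chain block, compare in constant time against chain.envelope_hash, confirm chain.bound_to_proof agrees with output.zeq_proof, and then (the step the public endpoint cannot do for you) confirm that proof is the zeq_proof of the computation result you stored. The page does not state how envelope_minus_chain is serialised before hashing, so the canonical form used here (JSON, keys sorted, no whitespace) is an assumption and must be replaced with the service's real one. The sample envelope, its proof value and its digests are constructed for this example.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Minimal typing of zeq.compliance.v1; fields this verifier does not read
// fall under the index signature and are still covered by the hash.
interface ComplianceEnvelope {
  schema: string;
  envelope_id: string;
  output: { zeq_proof: string; [k: string]: unknown };
  chain: { alg: string; bound_to_proof: string; envelope_hash: string };
  [k: string]: unknown;
}

interface VerifyResult {
  valid: boolean;
  reason?: string;
}

// ASSUMPTION (not stated on the page): "envelope_minus_chain" is serialised as
// JSON with keys sorted lexicographically and no whitespace. Swap this for the
// service's real canonical form, otherwise the hash will never match.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj)
      .sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k]))
      .join(",");
    return "{" + body + "}";
  }
  return JSON.stringify(value); // string, number, boolean, null
}

// sha256 over everything except the chain block itself.
function envelopeHash(envelope: ComplianceEnvelope): string {
  const minusChain: Partial<ComplianceEnvelope> = { ...envelope };
  delete minusChain.chain;
  return createHash("sha256").update(canonicalize(minusChain)).digest("hex");
}

// Offline equivalent of POST /api/zeq/compliance/verify, plus the binding check
// the public endpoint leaves to the caller: the proof the envelope names must be
// the zeq_proof carried by the computation result you stored alongside it.
function verifyEnvelope(envelope: ComplianceEnvelope, storedZeqProof: string): VerifyResult {
  if (envelope.schema !== "zeq.compliance.v1") {
    return { valid: false, reason: "unsupported schema" };
  }
  if (envelope.chain.alg !== "sha256") {
    return { valid: false, reason: "unsupported chain.alg" };
  }
  const expected = Buffer.from(envelopeHash(envelope), "hex");
  const claimed = Buffer.from(envelope.chain.envelope_hash, "hex");
  // timingSafeEqual throws on unequal lengths, so rule that out first.
  if (expected.length !== claimed.length || !timingSafeEqual(expected, claimed)) {
    return { valid: false, reason: "envelope_hash mismatch" };
  }
  // chain is outside the hash, so bound_to_proof is only trustworthy if it
  // agrees with the hashed copy of the proof in output.zeq_proof.
  if (envelope.chain.bound_to_proof !== envelope.output.zeq_proof) {
    return { valid: false, reason: "chain.bound_to_proof differs from output.zeq_proof" };
  }
  if (envelope.chain.bound_to_proof !== storedZeqProof) {
    return { valid: false, reason: "envelope is bound to a different computation" };
  }
  return { valid: true };
}

// Constructed sample: identifiers, digests and the proof are illustrative
// values for this example, not a real ZeqAPI response.
const SAMPLE_PROOF = "ab".repeat(32);

function makeSampleEnvelope(): ComplianceEnvelope {
  const envelope: ComplianceEnvelope = {
    schema: "zeq.compliance.v1",
    envelope_id: "d13205ff35265fe03639a3dc994e98d4",
    generated_at_iso: "2026-04-28T19:36:11.718Z",
    actor: { user_id: "22f26d8a-40d2-49b3-a22f-38ef3bd5b861", plan: "starter", country: null },
    action: { endpoint: "/api/zeq/compute", domain: "Newtonian Mechanics", input_digest: "cd".repeat(16) },
    output: { result_digest: "ef".repeat(16), zeq_proof: SAMPLE_PROOF, precision_bound: 0.000366 },
    regulatory: { hipaa: { phi_present_in_payload: false } },
    chain: { alg: "sha256", bound_to_proof: SAMPLE_PROOF, envelope_hash: "" },
  };
  // Seal it the way the page describes: hash everything but chain
  // (using the assumed serialisation above).
  envelope.chain.envelope_hash = envelopeHash(envelope);
  return envelope;
}
```

The bound_to_proof check against output.zeq_proof matters because the chain block is excluded from the hash: swapping chain.bound_to_proof alone leaves envelope_hash valid, and only the hashed copy of the proof in output exposes the swap. Keep the stored result's zeq_proof, not the envelope's, as the reference value for the final comparison.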

Industry recipes

Pharma / clinical trials. Store the envelope alongside source data; chain.bound_to_proof gives FDA inspectors a single cryptographic anchor per computation.

Aerospace / safety-critical. The temporal block records that the call was phase-locked to the 1.287 Hz HulyaPulse. Keep it as one piece of the tool-qualification data you assemble under DO-178C and its companion DO-330; the block is evidence for that trace, not the qualification itself.

Finance / SOX. The actor + action + output triple is a self-describing log entry; ship it to your SIEM and correlate on the X-Zeq-Compliance-Envelope header. Immutability is a property of the store you write it to (WORM bucket, append-only index); the envelope hash lets you detect later alteration, it does not prevent it.

Defense / FedRAMP. The iso_iec_27001 and nist_sp_800_53 blocks together with the hash-chained chain field give you evidence toward NIST SP 800-53 AU-2 (event logging) and AU-9 (protection of audit information). Treat AU-10 (non-repudiation) with more care: a sha256 hash shows the record has not changed since it was sealed, not who sealed it, so pair the envelope with a signature or a write-once store when AU-10 is in scope.

Healthcare. The envelope never carries PHI: phi_present_in_payload is always false because the envelope holds digests, not payloads. That is a statement about the envelope, not about the compute request body, and phi_redaction_applied is asserted by the caller at the agent level rather than checked by the service, so keep your own record of what redaction ran before the call.

File map

  • shared/api-core/src/lib/compliance.ts (buildComplianceEnvelope)
  • shared/api-core/src/routes/zeq.ts — emission + headers + verify endpoint
  • shared/api-core/src/lib/protocols.ts — catalog entries (zeq-compliance, zeq-compliance-verify)