DSG

DSG ONE

ProofGate Control Plane

Pre-Audit Compliance Documentation

AI Governance
Compliance Evidence Pack

Formal proofs, WORM audit trail evidence, 2173 automated test assertions, CCVS v1.2 evidence chain, EU AI Act Annex IV mapping, and ISO 42001 control references — structured for pre-audit submission to your board, compliance team, or procurement review.

certificationClaim = false · independentAuditClaim = false · For pre-audit internal use only

What's Inside

Six sections of verifiable evidence

Every claim references a specific source file and test. Nothing is hand-wavy.

8 theorems · 0 failed

Formal Verification

8 Z3 theorems proved UNSAT (5 core policy + 3 DeFi constraints) — policy invariants, revenue model, and billing logic. Every theorem verified by asserting its negation: UNSAT means no counterexample exists for any possible input.

🔐2173 assertions verified

WORM Audit Trail

Write-Once SHA-256 hash chain: requestHash → decisionHash → recordHash → bundleHash. Optional HMAC-SHA256 signing. Tamper-evident — any field change cascades to all downstream hashes.

🧪+59% vs baseline

Automated Test Evidence

2173 tests across 229 files covering gateway invariants, WORM idempotency, evidence bundle signing, approval lifecycle, security primitives, and provider dispatch. Mutation score 72.08% (191/265 killed) verified by Stryker.

📋Art. 9 · 12 · 14 · Annex IV

EU AI Act Mapping

Art. 9 (Risk Management), Art. 12 (Record Keeping), Art. 14 (Human Oversight), Annex IV (9-item technical documentation checklist) — each mapped to DSG ONE controls with test evidence. Live at GET /api/compliance-evidence-pack/annex4.

🏛️6 controls mapped

ISO/IEC 42001 Controls

AI Management System alignment: A.6.1.1 (AI Policy), A.6.2.2 (Risk Assessment), A.6.2.3 (High-Risk Approval), A.9.1 (Monitoring), A.9.3 (Audit Logging), A.10.1 (Continual Improvement).

⚠️Required disclaimer

Evidence Boundary

certificationClaim = false · independentAuditClaim = false. This pack is for internal pre-audit preparation only. All source code and tests are reproducible from the public repository.

Use Cases

Who uses this pack

Procurement Teams

Download and share with your InfoSec or compliance reviewers when evaluating AI governance tooling. Pack answers: "How is policy enforced?" and "How is audit evidence produced?"

Compliance Officers

Map DSG ONE controls against your EU AI Act Article 12/14 obligations or ISO 42001 implementation. Pack provides pre-mapped control references with test evidence citations.

Board / Audit Committee

One-page executive summary format: formal proofs, test pass rate, hash-chain architecture, and regulatory mapping — without requiring technical expertise to interpret.

Methodology

Why "formally verified" is specific here

Most tools use "formally verified" loosely. DSG ONE is specific:

SMT-LIB 2 / Z3 — structural policy invariants

Gateway policy is encoded as a satisfiability problem in SMT-LIB 2 format and checked by the Z3 solver. Each of the 8 policy theorems is proved by asserting its negation — if Z3 returns UNSAT, no input combination can violate the invariant. This is not testing; it is exhaustive over all possible inputs.

2173 automated tests · 72.08% mutation score

Tests cover the gap between what Z3 proves (structural properties) and what runs in production (database interactions, authentication, HTTP routing, hash chain construction). Every WORM transition, approval lifecycle step, and security primitive has explicit assertions. Stryker mutation testing verified 191/265 mutants killed (72.08%) — gate at ≥70%.

WORM hash chain — tamper-evident by construction

requestHash → decisionHash → recordHash is not a database flag — it is a cryptographic chain. Altering any input field changes the hash, which changes all downstream hashes, which invalidates the bundleHash. This structure satisfies EU AI Act Art. 12 logging requirements by construction, not by policy.

Academic publication

Zenodo DOI

10.5281/zenodo.18225586

DSG ONE methodology is published on Zenodo (CERN/OpenAIRE open-access repository) and citable as peer-referenced research. The cryptographic evidence chain design, CCVS evidence severity levels, and policy theorem approach are documented with DOI — independently referenceable by auditors.

View on Zenodo (doi.org) →

DSG MCP Server

Gate AI actions before they run — inside Claude or Cursor

DSG ONE exposes a Model Context Protocol (MCP) server. Any MCP-compatible AI tool (Claude, Cursor) can route commands through the policy gate before execution. Every call produces an evidence envelope — auditable, hash-chained, and exportable. This is governance applied before the AI acts, not after.

Ready to generate your evidence pack?

Opens a printable HTML report with all six sections. Use browser "Print → Save as PDF" or click the PDF button.

certificationClaim = false · independentAuditClaim = false