Evidence packs

A claim pack is a declarative rule set that turns the CGF graph into a verdict. Each pack is small, versioned and shipped under src/lib/cgf/claim-packs/. v1.0 ships four packs.

EU AI Act — high-risk

The flagship pack. Covers the three articles that matter to high-risk AI providers:

| Article | What CGF checks |
|---|---|
| Art. 9 — Risk management | Every Model has at least one Risk covered by a Control implementing a Policy. |
| Art. 13 — Transparency | Every public Endpoint exposes a Disclosure node. |
| Art. 15 — Accuracy, robustness, cybersecurity | Models have Evidence of evaluation and a Deploy approval gating production. |

Violations include both a structured machine field and a human-readable narrative so auditors and engineers can read the same report.

Example structured violation:

```json
{
  "pack": "eu-ai-act-high-risk",
  "rule": "art-9.risk-coverage",
  "severity": "error",
  "subject": { "type": "Model", "id": "models/triage-v3" },
  "missing":  { "edge": "Risk → applies_to → Model" },
  "narrative": "Model `triage-v3` has no Risk node covering it. EU AI Act Art. 9 requires a documented risk management system for every high-risk model."
}
```

GDPR Article 30

Records of processing activities, generated automatically from Endpoint → reads → Dataset edges where the dataset carries a personal-data tag. The pack emits:

  • legal basis (lawful_basis),
  • retention period,
  • recipients and cross-border transfers,
  • a per-endpoint Article 30 table.

SOC 2 — Common Criteria

Coverage of CC1–CC9 mapped to controls in your graph. Gaps surface as missing Control → mitigates → Risk edges. The same Control node can satisfy SOC 2 CC and EU AI Act Art. 9 simultaneously — the graph is the single source of truth.

CGF-JP — Japan regional profile

A strict superset of CGF v1.0. Adds four node types (JP.Ringi, JP.Hanko, JP.NemawashiTrace, JP.HankoCert), five edge types (stamps, precedes, escalates_to, ratifies, attested_by), and four packs (jp-meti-aibg, jp-appi-art27, jp-fsa-mrm, jp-aisi-eval). The bridge synthesizer turns completed ringi into core Approval nodes so the EU AI Act gating works on Japanese workflows unchanged.

See the CGF-JP launch post.

Writing your own pack

A pack is a TypeScript module exporting a ClaimPack:

```typescript
import type { ClaimPack } from '@/lib/cgf';

export const myPack: ClaimPack = {
  id: 'acme-internal-v1',
  rules: [
    {
      id: 'every-endpoint-has-owner',
      severity: 'error',
      // Returns one violation per Endpoint that has no outgoing owned_by edge.
      run: (g) =>
        g.nodes('Endpoint')
          .filter((e) => !g.edges(e, 'owned_by').length)
          .map((e) => ({
            subject: e,
            missing: { edge: 'Endpoint → owned_by → Actor' },
            narrative: `Endpoint ${e.id} has no owner.`,
          })),
    },
  ],
};
```

Rules are pure functions over the graph. No IO. The pack is deterministic by construction.
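A multi-hop rule in the same style, modelled on the Art. 9 check from the table above. This is an added example, not code from the CGF project. The `Graph` stand-in, the `makeGraph` helper, the `implements` edge name and all sample ids except `models/triage-v3` are assumptions made so the block runs on its own.

```typescript
// Stand-in for the CGF graph: assumed shapes, NOT the real '@/lib/cgf' types.
type GNode = { type: string; id: string };
type GEdge = { from: string; type: string; to: string };
type Graph = { nodes(t: string): GNode[]; edges(n: GNode, t: string): GEdge[] };
type Violation = { subject: GNode; missing: { edge: string }; narrative: string };

function makeGraph(ns: GNode[], es: GEdge[]): Graph {
  return {
    nodes: (t) => ns.filter((n) => n.type === t),
    // Outgoing edges of `n`, matching how the page calls g.edges(e, 'owned_by').
    edges: (n, t) => es.filter((e) => e.from === n.id && e.type === t),
  };
}

// Pure rule: every Model needs a Risk mitigated by a Control that implements
// a Policy. The 'implements' edge name is an assumption.
function riskCoverage(g: Graph): Violation[] {
  const backed = g.nodes('Control').filter((c) => g.edges(c, 'implements').length > 0);
  const mitigated = (r: GNode) =>
    backed.some((c) => g.edges(c, 'mitigates').some((e) => e.to === r.id));
  const out: Violation[] = [];
  for (const m of g.nodes('Model')) {
    const risks = g.nodes('Risk')
      .filter((r) => g.edges(r, 'applies_to').some((e) => e.to === m.id));
    if (risks.length === 0) {
      out.push({ subject: m, missing: { edge: 'Risk → applies_to → Model' },
        narrative: `Model ${m.id} has no Risk node covering it.` });
    } else if (!risks.some(mitigated)) {
      out.push({ subject: m, missing: { edge: 'Control → mitigates → Risk' },
        narrative: `No Risk on Model ${m.id} is mitigated by a policy-backed Control.` });
    }
  }
  return out;
}

// Constructed sample graph; only models/triage-v3 comes from the page.
const sample = makeGraph(
  [ { type: 'Model', id: 'models/triage-v3' }, { type: 'Model', id: 'models/ranker-v2' },
    { type: 'Model', id: 'models/summarizer-v1' },
    { type: 'Risk', id: 'risks/r1' }, { type: 'Risk', id: 'risks/r2' },
    { type: 'Control', id: 'controls/c1' }, { type: 'Control', id: 'controls/c2' },
    { type: 'Policy', id: 'policies/p1' } ],
  [ { from: 'risks/r1', type: 'applies_to', to: 'models/summarizer-v1' },
    { from: 'risks/r2', type: 'applies_to', to: 'models/ranker-v2' },
    { from: 'controls/c1', type: 'mitigates', to: 'risks/r1' },
    { from: 'controls/c1', type: 'implements', to: 'policies/p1' },
    { from: 'controls/c2', type: 'mitigates', to: 'risks/r2' } ], // c2 has no Policy
);
const violations = riskCoverage(sample);
```

The control `controls/c2` mitigates a risk but implements no Policy, so `models/ranker-v2` is still reported. A control that exists without policy backing does not count as coverage in this rule.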
