Skip to main content

Open catalogue, JSON schemas, source-bound act profiles, and CC0 conformance vectors for machine-readable organisational acts.

Project description

ActProof Events

ActProof Events is an open standard for turning a regulated act into a receipt that a third party can verify without trusting the issuer or any intermediary.

When an organization reports a regulated act, the report is a claim. A DORA incident notification, an EUDR due diligence statement, a NIS2 management body approval are all such reports. Whoever relies on one of them today trusts the issuer who wrote it, and the platform that carried it. ActProof Events removes both points of trust. The act becomes a receipt that is cryptographically anchored to a public ledger and bound to the official text of the regulation it claims to satisfy. Correctness becomes something you check, not something you are asked to believe.

This repository holds the standard, the schemas, the catalogue of act profiles, and the conformance test vectors. The companion package actproof holds the substrate that mints, anchors, and verifies the receipts themselves.

How verification works

A regulated act has three things a relying party needs to be sure of. ActProof Events answers each one separately.

Provenance. Every act profile cites the official sources it draws from by stable identifier, and pins the SHA-256 hash of each one. A reader can fetch the same official document, hash it, and confirm the profile was built against the published law and not a paraphrase of it. This is mechanical. No judgement is involved.

Schema conformance. Every catalogue entry ships with conformance test vectors. An implementation runs the vectors and gets a deterministic pass or fail. Two independent implementations that both pass produce byte-identical receipts. This is mechanical too.

Faithfulness. Whether a profile's data model honestly reflects what the regulation requires is a question of judgement, and judgement cannot be hashed. ActProof Events does not hide this. Every source-bound profile ships a transparency note that records, in plain language, what the law requires, how the profile's fields map to it, and every interpretive decision that was made. The note is open. Anyone can read it and disagree.

The standard's position is simple. Check us, do not trust us. Provenance and conformance are checkable by machine. Faithfulness is checkable by a human reading an open transparency note against the open text of the law. Nothing relies on trusting this project.

What this package ships

actproof-events is a Python package with no required runtime dependencies. Installing it gives a consuming application the following, as bundled data:

  • The act-profile catalogue. JSON catalogue entries, one per regulated act, each describing the act's claim fields, evidence requirements, and source bindings.
  • The JSON Schemas that define the structure of a catalogue entry, so a consumer can validate the entries it loads.
  • The conformance test vectors, one companion file per catalogue entry, released CC0 so any implementation can use them as a shared conformance suite with no licensing friction.
  • The specification text, together with the vocabularies, the schema versioning policy, and the catalogue loader contract, bundled so an installed copy carries the standard it implements.

The package exposes a small, typed API for locating this data:

from actproof_events import (
    get_catalogue_path,
    get_schema_path,
    get_spec_path,
    list_catalogue_entries,
    __version__,
    __spec_version__,
)

# Every authoritative catalogue entry, as a sorted list of Path objects.
# Deprecated entries and test-vector files are excluded by default.
for entry_path in list_catalogue_entries():
    print(entry_path.name)

# The bundled JSON Schema for catalogue entries.
schema_path = get_schema_path("act_profile.v3")

# The bundled specification text.
spec_path = get_spec_path()

# The catalogue directory, if you would rather walk it yourself.
catalogue_dir = get_catalogue_path()

__version__ is the package version. __spec_version__ records which revision of the specification the installed package embodies. The companion documents are reachable the same way, through get_vocabularies_path, get_schema_version_policy_path, and get_contract_path.

Install

pip install actproof-events

For full JSON Schema validation of catalogue entries, install the optional extra:

pip install "actproof-events[schema-validation]"

The extra pulls in jsonschema. The base package needs only the standard library.

The catalogue

The catalogue is federated. It uses two namespaces.

The canonical namespace op: is curated by this project. An entry earns a place in it by citing a stable regulatory or organizational basis, by being structurally clear enough to reduce to mechanical constraints, and by being broadly applicable. Canonical entries go through the review described in CONTRIBUTING_ACTS.md.

The third-party namespace x.<reverse-dns>: is permissionless. Any organization that controls a DNS domain may publish its own entries by serving them under .well-known/actproof-events/acts/ on that domain. No pull request and no coordination with this project are needed. Verifiers resolve third-party identifiers at verification time. Third-party publication is the architectural default, not a downgrade.

The catalogue currently spans EU regulatory acts (DORA, EUDR, NIS2), a civil-society mandate settlement, and the project's own software-release and standards-engagement acts.

The DORA ICT-incident initial-notification profile, op:eu.dora.ict_incident_notification_initial.v1, is the reference profile. It has been authored end to end under the source-binding process. It pins the SHA-256 of every official EU instrument it draws from, Regulation (EU) 2022/2554 together with its delegated and implementing acts, and it ships a transparency note recording every interpretive decision. It is the worked example the rest of the catalogue is being brought up to. Each entry declares its maturity in a profile_status block: the DORA profile is candidate, and the profiles that predate the source-binding process are draft and do not yet carry source bindings.

Superseded entries are kept under _deprecated/ subdirectories. They remain in the tree so historical receipts can still be resolved, and they are excluded from the authoritative API by default.

Two packages

ActProof Events is published as two Python packages, both Apache-2.0, with a clean split of responsibility.

actproof-events, this package, is the standard. It is the specification, the schemas, the act-profile catalogue, and the conformance vectors. It has no runtime dependencies and ships no anchoring code. It is the thing a verifier reads to know what a correct receipt looks like.

actproof is the substrate. It mints receipts, canonicalizes them, anchors them to the public ledger, and verifies them. It depends on actproof-events for the catalogue and schemas.

Splitting them keeps the standard light enough to be a dependency of anything, and lets the catalogue version independently of the anchoring code.

Repository layout

spec/                        the specification text, schemas, and version policy
catalogue/acts/              the act-profile catalogue, organized by jurisdiction
actproof_events/             the installable Python package
scripts/                     test-vector generation and catalogue validation
salt-erasure/                the salt-erasure module for redactable evidence
docs/releases/               per-release notes
CONTRIBUTING_ACTS.md         how to propose a catalogue entry
CATALOGUE_LOADER_CONTRACT.md the contract a catalogue loader must honor

Specification

The specification text lives at spec/actproof-events.spec.md. It defines the catalogue entry schema, the manifest and envelope formats, the RFC 8785 canonicalization pipeline, the on-chain note format, and the verifier conformance test vector format.

ActProof Events is architecturally aligned with the IETF SCITT architecture. A COSE wire-format bridge is planned for a later iteration of the specification. Until it ships, ActProof Events implementations emit JSON-canonical receipts and are not yet SCITT-compatible at the wire level.

Contributing

Catalogue contributions are welcome from regulators, industry associations, standards bodies, downstream implementers, and individual experts. A contribution is judged on its source binding, not on who submits it. CONTRIBUTING_ACTS.md describes the process for both namespaces, including the staged authoring process for a source-bound profile.

Contributions to the specification text, the reference code, and the test infrastructure follow the standard GitHub pull-request flow.

License

ActProof Events combines two licenses, and the distributed package carries the full text of both, LICENSE and LICENSES/CC0-1.0.txt.

The Python package code, the JSON schemas, and the catalogue entries are licensed under Apache-2.0.

The specification text is dedicated to the public domain under CC0-1.0, so it can be implemented and re-published without restriction.

The conformance test vectors are released under CC0-1.0, so any implementation, open or proprietary, can use them as a shared conformance suite.

Maintainer

ActProof Events is maintained by Deyan Paroushev at Advisa EOOD, Sofia.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

actproof_events-1.5.0rc1.tar.gz (159.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

actproof_events-1.5.0rc1-py3-none-any.whl (123.2 kB view details)

Uploaded Python 3

File details

Details for the file actproof_events-1.5.0rc1.tar.gz.

File metadata

  • Download URL: actproof_events-1.5.0rc1.tar.gz
  • Upload date:
  • Size: 159.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.1

File hashes

Hashes for actproof_events-1.5.0rc1.tar.gz
Algorithm Hash digest
SHA256 31bd2eac64b1e8b3e46db8af73ee99a19c18e6c7c04af3c71202a208dee5ee71
MD5 9cb877d914df88740c5e905825d64965
BLAKE2b-256 c3d1da83d488e7f60cfd17267a883a6ced6598202101377a93bb3f5e11f961e1

See more details on using hashes here.

File details

Details for the file actproof_events-1.5.0rc1-py3-none-any.whl.

File metadata

File hashes

Hashes for actproof_events-1.5.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 06050e9264f7817cc6ea274ff0129d797053944faec8bf6c58e55bcd0a3f40dd
MD5 d0e651ae909537c95583772f6d8edec6
BLAKE2b-256 e4cb8c091c04bf9a936729716b0923f7d478114c3b6cc072dff495893be05cd6

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page