Skip to main content

Inspects operational-resilience evidence posture. Explains and routes only; never a compliance verdict.

Project description

ECZ-ID DORA Readiness Inspection

You have a DORA operational-resilience register and you need to see, at a glance, what evidence you have actually declared — and which referenced files are really on disk — before anyone relies on it. ecz-id-dora reads your resilience-evidence descriptor and shows exactly what is declared, present or absent, locally, offline, in one command.

It inspects, explains and routes only. It never issues or activates an ECZ-ID, never determines BOUND, never prices or carts, never executes discovered project, agent, MCP or robot code. It is not a DORA compliance verdict, regulatory approval, audit outcome or statement of legal sufficiency. A missing item is a neutral observation, not a judgement. Missing public proof is neutral. Local policy decides. Re-check before reliance.

Machine Interface · Manifest · Resolve · Operator Setup · Developer Guidance

One-command free trial

$ uvx ecz-id-dora inspect ./my-resilience-register
# or: pipx run ecz-id-dora inspect ./my-resilience-register

No account, no network and no config required. The public Resolver check is strictly opt-in (--check-public).

Example result

ECZ-ID inspection: ./my-resilience-register [ecz-id-dora]
A. configuration posture : PRESENT
B. public proof posture  : NOT_CHECKED  (neutral)
means        : Local ECZ-ID configuration was found for this subject. | Public Resolver proof was not checked.
does not mean: This is not a DORA compliance verdict, regulatory approval, audit outcome or statement of legal sufficiency. | ...
reason codes : ECZ-1000, ECZ-2002

Export the evidence-readiness table for a register:

$ ecz-id-dora export-csv ./my-resilience-register
evidence_item,declared,file_referenced,file_present
ICT provider identity,true,provider-attestation.txt,true
service inventory,true,,
contract references,true,,
continuity/recovery references,true,recovery-plan.md,true
exit-plan evidence,true,exit-plan.md,true
discontinuation-impact references,true,impact-analysis.md,false
API/package/cloud/SBOM relationships,true,sbom.json,true

Supported inputs

  • A directory or descriptor file. Recognised names: resilience_evidence.json, dora_evidence.json, dora_register.json.
  • Declared sections observed as neutral findings: ICT vendor / provider identity; service inventory and customer/service relationships; contract references; provider/subcontractor mapping; operational locations; important-function references; substitutability declarations and alternatives; continuity / recovery references; incident contacts; exit-plan evidence; discontinuation-impact references; and API / package / cloud / SBOM relationships.
  • Where a section names an evidence file, that file's presence under the inspected root is reported (present / absent). Files are matched by basename inside the root only; the root is never escaped and symlinks are refused.

Free capabilities

  • Two-sided posture: local configuration evidence vs public Resolver evidence.
  • export-csv — a deterministic evidence-readiness table of evidence_item, declared, file_referenced, file_present.
  • compare for drift; JSON / Markdown / text / SARIF / CSV output; secret redaction on every export.

Unsupported inputs

  • Not a resilience scanner, uptime monitor, penetration tester or crawler.
  • Does not open, validate or attest the content of any referenced evidence file — only whether it is present.
  • Does not fetch or execute your project, and never follows arbitrary redirects to internal hosts.

What the result means

PRESENT / PARTIAL / ABSENT / INVALID describes your local resilience-evidence register: whether a register was found, how much of the expected evidence it declares, and whether it parses. PROOF_FOUND or a neutral posture describes public Resolver evidence.

What it does not mean

Not a safety, approval, insurance or premium decision. Not a DORA compliance verdict, regulatory approval, audit outcome or statement of legal sufficiency. "Declared" and "present" describe what the descriptor records and what is on disk — nothing about adequacy or correctness. Missing public proof is neutral — it does not mean unsafe.

Compare / drift

$ ecz-id-dora compare ./last-review ./current --json

Shows posture changes and reason-code / finding additions and removals — useful in review and on a schedule.

CI use

$ ecz-id-dora inspect . --sarif > dora.sarif      # upload to code scanning
$ ecz-id-dora inspect . --json  > dora.json       # exit 0 for any completed inspection
$ ecz-id-dora export-csv . > dora-evidence.csv    # evidence-readiness table

Exit code is 0 for every completed inspection regardless of posture (the neutrality rule); non-zero only for genuine input / tool errors.

Machine Interface & Quiet manifest

Every install ships a public-safe manifest, ecz_quiet_machine_interface.json, and every JSON report embeds a compact machine_interface object with the canonical roots and safe actions.

Machine Interface | Manifest | Resolve | Operator Setup | Developer Guidance

It exposes the interface and protects the playbook: none of the private commercial machinery lives in these packages. If you operate the target and choose to begin, TrustOps handles recommendation, acquisition, setup, lifecycle and repair. This package only routes you there; it never prices, carts or sells.

Privacy and no telemetry

Bounded, read-only, symlink-refusing inspection. No telemetry, no source upload. The optional public check sends only minimal safe context (source, package, version, typed intent) to validated public hosts over HTTPS. Secrets are redacted on every export. Offline mode (--offline / ECZ_ID_OFFLINE=1) skips all network.

Licence and trademarks

Apache-2.0. See LICENSE and NOTICE.

The Apache-2.0 code licence grants no trademark rights. "ECZ-ID", "EcoCitizenz" and related names and logos are trademarks of their owner(s). See TRADEMARKS.md. See CHANGELOG.md and SECURITY.md at the repository root.

CLI: ecz-id-dora  |  Import: ecz_id_dora  |  Plugin group: ecz_id.plugins

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ecz_id_dora-0.1.0.tar.gz (17.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ecz_id_dora-0.1.0-py3-none-any.whl (16.6 kB view details)

Uploaded Python 3

File details

Details for the file ecz_id_dora-0.1.0.tar.gz.

File metadata

  • Download URL: ecz_id_dora-0.1.0.tar.gz
  • Upload date:
  • Size: 17.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_dora-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0052867187ab9a5c48c32b1beb3ad40ca0e692e0bbeb744147a499177744a0a9
MD5 f10d11df51980972e2dba831945e6eb7
BLAKE2b-256 2db0cb43888d6c66bba80c08b0b3f14308f9dd8e7b4801f51b0e98b2115e0d0c

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_dora-0.1.0.tar.gz:

Publisher: publish-ecz-id-dora.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ecz_id_dora-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: ecz_id_dora-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 16.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ecz_id_dora-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cfb738f4f3b8e723bbc96759a6e04f8e9bdb9dec86a39d03c9f4c7bfcfd966d2
MD5 0d971612044ba2277d0a1d2d79950620
BLAKE2b-256 aaa4f8fcc5541f26175c189f791192b51506a207968aa4e11030cdd728949911

See more details on using hashes here.

Provenance

The following attestation bundles were made for ecz_id_dora-0.1.0-py3-none-any.whl:

Publisher: publish-ecz-id-dora.yml on Ecocitizenz/ecz-id-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page