Clyra-AI · davidahmann · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
@@ -6,6 +6,10 @@ on:
     branches-ignore:
       - main
 
+concurrency:
+  group: pr-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref_name }}
+  cancel-in-progress: true
+
 jobs:
   pr-lint:
     runs-on: ubuntu-latest
@@ -36,4 +40,4 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - run: go test ./...
+      - run: go test -v ./...
@@ -1,2 +1,2 @@
-golang 1.25.7
+golang 1.26.1
 python 3.13.7
@@ -21,7 +21,7 @@ Status key:
 | FR4 Signing | PASS | Ed25519 + cosign signing/verification paths implemented for records/chains and bundle manifests, including cert/identity/issuer verify options and revocation-list verification. |
 | FR5 Canonicalization | PASS | JSON/SQL/URL/text/prompt canonicalization plus digest metadata (`algo_id`, `salt_id`) and HMAC-SHA-256 helpers in `core/canon`. |
 | FR6 Verification CLI | PASS | `verify`, `inspect`, `chain verify`, `types`, `frameworks`; bundle signature verification, custom type schema mapping, `--explain`, and exit code contract implemented. |
-| FR7 Framework definitions | PASS | 8 frameworks in `frameworks/` and `core/framework/`; list/show implemented. |
+| FR7 Framework definitions | PASS | 10 frameworks in `frameworks/` and `core/framework/`; list/show, schema validation, and deterministic evidence coverage evaluation implemented. |
 | FR8 Go module API | PASS | Primary API surface exported from `proof.go`. |
 | FR9 JSON schemas | PASS | Base + type schemas + chain/bundle/framework schemas in `schemas/v1/`. |
 

@@ -41,7 +41,7 @@ PROOF_VERSION="$(gh release view --repo Clyra-AI/proof --json tagName -q .tagNam
 go install github.com/Clyra-AI/proof/cmd/proof@"${PROOF_VERSION}"
 
 proof types list          # 18 built-in record types
-proof frameworks list     # 10 built-in starter frameworks (73 controls)
+proof frameworks list     # 10 built-in starter frameworks (79 controls)
 proof verify ./artifact   # Verify any proof artifact offline
 ```
 
@@ -250,25 +250,33 @@ All digests carry `algo_id` (sha256 or hmac-sha256) and optional `salt_id` metad
 
 ## Compliance Framework Definitions
 
-YAML files that declare what regulatory controls require — which record types, required fields, and evidence frequency. Zero evaluation logic. Configuration data consumed by downstream compliance tools.
+YAML files declare what regulatory controls require and which evidence paths can satisfy them. Proof evaluates deterministic evidence coverage only. It does not decide regulatory applicability, scope gating, or compliance status.
 
 ```yaml
 controls:
   - id: article-12
     title: Record-Keeping
-    required_record_types: [tool_invocation, decision, guardrail_activation, permission_check, compiled_action]
-    required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
-    minimum_frequency: continuous
+    evidence_sets:
+      - id: runtime_control
+        source_products: [gait]
+        required_record_types: [tool_invocation, permission_check, compiled_action]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: combined
+        source_products: [wrkr, gait]
+        required_record_types: [scan_finding, tool_invocation, compiled_action]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
 ```
 
-10 built-in starter frameworks ship with v1 (73 controls total). Add custom frameworks via YAML.
+10 built-in starter frameworks ship with v1 (79 controls total). Add custom frameworks via YAML.
 
 | Framework | Scope |
 |---|---|
-| EU AI Act | Articles 9, 12, 14 (starter mapping) |
-| SOC 2 | CC6, CC7, CC8 (starter mapping) |
+| EU AI Act | Articles 9, 12, 13, 14, 15, 26 (starter mapping) |
+| SOC 2 | CC6.1, CC6.3, CC7.1, CC8.1 (starter mapping) |
 | SOX | Change management (starter mapping) |
-| PCI-DSS | Requirement 10 (logging and monitoring) |
+| PCI-DSS | Requirements 6.5, 7.2, 12.8 (starter mapping) |
 | Texas TRAIGA | State AI regulation |
 | Colorado AI Act | State AI regulation |
 | ISO 42001 | AI Management System |

@@ -3,13 +3,16 @@ package main
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/Clyra-AI/proof"
+	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/require"
 )
 
@@ -107,22 +110,48 @@ func TestInspectChainAndBundleCommands(t *testing.T) {
 	require.Contains(t, out, "\"files\"")
 }
 
+func TestRunCommandForTestDrainsLargeStdout(t *testing.T) {
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, err := fmt.Fprint(os.Stdout, strings.Repeat("x", 1024*1024))
+			return err
+		},
+	}
+
+	out, err := runCommandForTest(t, cmd, nil)
+	require.NoError(t, err)
+	require.Len(t, out, 1024*1024)
+}
+
 func runCLIForTest(t *testing.T, args []string) (string, error) {
 	t.Helper()
 	cmd := newRootCmd("test")
+	return runCommandForTest(t, cmd, args)
+}
+
+func runCommandForTest(t *testing.T, cmd *cobra.Command, args []string) (string, error) {
+	t.Helper()
 	cmd.SetArgs(args)
 
 	oldStdout := os.Stdout
-	r, w, _ := os.Pipe()
+	r, w, err := os.Pipe()
+	require.NoError(t, err)
 	os.Stdout = w
+	defer func() {
+		os.Stdout = oldStdout
+	}()
+
+	var buf bytes.Buffer
+	copyDone := make(chan error, 1)
+	go func() {
+		_, copyErr := io.Copy(&buf, r)
+		copyDone <- copyErr
+	}()
 
-	err := cmd.Execute()
+	err = cmd.Execute()
 
 	_ = w.Close()
-	os.Stdout = oldStdout
-
-	var buf bytes.Buffer
-	_, _ = io.Copy(&buf, r)
+	require.NoError(t, <-copyDone)
 	_ = r.Close()
 	return buf.String(), err
 }
@@ -5,16 +5,139 @@ framework:
 controls:
   - id: article-9
     title: Risk Management
-    required_record_types: [risk_assessment]
-    required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
-    minimum_frequency: quarterly
+    evidence_sets:
+      - id: wrkr_discovery
+        title: Wrkr discovery risk evidence
+        source_products: [wrkr]
+        required_record_types: [scan_finding]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: axym_compliance
+        title: Axym risk assessment evidence
+        source_products: [axym]
+        required_record_types: [risk_assessment]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly
+      - id: combined
+        title: Discovery and assessment evidence
+        source_products: [wrkr, axym]
+        required_record_types: [scan_finding, risk_assessment]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly
   - id: article-12
     title: Record-Keeping
-    required_record_types: [tool_invocation, decision, guardrail_activation, permission_check, compiled_action]
-    required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
-    minimum_frequency: continuous
+    evidence_sets:
+      - id: wrkr_discovery
+        title: Wrkr discovery record evidence
+        source_products: [wrkr]
+        required_record_types: [scan_finding]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: runtime_control
+        title: Gait runtime record evidence
+        source_products: [gait]
+        required_record_types: [tool_invocation, permission_check, compiled_action]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: axym_compliance
+        title: Axym governance record evidence
+        source_products: [axym]
+        required_record_types: [decision, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly
+      - id: combined
+        title: Discovery and runtime record evidence
+        source_products: [wrkr, gait]
+        required_record_types: [scan_finding, tool_invocation, compiled_action]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+  - id: article-13
+    title: Transparency and Information to Deployers
+    evidence_sets:
+      - id: runtime_control
+        title: Gait runtime decision evidence
+        source_products: [gait]
+        required_record_types: [decision, compiled_action]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+      - id: axym_compliance
+        title: Axym transparency evidence
+        source_products: [axym]
+        required_record_types: [decision, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+      - id: combined
+        title: Discovery and decision evidence
+        source_products: [wrkr, gait]
+        required_record_types: [scan_finding, decision]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
   - id: article-14
     title: Human Oversight
-    required_record_types: [human_oversight, approval, compiled_action]
-    required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
-    minimum_frequency: per-event
+    evidence_sets:
+      - id: runtime_control
+        title: Gait human oversight evidence
+        source_products: [gait]
+        required_record_types: [human_oversight, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+      - id: axym_compliance
+        title: Axym oversight evidence
+        source_products: [axym]
+        required_record_types: [approval, decision]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+      - id: combined
+        title: Discovery and oversight evidence
+        source_products: [wrkr, gait]
+        required_record_types: [scan_finding, human_oversight, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+  - id: article-15
+    title: Accuracy, Robustness, and Cybersecurity
+    evidence_sets:
+      - id: wrkr_discovery
+        title: Wrkr discovery security evidence
+        source_products: [wrkr]
+        required_record_types: [scan_finding]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: runtime_control
+        title: Gait runtime safety evidence
+        source_products: [gait]
+        required_record_types: [guardrail_activation, incident, test_result]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+      - id: axym_compliance
+        title: Axym resilience evidence
+        source_products: [axym]
+        required_record_types: [risk_assessment, incident]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly
+      - id: combined
+        title: Discovery and runtime safety evidence
+        source_products: [wrkr, gait]
+        required_record_types: [scan_finding, guardrail_activation, test_result]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: continuous
+  - id: article-26
+    title: Deployer Obligations
+    evidence_sets:
+      - id: runtime_control
+        title: Gait deployer control evidence
+        source_products: [gait]
+        required_record_types: [compiled_action, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: per-event
+      - id: axym_compliance
+        title: Axym deployer governance evidence
+        source_products: [axym]
+        required_record_types: [deployment, risk_assessment, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly
+      - id: combined
+        title: Discovery and deployer evidence
+        source_products: [wrkr, axym]
+        required_record_types: [scan_finding, deployment, approval]
+        required_fields: [record_id, timestamp, source, source_product, record_type, event, integrity.record_hash]
+        minimum_frequency: quarterly