Merge pull request #7 from quantumpipes/compliance-expansion

Author: bradleygauthier

README.md

@@ -8,7 +8,7 @@ Every AI action produces a Capsule — a tamper-evident, content-addressable rec
 
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![CPS](https://img.shields.io/badge/CPS-v1.0-orange.svg)](./spec/)
-[![Conformance](https://img.shields.io/badge/Conformance-16_vectors-brightgreen.svg)](./conformance/)
+[![Conformance](https://img.shields.io/badge/Conformance-16_vectors-ff69b4.svg)](./conformance/)
 [![FIPS](https://img.shields.io/badge/Crypto-FIPS_202%20·%20186--5%20·%20204-purple.svg)](#cryptographic-seal)
 [![Coverage](https://img.shields.io/badge/Coverage-100%25-brightgreen.svg)](./reference/python/)
 
@@ -229,13 +229,35 @@ See the [TypeScript reference documentation](./reference/typescript/) for the fu
 
 ---
 
+## Compliance
+
+Capsule maps to 11 regulatory frameworks at the protocol level. Each mapping documents which controls the protocol satisfies and which require complementary application-level controls.
+
+| Framework | Controls | Focus |
+|---|---|---|
+| [NIST SP 800-53](./docs/compliance/nist-sp-800-53.md) | AU-2 through AU-12, SC-13, SC-28, SI-7 | Audit, integrity, crypto |
+| [NIST AI RMF](./docs/compliance/nist-ai-rmf.md) | GOVERN, MAP, MEASURE, MANAGE | AI risk management |
+| [EU AI Act](./docs/compliance/eu-ai-act.md) | Articles 12, 13, 14 | Record-keeping, transparency, oversight |
+| [SOC 2](./docs/compliance/soc2.md) | CC6.1, CC7.2, CC7.3, CC7.4, CC8.1 | Trust Services Criteria |
+| [ISO 27001](./docs/compliance/iso27001.md) | A.8.15 through A.8.25 | Annex A controls |
+| [HIPAA](./docs/compliance/hipaa.md) | §164.308, §164.312 | Security Rule safeguards |
+| [GDPR](./docs/compliance/gdpr.md) | Articles 5, 25, 30, 32, 35 | Data protection |
+| [PCI DSS](./docs/compliance/pci-dss.md) | Req 10, 11.5, 11.6 | Logging, change detection |
+| [FedRAMP](./docs/compliance/fedramp.md) | AU-9(3), AU-10, SI-7, CM-3 | Federal cloud |
+| [FINRA](./docs/compliance/finra.md) | SEC 17a-4, REC-2, Rule 3110 | Financial recordkeeping |
+| [CMMC](./docs/compliance/cmmc.md) | AU.L2-3.3.x, SC.L2-3.13.x | DoD CUI protection |
+
+See the [compliance overview](./docs/compliance/) for FIPS algorithm details and scope.
+
+---
+
 ## Documentation
 
 | Document | Audience |
 |---|---|
 | [Architecture](./docs/architecture.md) | Developers, Auditors |
 | [Security Evaluation](./docs/security.md) | CISOs, Security Teams |
-| [Compliance Mapping](./docs/compliance.md) | Regulators, GRC |
+| [Compliance Mapping](./docs/compliance/) | Regulators, GRC |
 | [Why Capsules](./docs/why-capsules.md) | Decision-Makers, Architects |
 | [Implementor's Guide](./docs/implementors-guide.md) | SDK Authors |
 

docs/README.md

@@ -9,7 +9,7 @@ These documents explain the Capsule Protocol — why it exists, how it works, an
 | [Why Capsules](./why-capsules.md) | Decision-Makers, Architects | The case for cryptographic AI memory |
 | [Architecture](./architecture.md) | Developers, Auditors | 6-section model, sealing, hash chain |
 | [Security Evaluation](./security.md) | CISOs, Security Teams | Cryptographic guarantees and key management |
-| [Compliance Mapping](./compliance.md) | Regulators, GRC | NIST, EU AI Act, SOC 2, ISO 27001 |
+| [Compliance Mapping](./compliance/) | Regulators, GRC | NIST, EU AI Act, SOC 2, ISO 27001, HIPAA, GDPR |
 | [Implementor's Guide](./implementors-guide.md) | SDK Authors | How to build a conformant implementation |
 
 ## Normative Specification

docs/architecture.md

@@ -369,7 +369,7 @@ Capsules can form parent-child hierarchies: `WORKFLOW` (parent) -> `AGENT` (chil
 
 - [Why Capsules](./why-capsules.md) — The case for cryptographic AI memory
 - [Security Evaluation](./security.md) — Cryptographic guarantees for CISOs
-- [Compliance Mapping](./compliance.md) — Regulatory framework alignment
+- [Compliance Mapping](./compliance/) — Regulatory framework alignment
 - [CPS Specification](../spec/) — Protocol rules for SDK authors
 - [Python Reference](../reference/python/) — Python API reference and quickstart
 

docs/compliance.md

@@ -0,0 +1,63 @@
+# Regulatory Compliance Mapping
+
+> **How the Capsule protocol maps to the frameworks your auditors care about.**
+
+---
+
+## Scope
+
+This directory maps **protocol-level** capabilities to regulatory controls. Every mapping describes what the Capsule Protocol Specification (CPS) itself provides: structured records, cryptographic sealing, hash chain integrity, and cross-language verification.
+
+Application-level controls (access management, network security, operational procedures) are the responsibility of the deployment environment, not the protocol.
+
+---
+
+## FIPS Algorithm Compliance
+
+| Algorithm | FIPS Standard | Status | Capsule Usage |
+|---|---|---|---|
+| SHA3-256 | FIPS 202 (SHA-3) | Published August 2015 | Content hashing for every Capsule |
+| Ed25519 | FIPS 186-5 (Digital Signatures) | Published February 2023 | Required signature on every Capsule |
+| ML-DSA-65 | FIPS 204 (ML-DSA) | Published August 2024 | Optional post-quantum dual signature |
+
+All three algorithms are NIST-standardized. No deprecated or non-standard cryptography is used.
+
+---
+
+## Framework Mappings
+
+| Framework | Controls Mapped | Document |
+|---|---|---|
+| [NIST SP 800-53 Rev. 5](./nist-sp-800-53.md) | AU-2 through AU-12, SC-13, SC-28, SI-7 | Audit, integrity, crypto |
+| [NIST AI RMF 1.0](./nist-ai-rmf.md) | GOVERN, MAP, MEASURE, MANAGE | AI risk management |
+| [EU AI Act](./eu-ai-act.md) | Articles 12, 13, 14 | Record-keeping, transparency, oversight |
+| [SOC 2 Type II](./soc2.md) | CC6.1, CC7.2, CC7.3, CC7.4, CC8.1 | Trust Services Criteria |
+| [ISO 27001:2022](./iso27001.md) | A.8.15, A.8.16, A.8.17, A.8.24, A.8.25 | Annex A controls |
+| [HIPAA](./hipaa.md) | §164.308, §164.312 | Security Rule safeguards |
+| [GDPR](./gdpr.md) | Articles 5, 25, 30, 32, 35 | Data protection principles |
+| [PCI DSS v4.0](./pci-dss.md) | Req 10, Req 11.5, Req 11.6 | Logging, monitoring, change detection |
+| [FedRAMP](./fedramp.md) | AU-9(3), AU-10, SI-7(1-7), SC-8(1), SC-28(1), CM-3 | Federal cloud authorization |
+| [FINRA](./finra.md) | SEC 17a-4, REC-2, Rule 3110 | Financial recordkeeping, supervision |
+| [CMMC 2.0](./cmmc.md) | AU.L2-3.3.x, SC.L2-3.13.x, AC.L2-3.1.12 | DoD contractor CUI protection |
+
+---
+
+## Cross-Language Conformance
+
+Capsule sealed in any language can be verified in any other. The Capsule Protocol Specification (CPS) defines:
+
+- Byte-level canonical JSON serialization rules
+- 16 golden test vectors covering all CapsuleTypes, Unicode, fractional timestamps, chain sequences, empty vs null, deep nesting, and failure paths
+- SHA3-256 hash determinism across implementations
+
+Python and TypeScript reference implementations are available now. All conformant implementations produce byte-identical canonical JSON and matching SHA3-256 hashes for the golden test vectors.
+
+See [CPS Specification](../../spec/) for protocol details.
+
+---
+
+## Related Documentation
+
+- [Security Evaluation](../security.md) -- Cryptographic architecture, key management, attack surface
+- [Architecture](../architecture.md) -- 6-section model, sealing process, hash chain
+- [CPS Specification](../../spec/) -- Protocol rules and golden test vectors