Current Focus
First corridor first
The first milestone is intentionally narrow. Seed public corridors now exist for blocked, stale, certificate-eligible, cyber-baseline, and AI-governance ExampleCo runs, the public lifecycle pack now shows what happens after drift, the specs now include an exact-anchor review pilot that reaches across 56 public controls and 30 frameworks with 257 review entries, the Lean corridor now carries a LegalLean-backed typed boundary layer with runtime-consumed verdicts live across every current public fixture, and the Verify surface now includes a deterministic local HTTP/JSON API as well as the local CLI. The medium, issued, and cyber-baseline packs now also include the promoted access-review-export, password-policy, managed-WAF, centralized-monitoring, network-boundary, plaintext-transport, encryption-at-rest, unique-infrastructure-identity, segmentation, key-hygiene, locality, secure-baseline, update-hygiene, malware-protection, incident, repository-integrity, retention/deletion, supplier-commitment, reported-security-concern, and outsourced-development proof, attestation, or judgment wave, while the public ontology now also carries planned continuity, risk-governance, facilities, ISMS-context, project-security, stakeholder-management, continual-improvement, compliance-inventory, intellectual-property, remote-working, conduct, audit, support, intelligence, facility-workspace, and richer AI provenance/evaluation/data-quality branches with matching typed claim schemas. The new mapping-program files now make the remaining exact-anchor, claim, Lean, and fixture rollout work explicit instead of burying it in prose. That is the right shape: formalize a few defensible controls well before claiming broad framework coverage loosely.