Deterministic Surface

The current Verify contract is explicit.

This page describes the narrow deterministic reference surface behind the local OpenCompliance CLI, API, and browser workbench. It is a synthetic public contract, not a claim of a hosted production verification service. OSCAL is part of that contract, but this surface goes beyond OSCAL by binding typed evidence claims, classification results, proof outputs, trust-surface reporting, and replayable verification artifacts into one deterministic run.

Verifier release Verify workbench Open contract JSON

Current reference entrypoints

CLI and local API

cd projects/dev/opencompliance
python3 scripts/verify_fixture.py --fixture-root fixtures/public/issued --check

cd projects/dev/opencompliance
python3 scripts/serve_verify_api.py --port 8788

cd projects/dev/opencompliance
python3 -m http.server 8000

Then open http://127.0.0.1:8000/ui/verify/. The compatibility wrapper still exists for the built-in ExampleCo packs via python3 scripts/verify_example.py --fixture issued --check.

See workbench

API routes

`GET /contract` and `POST /verify`

The local HTTP surface exposes GET /healthz, GET /fixtures, GET /contract, and POST /verify. The workbench does not invent a second verdict path. It calls the same local API contract as the CLI and uses the same deterministic runtime artifacts, typed boundary tags, and outcome policies.

Open contract JSON

Supported input modes

Mode 1

`fixture_path`

{
  "fixtureName": "issued",
  "input": {
    "mode": "fixture_path",
    "fixtureRoot": "/abs/path/to/fixture-shaped-root"
  }
}

See local runner

Mode 2

`inline_bundle`

{
  "fixtureName": "issued",
  "input": {
    "mode": "inline_bundle",
    "profile": {"profileId": "exampleco-issued-profile"},
    "evidenceClaims": [],
    "useDefaultOscalSeed": true
  }
}

The inline bundle can also carry explicit OSCAL material under input.oscal with catalog, profile, ssp, and mappingCollection. If input.oscal is omitted, the local API can currently fall back to the checked-in OSCAL seed for the selected fixture when useDefaultOscalSeed is true.

See public package model

Deterministic outputs

Artifacts

Always emitted

proof-bundle.json
trust-surface-report.md
verification-result.json
replay-bundle.json
witness-receipt.json
revocation.json

See bundled release

Outcome

Conditional final artifact

The outcome artifact depends on the proof summary: certificate.json when there are zero judgmentRequired and zero evidenceMissing, and punch-list.json otherwise.

See outcome examples

Inputs

Current corridor files

The deterministic corridor uses profile.json, evidence-claims.json, and the matching OSCAL catalog, profile, SSP, and mapping files under oscal/.

That is deliberate: OSCAL carries the standards-aligned interchange layer, while OpenCompliance adds the typed evidence semantics, proof boundary tags, outcome logic, and replayable publication artifacts that OSCAL alone does not define.

See fixture contents

What it is useful for

This reference surface is useful for validating the artifact contract, testing blocked and successful runs, checking fixture-shaped inputs by path instead of only by built-in example name, and exercising replay and transparency logic.

See ExampleCo showcase

Current boundary

This is still a synthetic reference surface. It is now a stable local CLI plus local HTTP/JSON API plus local browser workbench for the synthetic corridor, but it is still not a general live-evidence network API.

Current limitations: the API is intentionally local-only and unauthenticated; the request model still depends on known fixture names and corridor shapes; inline bundles can reuse checked-in OSCAL seed material; connector-ingress enforcement is now live for the synthetic system-export surface, and the release line now publishes trust-root profiles for environment-supplied release identities, but live connectors, exercised non-synthetic publication roots, and non-synthetic ingress remain future work.

See remaining product gaps