The Artifact

OSCAL bundle viewer + Cedar playground.

Pick a control. See the predicate. Trace it to the upstream receipts that satisfy it. Edit the predicate, re-derive.

Dimension

OSCAL bundle

1.18 J

per call

Assessment Results as one signed document

An OSCAL 1.1.2 Assessment Results (SAR) bundle. 11 findings, each linking by BLAKE3 hash to a Cedar predicate and to every upstream receipt that satisfied it. The bundle is the only artifact the assessor consumes — no spreadsheets, no PDF appendices, no screenshot folders.

Sample receipt

JWP ReceiptPayload

kind "compliance.bundle.assembled"

format OSCAL JSON 1.1.2

size_kb 184

joules 1.18

cite "OSCAL SAR 1.1.2 · NIST SP 800-53 Rev 5"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

schema

OSCAL 1.1.2 SAR

signing

Ed25519 over canonical JSON

addressing

BLAKE3

Dimension

Cedar predicate

0.87 J

per call

Controls as compiled code

Cedar 4.2 policy expressions replace control narratives. AU-12 reads: permit(principal, action == Action::"emit", resource) when { resource.sig != null }. The control is the predicate; the predicate is what the auditor evaluates; the evaluator is open.

Sample receipt

JWP ReceiptPayload

kind "compliance.predicate.compiled"

lines_of_cedar 342

predicates 11

joules 0.87

cite "Cedar 4.2 · 800-53 Rev 5 implementation layer"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

engine

Cedar 4.2

evaluation

pure function

Dimension

Receipt evidence chain

1.42 J

per call

Receipts as audit primary sources

Every finding links to the upstream receipts that satisfied it, by content hash. The chain for AC-2 (Account Management) traces 8 trust.id.token.issued receipts, each pinning a vp_hash that resolves to a verifiable credential. Breaking the chain requires breaking a signature.

Sample receipt

JWP ReceiptPayload

kind "compliance.evidence.selected"

receipts 31

kinds 6

joules 1.42

cite "OSCAL 1.1.2 §SAR links · BLAKE3 content addressing"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

selector

Cedar input typed against kind

addressing

BLAKE3-256

Dimension

Control mapping

0.31 J

per call

NIST 800-53 → Cedar → receipts

A three-column map: NIST 800-53 Rev 5 control id, the Cedar predicate that implements it, the receipt kinds that feed it. AC-1, AC-2, AC-3 fed by trust.id.token.issued. AU-2, AU-12 fed by every state-mutating receipt. SC-12 fed by trust.key.rotation events. The map is the OSCAL profile.

Sample receipt

JWP ReceiptPayload

kind "compliance.profile.loaded"

controls 11

receipt_kinds_referenced 9

joules 0.31

cite "OSCAL 1.1.2 profile · NIST SP 800-53 Rev 5"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

profile_id

fincen-rre-2026

imported_baseline

800-53 Rev 5 low

Dimension

CSRD projection

0.55 J

per call

ESRS E1 as a sum over joules

CSRD Article 29b energy disclosure (ESRS E1-5) is a SUM(joules) projection over the receipt log, partitioned by entity and reporting window. The Q2-2026 row reads 2,418,902 J = 0.672 kWh for entity tx_science:row_4408. Re-running the projection on the same window returns the same number, byte-for-byte.

Sample receipt

JWP ReceiptPayload

kind "compliance.csrd.projection"

esrs_metric E1-5

kwh_q2 0.672

joules 0.55

cite "EU 2023/2772 ESRS E1 §29b · Article 29b CSRD"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

regulation

Directive (EU) 2022/2464

standard

ESRS E1 (Climate change)

evaluator

pure SQL over receipt store

ComplianceOS, in one line

predicate, made inspectable.

Click anything. The same primitives that compose the rest of the Transaction Science family — receipts, joules, signed transport — show up here too. The family is one system.

← Watch the scenario Back to Transaction Science →