Blog, 17 May 2026, 4 min read
Produce a regulator-ready compliance archive
Core feature finally landing.
Late-Sunday lab notes from Phase 9: end-to-end testing produces a cryptographically anchored, GPG-signed NIS2 compliance archive on a laptop. This is what we've been describing across nine phases. It works.

EdSSA ships compliance packs for ten regulatory regimes — EU NIS2, NERC CIP, HIPAA, PCI DSS, ISO 27001, automotive, aviation, maritime, the usual suspects. The idea is that any operator running the platform can produce a cryptographically anchored evidence archive that a regulator can verify with standard tools. The headline magic: each archive's manifest gets signed with the operator's GPG key — the same kind of key a developer signs git commits with. Auditors verify it with stock gpg. Nothing exotic.
A couple of false starts (forgot a config file, had the audit setting on the lightweight tier so no cryptographic anchors got sealed), then it worked:
- The export tool spat out a directory of regulator-readable JSON plus a detached signature file.
- Stock `gpg --verify` reported a good signature, from the same operator key that signs the project's releases.
- Inside the archive, the per-fleet audit summary referenced a cryptographic fingerprint: a single hash that summarises a batch of specific authentication events from the run I'd just done.
Read that slowly. Imagine a regulator hands me that file. They can:
- Run `gpg --verify` and confirm the archive came from the operator they expect.
- Run the verifier tool against a fresh snapshot of the audit database and confirm that the hash truly is the fingerprint of those specific authentication events.
- See a "chains to genesis" indicator and know the chain reaches all the way back to its origin — nothing has been quietly trimmed.
That hash is a fingerprint over events that happened on my laptop a couple of minutes earlier. Tamper with any one of them and the hash changes. Drop one, and the chain breaks. The GPG signature ties the whole archive to the operator identity that produced it.
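As an added illustration (this is not EdSSA's code, and the chain format it uses is my own assumption), here is a small verifier for the fingerprint-and-chain check described above, showing what a tampered event, a dropped event and a quietly trimmed batch each look like to it:

```python
import copy
import hashlib
import json

# Assumed chain format (not EdSSA's actual on-disk format): each entry records
# its predecessor's hash, an entry's hash is SHA-256(prev hash + canonical JSON),
# the first entry links to a fixed genesis value, and the batch fingerprint is
# the hash of the last entry.
GENESIS = "0" * 64

def event_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def seal_batch(events: list) -> tuple:  # link raw events; returns (chain, fingerprint)
    chain, prev = [], GENESIS
    for e in events:
        chain.append({"prev": prev, "event": e})
        prev = event_hash(prev, e)
    return chain, prev

def verify_batch(chain: list, fingerprint: str) -> dict:  # what a regulator's verifier re-derives
    prev, intact = (chain[0]["prev"] if chain else GENESIS), True
    for entry in chain:
        if entry["prev"] != prev:  # dropped or reordered event: link broken
            intact = False
            break
        prev = event_hash(prev, entry["event"])
    return {"chain_intact": intact,
            "fingerprint_ok": intact and prev == fingerprint,
            "chains_to_genesis": bool(chain) and chain[0]["prev"] == GENESIS}

SAMPLE = [  # constructed: three authentication events from one lab run
    {"ts": "2026-05-17T22:01:03Z", "fleet": "lab", "user": "alice", "result": "ok"},
    {"ts": "2026-05-17T22:01:09Z", "fleet": "lab", "user": "bob", "result": "denied"},
    {"ts": "2026-05-17T22:01:15Z", "fleet": "lab", "user": "alice", "result": "ok"},
]
CHAIN, FINGERPRINT = seal_batch(SAMPLE)

def tampered() -> dict:  # edit the newest event: links still hold, fingerprint does not
    c = copy.deepcopy(CHAIN)
    c[-1]["event"]["result"] = "denied"
    return verify_batch(c, FINGERPRINT)

def dropped() -> dict:  # remove the middle event: the next entry's link no longer matches
    return verify_batch(CHAIN[:1] + CHAIN[2:], FINGERPRINT)

def trimmed() -> dict:  # cut the oldest event: internally consistent, but not anchored to genesis
    return verify_batch(CHAIN[1:], FINGERPRINT)
```

The trimmed case is why the "chains to genesis" indicator matters on its own: a shortened batch can still verify internally and still match its fingerprint.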
That's what the patent has been describing across nine phases. It works. On a laptop. End to end.
Where we are now: the Enterprise-tier substrate milestone is tagged, signed, and pushed. A long stretch of focused work landed, plus one small follow-up patch this testing surfaced. Workspace tests are all green, no build warnings. Real cross-binary mint + verify on loopback, the engine doing what the patent says it should. And a real GPG-signed NIS2 compliance archive with cryptographic anchors traceable back to actual traffic minted seconds earlier.
The architectural substrate is done. Operator-side gates — independent security audits, the acquisition data room, customer contracts — are calendar-time work that takes calendar time. But the engine works. The tooling works. The compliance workflow round-trips through stock tools.
The story we've been telling across nine phases — that this thing can deliver auditable, cryptographically anchored, compliance-grade authentication — that story now has receipts.
More tier-by-tier walkthroughs coming soon: the operator panel with Touch ID enrolment, the multi-tenant management surface, the database backend, the negative tests. But this is the satisfying part. The substrate isn't just code — it's code that does the thing.
Good night Helsinki!