EuConform Evidence Format

The EuConform Evidence Format is an open specification for structured, offline AI Act compliance evidence. It defines machine-readable document types that capture what a scanner found — not legal verdicts, but verifiable evidence for human review.

Stage 1 schemas are frozen. Breaking changes require a new major version.

Overview

The EuConform Evidence Format defines three stable Stage 1 document types and one Stage 2 transport document for EU AI Act evidence:

  • AI BOM (AI Bill of Materials) is the inventory layer — which AI components are present
  • Report is the compliance evidence layer — what signals, gaps, and recommendations the scanner found
  • CI is the enforcement layer — pass/fail gate status for CI pipelines
  • Bundle is the transport and integrity layer — which files belong together and whether they still match their recorded hashes

“AI BOM” is one document type within the EuConform Evidence Format, not the name of the overall specification.

Document types

AI Act mapping

The EuConform Evidence Format compliance signals map to specific areas of the EU AI Act. The scanner detects evidence for these areas — classification and legal interpretation remain with the human reviewer.

| Compliance area | AI Act reference | Format field |
| --- | --- | --- |
| AI disclosure | Art. 50 — Transparency obligations | complianceSignals.disclosure |
| Bias testing | Art. 10 — Data and data governance | complianceSignals.biasTesting |
| Reporting and exports | Art. 12 — Record-keeping | complianceSignals.reportingExports |
| Logging and monitoring | Art. 12 — Record-keeping | complianceSignals.loggingMonitoring |
| Human oversight | Art. 14 — Human oversight | complianceSignals.humanOversight |
| Data governance | Art. 10 — Data and data governance | complianceSignals.dataGovernance |
| Incident reporting | Art. 62 — Reporting of serious incidents | complianceSignals.incidentReporting |

Report v1

The report is the primary compliance evidence document. It captures what the scanner found across seven compliance areas, including assessment hints, gaps, and recommendations.

Required fields

  • schemaVersion: "euconform.report.v1"
  • generatedAt: ISO 8601 timestamp
  • tool: Scanner name and version
  • target: Project path, name, type, detected stack
  • aiFootprint: AI usage, inference modes, providers, RAG hints
  • complianceSignals: 7 compliance area groups (status, confidence, evidence)
  • assessmentHints: Risk indicators, GPAI indicators, open questions
  • gaps: Scanner-derived compliance gaps with priority and status
  • recommendationSummary: Prioritized action items


AI BOM v1

The AI Bill of Materials is the inventory layer — a structured list of AI-relevant components in the scanned project, plus detected compliance capabilities.

Required fields

  • schemaVersion: "euconform.aibom.v1"
  • generatedAt: ISO 8601 timestamp
  • project: Project name and root path
  • components: Array of AI components (kind, name, source) — empty for non-AI projects
  • complianceCapabilities: Boolean flags: biasEvaluation, jsonExport, pdfExport, logging, humanReview, incidents

Component IDs follow the pattern kind:kebab-name, e.g. inference-provider:openai, runtime:node-js.


CI v1

The CI document is the enforcement layer — a compact summary for pipeline gates and dashboards. It captures pass/fail status, gap counts, and the top findings.

Required fields

  • schemaVersion: "euconform.ci.v1"
  • generatedAt: ISO 8601 timestamp
  • target: Project name and root path
  • status: failOn level, failing flag, gapCounts (critical/high/medium/low), openQuestions count
  • aiDetected: Whether AI components were found
  • scanScope: "production" or "all"
  • artifacts: List of artifacts written during the scan
  • complianceOverview: Summary of all 7 compliance areas
  • topGaps: First 5 gaps (id, title, priority, status)


Bundle v1

The bundle is the Stage 2 transport and integrity layer. It binds artifacts from a single scan run into a verifiable unit and optionally packages them as a flat ZIP archive.

Required fields

  • schemaVersion: "euconform.bundle.v1"
  • generatedAt: ISO 8601 timestamp
  • tool: Tool name and version used to generate the bundle
  • target: Project name and root path shared by the artifact set
  • artifacts: Manifest entries containing role, filename, SHA-256, and optional schemaVersion

Each artifact entry records role, fileName, sha256, required, and optional schemaVersion or mimeType.


Schemas

All EuConform Evidence Format schemas use JSON Schema Draft 2020-12 with additionalProperties: false for strict validation.

Canonical URLs: https://euconform.eu/schemas/spec/{type}-v1.schema.json

Examples

Four example scenarios demonstrate the EuConform Evidence Format across different project types. The local Ollama and RAG scenarios also have builder-facing source projects in the repository.

Web App

Next.js with cloud OpenAI — typical SaaS AI integration

Local Ollama

Local inference with Ollama/llama.cpp — no cloud dependency

RAG Service

Retrieval-Augmented Generation with LangChain and ChromaDB

Non-AI

Static site with no AI components — demonstrates clean zero-AI evidence

Validation

Validate any EuConform Evidence Format document against the published schemas using ajv:

npm install ajv ajv-formats

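// validate.mjs
// The schemas are JSON Schema Draft 2020-12, so use Ajv's 2020-12 build;
// the default "ajv" export only knows draft-07.
import Ajv2020 from "ajv/dist/2020.js";
import addFormats from "ajv-formats";
import { readFileSync } from "fs";

const ajv = new Ajv2020({ strict: false });
addFormats(ajv);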

const schema = JSON.parse(
  readFileSync("report-v1.schema.json", "utf8")      // or fetch from:
  // https://euconform.eu/schemas/spec/report-v1.schema.json
);

const report = JSON.parse(
  readFileSync(".euconform/euconform.report.json", "utf8")
);

const valid = ajv.validate(schema, report);
if (!valid) console.error(ajv.errors);
else console.log("Valid EuConform report.");

For full artifact-set verification, prefer the built-in CLI verify command instead of validating the manifest alone.

Generate with CLI

The EuConform CLI scans a codebase and writes the EuConform Evidence Format artifacts to .euconform/:

pnpm --filter @euconform/cli build

node packages/cli/dist/index.js scan .

# Output:
#   .euconform/euconform.report.json
#   .euconform/euconform.aibom.json
#   .euconform/euconform.summary.md

# With CI gate:
node packages/cli/dist/index.js scan . --ci github --fail-on high

# Additional output:
#   .euconform/euconform.ci.json
#   .euconform/euconform.ci-summary.md
#   .euconform/euconform.bundle.json

# Create a transport archive:
node packages/cli/dist/index.js scan . --zip true

# Additional output:
#   .euconform/euconform.bundle.zip

For a fast adoption path, try examples/ollama-chatbot or examples/rag-assistant from the repo root before scanning your own project.

Verify bundles

The CLI is the first Stage 2 bundle consumer. It verifies bundle manifests, extracted bundle directories, and ZIP archives without modifying your project.

# Verify a manifest file
node packages/cli/dist/index.js verify .euconform/euconform.bundle.json

# Verify an extracted bundle directory
node packages/cli/dist/index.js verify .euconform/euconform.bundle

# Verify a ZIP archive
node packages/cli/dist/index.js verify .euconform/euconform.bundle.zip

# Escalate warnings to errors for CI
node packages/cli/dist/index.js verify .euconform/euconform.bundle.json --strict --fail-on warnings

Hash and metadata mismatches are warnings by default. Missing required artifacts or an invalid bundle manifest are always errors.
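
The severity rules above, sketched as an added example (not the EuConform CLI's own code). It assumes sha256 is the lowercase hex digest of the raw file bytes and that a missing optional artifact is not reported; verifyBundle, its strict option, and the sample role names and data are hypothetical.

```javascript
// Added example, not the EuConform CLI's implementation.
// Assumption: sha256 is the lowercase hex SHA-256 of the raw file bytes.
const { createHash } = require("node:crypto");
const sha256Hex = (buf) => createHash("sha256").update(buf).digest("hex");

// manifest: parsed euconform.bundle.json; files: Map of fileName -> Buffer.
function verifyBundle(manifest, files, { strict = false } = {}) {
  const errors = [], warnings = [];
  if (manifest?.schemaVersion !== "euconform.bundle.v1" || !Array.isArray(manifest.artifacts)) {
    return { ok: false, errors: ["invalid bundle manifest"], warnings };
  }
  for (const a of manifest.artifacts) {
    // The bundle is flat: refuse names that could point outside its directory.
    if (typeof a?.fileName !== "string" || /[\\/]|^\.\.?$/.test(a.fileName)) {
      errors.push(`invalid fileName: ${JSON.stringify(a?.fileName)}`);
      continue;
    }
    const data = files.get(a.fileName);
    if (data === undefined) {
      if (a.required) errors.push(`missing required artifact: ${a.fileName}`);
      continue; // assumption: a missing optional artifact is not reported
    }
    if (sha256Hex(data) !== String(a.sha256).toLowerCase()) warnings.push(`hash mismatch: ${a.fileName}`);
    if (a.schemaVersion) {
      // Metadata check: the recorded schemaVersion must match the file's own.
      let found;
      try { found = JSON.parse(data.toString("utf8")).schemaVersion; } catch { /* not JSON */ }
      if (found !== a.schemaVersion) warnings.push(`schemaVersion mismatch: ${a.fileName}`);
    }
  }
  if (strict) errors.push(...warnings.splice(0)); // escalate warnings to errors
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample data (not real scan output); role names are placeholders.
const report = Buffer.from('{"schemaVersion":"euconform.report.v1"}');
const sampleManifest = {
  schemaVersion: "euconform.bundle.v1",
  artifacts: [
    { role: "report", fileName: "euconform.report.json", sha256: sha256Hex(report),
      required: true, schemaVersion: "euconform.report.v1" },
    { role: "summary", fileName: "euconform.summary.md", sha256: "0".repeat(64), required: false },
  ],
};
const sampleFiles = new Map([
  ["euconform.report.json", report],
  ["euconform.summary.md", Buffer.from("# edited after the scan\n")],
]);
console.log(verifyBundle(sampleManifest, sampleFiles));
```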

View in Web App

The EuConform web app includes a Scan Viewer that imports the EuConform Evidence Format artifacts directly in the browser — no upload, no server, fully client-side.

  1. Open the web app and select Import Scan
  2. Drop your .euconform/ files (report is required, aibom/ci/summary are optional)
  3. The viewer displays compliance signals, gaps, AI BOM, and CI status

Versioning and compatibility

  • schemaVersion is the compatibility boundary for every document
  • Schemas enforce additionalProperties: false — all fields must be explicitly defined
  • Patch releases do not change document shape
  • Adding optional fields requires a new schema revision (e.g. report-v1.1.schema.json)
  • Breaking changes use a new schemaVersion (e.g. euconform.report.v2)

Scope and limitations

The EuConform Evidence Format currently covers Stage 1 evidence documents and the Stage 2 bundle manifest. The following are not part of the current specification:

  • euconform.eval.v1 — evaluation results and benchmarks (reserved, not yet specified)
  • Automatic ZIP import in the web viewer
  • Full prompt histories or training data disclosure
  • Legally binding classification or certification
  • A separate npm consumer package (use the schemas directly)

The EuConform Evidence Format produces evidence for human review, not automated legal verdicts. Compliance classification requires human judgment informed by organizational context.