
Compliance

Jorv Builder is Article 12-ready by default. The compliance primitives — PROV chain, WORM-style audit, Merkle checkpoints, two-key merge, TMF export — work regardless of which deadline ends up applying.

This page is the public reference. For the marketing pitch, see /builder/compliance; for the regulated-industry tier, see /builder/enterprise.

What we mean by "Article 12-ready"

EU AI Act Article 12 (record-keeping for high-risk AI systems) is moving. The final requirements may change. What stays stable across drafts:

  • Automatic logging of relevant events during operation
  • Traceability of decisions through the system
  • Retention for an auditable period
  • Attribution to the operator/user responsible

Jorv writes a PROV chain that covers all four — typed nodes for every Brain action, cryptographic continuity, configurable retention, human attribution at every approval gate.

The PROV chain

Every action lands as a typed PROV node:

  • brainstorm — A brainstorm artefact (request + approaches + chosen path)
  • plan — A drone-army plan or a direct-build plan
  • edit — A code edit (file path, before/after hash, diff)
  • tool-call — A tool invocation (name, inputs, outputs, duration)
  • test-run — A test execution (suite, result, output)
  • audit-finding — An Expert Audit finding (severity, category, evidence)
  • approval — A human approval (user, action, target, timestamp)
  • merge — A git merge (branch, SHA, approver(s))
  • deploy — A deployment recipe execution (target, version, status)

Nodes link by SHA-256 hash to their parent, forming an unbroken chain back to the project's first commit.

Audit storage tiers

Tier | Storage
Solo / Team | On-device SQLite, retained for the project lifetime
Enterprise | Your corporate WORM bucket (S3 Object Lock / Azure Blob Immutable / GCS Bucket Lock)

Enterprise tier additionally Merkle-roots the daily checkpoint and publishes the root externally, so the chain can be verified end-to-end without trusting Jorv.
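
An added illustration (not Jorv's code) of the two checks described above: walking the SHA-256 parent links of the PROV chain, and comparing a Merkle root over the nodes with an externally published one. The node layout (`parent`, `type`, `payload`), the canonical-JSON encoding, the all-zero genesis parent and the tree construction are assumptions, since the page does not specify them.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed parent value for the first node

def sha256(data):
    return hashlib.sha256(data).digest()

def node_hash(node):
    # Assumed encoding: canonical JSON (sorted keys, no whitespace), hex digest.
    return sha256(json.dumps(node, sort_keys=True, separators=(",", ":")).encode()).hex()

def build_chain(events):
    chain = []
    for node_type, payload in events:
        parent = node_hash(chain[-1]) if chain else GENESIS
        chain.append({"parent": parent, "type": node_type, "payload": payload})
    return chain

def first_broken_link(chain):
    # Index of the first node whose parent hash does not match, or -1 if intact.
    expected = GENESIS
    for i, node in enumerate(chain):
        if node.get("parent") != expected:
            return i
        expected = node_hash(node)
    return -1

def merkle_root(chain):
    # 0x00 leaf / 0x01 interior prefixes; an odd node is promoted, not duplicated.
    level = [sha256(b"\x00" + bytes.fromhex(node_hash(n))) for n in chain] or [sha256(b"")]
    while len(level) > 1:
        pairs = [sha256(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        level = pairs + ([level[-1]] if len(level) % 2 else [])
    return level[0].hex()

def tamper(chain, index, relink):
    # relink=True recomputes later parent hashes so the links still look valid.
    forged = copy.deepcopy(chain)
    forged[index]["payload"]["result"] = "pass"
    for i in range(index + 1, len(forged) if relink else 0):
        forged[i]["parent"] = node_hash(forged[i - 1])
    return forged

CHAIN = build_chain([  # constructed sample events; node types are from the page
    ("test-run", {"suite": "unit", "result": "fail"}),
    ("approval", {"user": "alice", "action": "merge", "target": "main"}),
    ("merge", {"branch": "feature/retry", "approvers": ["alice", "bob"]}),
])
PUBLISHED_ROOT = merkle_root(CHAIN)  # stands in for the externally published root
```

An in-place edit breaks the next parent link, while a rewrite that relinks every later node passes the link check and is caught only by the mismatch against the published root.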

Two-key merge

On regulated branches (configurable via .orbit/regulated.yml), a merge requires two distinct human approvers with separate audit identities. The Brain can propose; only humans with keys can land.

This separates the "engineer who wrote it" from the "approver who landed it" — a hard requirement in many regulated environments.

TMF export (Enterprise tier)

The Trial Master File (TMF) export bundles the PROV chain into a TMF-shaped package: PROV nodes grouped by study/asset/release, with linked artefacts (brainstorm docs, test results, audit findings, approvals, dispositions). Drop straight into your eTMF system.

Standards supported:

  • DIA TMF Reference Model 3.3
  • eTMF essential-documents structure

Brainstorm-gated merges

Default-on. A feature branch cannot merge without a referenced Brainstorm artefact. The Brainstorm is the evidence of considered design — the "why" you can show an auditor months later.

Override is logged in the PROV chain as an explicit merge-without-brainstorm event with the human's reason.

What's included by tier

See the tier matrix at /builder/compliance.
