EU AI Act Art. 50 · enforcement in · PLD 2024/2853 Art. 10 · rebuttable presumption · DORA Art. 19-20 · in force since 2025-01-17

Apohara TrustLayer · v3.0 + W7/W8/W9 · 2026

Court-grade cryptographic certificates for AI.

Forensic receipts: your AI evidence stands up in court — and in audit.

TrustLayer produces COSE_Sign1 receipts with Ed25519 + ML-DSA-65 hybrid signatures, RFC 3161 qualified timestamps from Actalis Italia, and SCITT anchors — so your AI evidence stands up in court and in audit. EU AI Act Art. 50 + DORA + PLD 2024/2853 + ISO 42001.

  • EU AI Act · Art 50
  • DORA · Art 19-20
  • PLD 2024/2853 · Art 10
  • FIPS 204 · ML-DSA-65
  • COSE_Sign1 · RFC 9052
  • 36 MCP · tools
  • MIT / Apache-2.0

  • 1,287 tests passing · 1,137 Rust + 119 tl-evidence + 202 Python + 21 TS SDK + 16 Go SDK · 0 failures
  • 36 MCP tools · tl-mcp-server · stdio JSON-RPC · Claude Code / Cursor / Codex
  • 1,952 B ML-DSA-65 public key · FIPS 204 post-quantum hybrid · coset 0.4.2 pinned
  • 3,309 B signature size · COSE_Sign1 envelope · Ed25519 (64B) + ML-DSA-65 (3,309B) hybrid

The 4-layer compliance model.

Every disclosure reports 4 independent layers per EU AI Act Art. 50 + Code of Practice §3.2. The rollup is most-restrictive-wins — a NonCompliant in any layer forces the global rollup. We surface NotApplicable and Partial honestly; we never false-positive green.

EU AI Act Art. 50(1)(a)

Visible disclosure

User-facing text label that marks AI-generated content. Covered: disclosure_text + disclosure_html_widget.

● Compliant

EU AI Act Art. 50(2)

Machine-readable

COSE_Sign1 envelope (RFC 9052) + RFC 3161 qualified timestamp from Actalis Italia (eIDAS). Full CMS signature verification per RFC 5652 §5.6.

● Compliant

EU AI Act Art. 50(3)

Watermark

Pure-Python Kirchenbauer z-test detector (z > 4.0) for text. Covered for text; Partial for image / audio / video (planned v1.1.1).

▲ Partial
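The z-test named in the watermark layer, as an added example (not TrustLayer's detector): it counts "green" tokens and flags text only when z > 4.0. Assumptions not taken from the page: whitespace tokenization, a green-list rule built from HMAC-SHA-256 over (previous token, token), γ = 0.5, and a constructed key, vocabulary and sample texts.

```python
import hashlib
import hmac
import math

GAMMA = 0.5        # green-list fraction (assumed value)
Z_THRESHOLD = 4.0  # detection threshold stated on the page

def is_green(key: bytes, prev: str, tok: str) -> bool:
    """Assumed partition rule: keyed hash of (previous token, token) below GAMMA."""
    mac = hmac.new(key, f"{prev}\x00{tok}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") / 2**64 < GAMMA

def detect(text: str, key: bytes) -> dict:
    """One-proportion z-test on the green-token count of whitespace tokens."""
    toks = text.split()
    scored = len(toks) - 1  # the first token has no predecessor to seed its list
    if scored < 1:
        raise ValueError("need at least two tokens to score")
    green = sum(is_green(key, p, t) for p, t in zip(toks, toks[1:]))
    z = (green - GAMMA * scored) / math.sqrt(scored * GAMMA * (1 - GAMMA))
    return {"scored": scored, "green": green, "z": round(z, 2),
            "watermarked": z > Z_THRESHOLD}

def embed_demo(key: bytes, vocab: list, n: int) -> str:
    """Constructed stand-in for a watermarking sampler: each step emits an
    unused vocabulary word that is green for the previous word."""
    out, pool = [vocab[0]], list(vocab[1:])
    while len(out) <= n and pool:
        pick = next((t for t in pool if is_green(key, out[-1], t)), pool[0])
        pool.remove(pick)
        out.append(pick)
    return " ".join(out)

# Constructed sample data: a demo key, a synthetic vocabulary, two 61-token texts.
KEY = b"constructed-demo-key"
VOCAB = [f"w{i}" for i in range(128)]
MARKED = embed_demo(KEY, VOCAB, 60)
PLAIN = " ".join(VOCAB[:61])

if __name__ == "__main__":
    print("marked, right key:", detect(MARKED, KEY))
    print("marked, wrong key:", detect(MARKED, b"some-other-key"))
    print("plain text       :", detect(PLAIN, KEY))
```

With 60 scored tokens, at least 46 must be green to clear z > 4.0, so short texts cannot be classified and detection depends on holding the same key the generator used.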

Retention

Append-only audit

INSERT-only tables: disclosure_records + tool_execution_receipts + policy_decisions + key_rotation_events. 3y EU AI Act · 5y DORA.

● Compliant
Rollup · most-restrictive-wins: Partial · watermark out of scope for image/audio/video.
A NonCompliant in any layer forces the global rollup. We never false-positive green. Honest disclosure via the disclaimers field on every API response.
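The most-restrictive-wins rollup described above, as an added example (not TrustLayer's code). The layer keys, the severity order of the four statuses, and the fail-closed handling of a missing layer are assumptions of this example; the report is constructed to mirror the demo output on this page.

```python
from enum import IntEnum

class Status(IntEnum):
    # Assumed severity order; the page states only that the most
    # restrictive status wins and that NonCompliant forces the rollup.
    NOT_APPLICABLE = 0
    COMPLIANT = 1
    PARTIAL = 2
    NON_COMPLIANT = 3

# Hypothetical layer keys for the four layers the page lists.
LAYERS = ("visible_disclosure", "machine_readable", "watermark", "retention")

def rollup(report: dict) -> tuple:
    """Return (global_status, disclaimers) for a {layer: (Status, note)} report.

    A layer absent from the report is scored NON_COMPLIANT (fail closed,
    an assumption of this example) so a missing check can never read as green.
    """
    unknown = set(report) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    worst, disclaimers = Status.NOT_APPLICABLE, []
    for layer in LAYERS:
        status, note = report.get(layer, (Status.NON_COMPLIANT, "not reported"))
        if status is not Status.COMPLIANT:
            disclaimers.append(f"{layer}: {status.name} ({note})")
        worst = max(worst, status)
    return worst, disclaimers

# Constructed report mirroring the demo output on this page.
DEMO = {
    "visible_disclosure": (Status.COMPLIANT, "disclosure_text + html_widget present"),
    "machine_readable": (Status.COMPLIANT, "COSE_Sign1 + RFC 3161 verified"),
    "watermark": (Status.PARTIAL, "text only"),
    "retention": (Status.COMPLIANT, "append-only chain"),
}

if __name__ == "__main__":
    print(rollup(DEMO))
    print(rollup({k: v for k, v in DEMO.items() if k != "retention"}))
```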

The €15M question.

Three regulations you are already subject to. The deadlines are not negotiable; the evidence you keep is.

EU AI Act · Regulation 2024/1689

Art. 50 transparency

€15M or 3% global turnover

Fines for AI-generated content without machine-readable provenance or visible disclosure. Applies to deployers and providers in the EU market.

Deadline · 2 August 2026

PLD · Directive 2024/2853

Art. 10 evidence pack

Rebuttable presumption of defect

Shifts the burden of proof to the plaintiff when a seller holds a verifiable evidence pack. Without it, defect is presumed — under PLD Art. 10.

Deadline · 9 December 2026

DORA · Regulation 2022/2554

Art. 19-20 ICT incident log

22,000+ EU financial entities

Tamper-evident ICT incident logs required for credit institutions, insurers, and investment firms. Operational-resilience fines are layered on top.

In force since · 17 January 2025

Try it. Right now.

Three tabs mirror the production endpoints. Client-side only — no backend, no network, no secrets.

Client-side simulation · no backend · no network. Production uses real Actalis Italia RFC 3161 + real SCITT + real WASM SDK (tl-wasm).

$ POST /v1/notarize · client-side simulation
4-step pipeline · ~1.7s total
  1. Computing BLAKE3 content hash…
  2. Signing with COSE_Sign1 · Ed25519 + ML-DSA-65 hybrid…
  3. Timestamping via RFC 3161 (Actalis Italia · eIDAS)…
  4. Generating 4-layer compliance rollup…
cert_id · Partial · Watermark out of scope
content_hash
tsa_provider · Actalis Italia (eIDAS)
scitt_entry_id
issued_at
tenant · demo · apohara

4-layer compliance rollup

  • Visible disclosure (Art. 50(1)(a)) · ✓ Compliant
  • Machine-readable (Art. 50(2)) · ✓ Compliant
  • Watermark (Art. 50(3)) · ▲ Partial · text only
  • Retention (3y EU / 5y DORA) · ✓ Compliant

GET /verify/{cert_id} · 4-layer disclosure table
cert_id · ▲ Partial · Watermark text-only

Layer | Evidence | Status
Visible disclosure | disclosure_text + html_widget present | PASS
Machine-readable | COSE_Sign1 + RFC 3161 verified (Actalis Italia) | PASS
Watermark | Kirchenbauer z-test (z > 4.0) — text only | WARN
Retention | Append-only chain · 3y EU / 5y DORA | PASS

rollup · most-restrictive-wins
verify_url · https://trustlayer.apohara.io/verify/—

Python · apohara-trustlayer · PyPI · v3.0
# pip install apohara-trustlayer
from apohara_trustlayer import Notary

notary = Notary(api_key="…")
cert = notary.notarize(
    content="Report generated by GPT-4o on 2026-06-27",
    ai_system_id="gpt-4o@openai",
    tenant="acme",
)
print(cert.cert_id, cert.content_hash)

TypeScript · @apohara/trustlayer · npm · v3.0
// npm i @apohara/trustlayer
import { Notary } from "@apohara/trustlayer";

const notary = new Notary({ apiKey: process.env.TL_KEY! });
const cert = await notary.notarize({
  content: "Report generated by GPT-4o on 2026-06-27",
  aiSystemId: "gpt-4o@openai",
  tenant: "acme",
});
console.log(cert.certId, cert.contentHash);

Go · apohara-trustlayer/sdk/go · go.dev · v3.0
// go get github.com/SuarezPM/apohara-trustlayer/sdk/go
package main

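import (
    "context"
    "log"

    // Explicit alias: the import path ends in "go", but the code below
    // refers to the package as trustlayer.
    trustlayer "github.com/SuarezPM/apohara-trustlayer/sdk/go"
)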

func main() {
    n := trustlayer.New("…")
    cert, err := n.Notarize(context.Background(), trustlayer.NotarizeRequest{
        Content:    "Report generated by GPT-4o on 2026-06-27",
        AISystemID: "gpt-4o@openai",
        Tenant:     "acme",
    })
    if err != nil { log.Fatal(err) }
    log.Println(cert.CertID, cert.ContentHash)
}

Endpoints, RFCs, and what we shipped.

Five endpoints, eight standards, one frozen smoke-test artifact you can verify offline.

Endpoints

POST /v1/notarize | COSE_Sign1 + RFC 3161
GET /verify/{cert_id} | Public · HTML
GET /v1/verify/{cert_id} | Public · JSON L1
POST /v1/pld/rebuttal | PLD Art. 10 pack
GET /v1/dora/evidence-pack | DORA 7/7 checks

Standards · RFCs · NIST · ETSI

RFC 9052 · COSE_Sign1 | coset 0.4.2
RFC 3161 · TSA | Actalis Italia · eIDAS
RFC 9943 · SCITT | scitt-cose 0.1.1
RFC 8392 · CWT | CBOR Web Tokens
RFC 5652 · CMS | §5.6 verify
RFC 9162 · Merkle | Transparency logs
FIPS 204 · ML-DSA-65 | NIST PQC
ETSI EN 319 421/422 | Qualified TSP

$ audit_artifacts/smoke_test/v1.1.x_output.txt · frozen artifact · sha256 verified
# Frozen smoke-test artifact — openssl ts -verify + cargo test output
# Audit-trail drift detection: sha256 of v1.1.x_output.txt must match.
# Regression asserted by tests/test_smoke_test_artifact.py

artifact: audit_artifacts/smoke_test/v1.1.x_output.txt
sha256:    c693f2f95fddf3c7aceb9ff42a489a17d4a34311e9350f3eee86dd0e26a35b88
openssl:   Verification: OK  # RFC 3161 + RFC 5652 §5.6 chain re-walked
cargo:     test result: ok. 1287 passed; 0 failed   # 1,137 Rust + 119 tl-evidence + 21 TS + 16 Go
pytest:    202 passed in 28.4s                          # Python control plane

# HONEST DISCLOSURES (per AC-22): the artifact names every synthetic
# / demo-grade part. We never false-positive green.

Pricing. No invented logos.

Per README W5. Real numbers, not a sales deck.

// open source · self-host

Free

$0 forever

MIT / Apache-2.0 dual-license. All 5 crates + 36 MCP tools + 4-layer compliance + SCITT client. Self-host the control plane; bring your own RFC 3161 QTSP.

  • apohara-trustlayer (Rust) + @apohara/trustlayer (TS) + Go SDK
  • 4-layer compliance model · most-restrictive-wins
  • Self-hostable control plane
  • Community Discord + GitHub issues

// enterprise · DORA / regulated

Enterprise + DORA Pack

€500 · DORA Pack add-on

DORA Art. 19-20 evidence pack (7/7 checks all Compliant) · HSM + QES adapters · on-prem deployment · dedicated Slack channel. SSO + SCIM included.

  • Unlimited notarizations
  • DORA evidence pack · 7/7 checks
  • AWS KMS / Thales PKCS#11 / HSM adapters
  • Direct Slack channel · 24h response

Design partner program · 2026-07-10 application deadline

We need 5 EU-regulated design partners before Art. 50 enforcement.

EU financial services subject to DORA Art. 9-13 · AI providers subject to EU AI Act Art. 50(2) · product makers subject to PLD 2024/2853 · ISO/IEC 42001:2023 AIMS aspirants. 6 months free, full production stack, direct Slack channel with Pablo.