Ten regulated verticals. Sixty open specs.
Each vertical below has six MIT-licensed open specs (Decision Card vault contract · Incident Card · Evidence Bundle compliance · Evidence Bundle bias · Operator audit-stream · Operator regulatory-lifecycle tracker) plus an AGPL-3.0 reference implementation that proves the audit-stream invariants survive a real hash-chained trajectory end-to-end. Readiness scaffolding, not certification. Use the bundles to build a program; do not cite them as attestation.
HIPAA + FDA SaMD + Section 1557
Federal floor: HIPAA Security Rule, FDA SaMD (510(k) / De Novo / PMA + PCCP per Dec 2024 final), Section 1557, IMDRF AE Terminology. Reference impl: HAPI FHIR test server → HIPAA Safe-Harbor vault → hash-chained audit events.
FERPA + COPPA + IDEA
Federal floor: FERPA (34 CFR Part 99), COPPA (16 CFR §312.4), IDEA, Section 504, ESSA, plus 50-state student-data-privacy regimes. Reference impl: under-13 events require verifiable parental consent BEFORE event timestamp.
RESPA + ECOA Reg B + Fair Housing
Federal floor: RESPA, ECOA Reg B (12 CFR §1002.9 30-day notice), Fair Housing Act, HMDA, GLBA Safeguards. Reference impl: UNIVERSAL human-underwriter rule on adverse-action-capable kinds (only Suite vertical with universal-not-scoped rule).
NAIC Model Bulletin + NY DFS CL 7
Federal floor: NAIC AI Model Bulletin (Nov 2023), NY DFS Circular Letter 7, CO SB 21-169, plus state DOI adoptions. Reference impl: 90-day backward-bounded bias-monitoring window, must precede event.
EEOC + ADA + NYC LL 144
Federal floor: EEOC AI Guidance (May 2023), Title VII, ADA, ADEA, GINA, NYC LL 144 (14-day candidate-notice backward window), IL 820 ILCS 42, MD HB 1202. UGESP four-fifths-rule encoded.
CFPB + ECOA + FCRA + BSA/AML
Federal floor: CFPB AI bulletin, OCC/FRB/FDIC joint AI, OCC 2011-12, FRB SR 11-7, ECOA Reg B, FCRA Reg V §604 permissible-purpose, GLBA Safeguards, Section 1071, Section 1033, UDAAP.
OMB M-24-10 + AI Bill of Rights
Federal floor: OMB M-24-10, AI Bill of Rights, EO 14179, NIST AI RMF, Section 508, Privacy Act 1974, FOIA, FedRAMP. Federal AI Use Case Inventory entry IDs surfaced.
ABA Model Rules + privilege
Federal floor: ABA Model Rules 1.1c8, 1.6, 3.3, 5.3, 5.5, attorney-client privilege, work-product doctrine FRCP 26(b)(3), state bar opinions, Mata v. Avianca court orders. Reference impl: three simultaneous invariants — privilege-tier consistency + engagement-letter binding + citation-validation before production-ready.
NERC CIP + TSA SD + FERC
Federal floor: NERC CIP-002 through CIP-014, TSA SD-2021-02C, DOE EO 14028, FERC Order 2222. Reference impl: NERC CIP-008 1-hour forward cyber-incident reporting clock (shortest in the Suite catalog).
DFARS + CMMC 2.0 + ITAR + EAR
Federal floor: DFARS 252.204-7012/7019/7020/7021 (72-hour cyber-incident clock), CMMC 2.0 L2/L3, NIST SP 800-171/172, ITAR (22 CFR 120-130), EAR (15 CFR 730-774), NISPOM 32 CFR 117. Reference impl: 3-axis CUI vault contract (cui_categorization × export_control_status × foreign_person_access_restriction).
The six canonical shapes
Every vertical 6-pack ships exactly these six artifact shapes. Same shape across verticals; different per-vertical regulatory basis, data categories, and invariants. Pick one vertical's pack, you get six pieces that compose with each other and with the buyer's existing controls.