OpenChainGraph Suite · wave 25 · compliance_mandate

CRA Product Conformance (EU CRA Annex I + Art. 14)

Validate an SPDX SBOM against the EU CRA Annex I machine-readable SBOM requirement (art-138) → check Annex I essential requirements: SBOM machine-readable, top-level dep coverage, vulnerability handling policy, secure-by-default, and conformity route (art-139) → assess CRA Article 14 vulnerability reporting readiness: 24-hour early warning, 72-hour notification, CSIRT/ENISA endpoint (art-140). Art. 14 obligations apply 11 Sep 2026. Zero network.

OpenChainGraph · 3 Steps compliance mandate EU CRA 2024/2847 Art.14 deadline 11 Sep 2026 SPDX · Annex I · Art.14 W3C VC §13.11 Hash-Anchored §4 chain_depth:3 · Zero PII
Chain Topology — CRA Product Conformance (art-138→139→140)
art-138 SPDX SBOM Validator art-139 CRA Annex I Completeness art-140 CRA Art.14 Vuln Readiness ⊣
§4 Execution Hash · Chain Definition Anchor
execution_hash:computing…
Chain Stages · 3 Steps
1ROOT · D0node
SPDX SBOM Validator (EU CRA Annex I) art-138
SPDX SBOM validity verdict feeds Annex I completeness checker
MCP Call · validate_spdx_sbom
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "validate_spdx_sbom",
    "arguments": {
      "sbom": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [
          {
            "name": "express",
            "versionInfo": "4.18.2",
            "downloadLocation": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
          }
        ],
        "relationships": [
          {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-Package-express"
          }
        ]
      }
    }
  },
  "id": 1
}
https://mcp.ainumbers.co/mcp
2MIDDLE · D1node
CRA Annex I Completeness Checker art-139
Annex I gaps and conformity route feed vulnerability reporting readiness
MCP Call · check_cra_annex1_completeness
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "check_cra_annex1_completeness",
    "arguments": {
      "sbom_present": true,
      "sbom_machine_readable": true,
      "top_level_deps_covered": true,
      "vuln_handling_policy_present": true,
      "secure_by_default": true,
      "conformity_route": "self_assessment"
    }
  },
  "id": 2
}
https://mcp.ainumbers.co/mcp
3TERMINAL · D2node
CRA Vulnerability Reporting Readiness (Art. 14) art-140
Article 14 readiness emits full CRA product conformance verdict — final stage
MCP Call · assess_cra_vuln_reporting_readiness
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "assess_cra_vuln_reporting_readiness",
    "arguments": {
      "actively_exploited_detection": true,
      "early_warning_24h_process": true,
      "notification_72h_process": true,
      "csirt_enisa_endpoint_configured": true,
      "coordinated_disclosure_policy": true
    }
  },
  "id": 3
}
https://mcp.ainumbers.co/mcp
Export Artifacts
Download the §4 chain definition artifact or the §13.11 W3C VC view. Art-139 and art-140 individually support PDF export for compliance documentation.