Extended from v0.6.0. This revision adds two new clusters — ⑩ Software & Cyber Supply Chain and ⑪ Trade, Customs & Logistics — plus card c8-6 (Astrophysical Evidence Ledger) and the ApexLogics sister-site cross-link on c7-6. All counts are now DOM-derived. Total: concepts across clusters, up from 38 across 7. Cluster and readiness filters are both available. References to execution_hash, parent_hashes, policy_parameters, and chain_depth are standard OCG artifact fields — see the glossary below.
The traditional Web3/blockchain mindset asks: "How do we prove this is rare, and who owns it?"
The OpenChainGraph mindset asks: "How do we prove how this complex state came into existence — and what can we build on top of that verified history?"
Treating execution_hash not as a receipt of ownership but as a reproducible record of transformation opens OCG as something closer to a creative and operational physics engine than a scarcity mechanism. This applies in compliance contexts, creative ones, and — critically — in the payments, scientific, and identity infrastructure that the AINumbers toolchain was built to serve.
execution_hash — deterministic SHA-256 over inputs + outputsparent_hashes — lineage / DAG edges between artifactspolicy_parameters — the inputs a node was computed fromchain_depth — distance from a root artifactaudit_signatures / compliance_flags — embedded attestationsoutput_payload — the artifact's computed result objectmandate_type — AP2 enum classifying the policy envelope typedataVersion — semver for input schema, enabling deterministic replaychaingraph_export:pdf / :vc — signed render profileschaingraph_export:jsonld — linked-data export with W3C JSON-LD contextx-chaingraph — cross-vendor chaining capabilitytools/call + verify_execution_hash — agent-callable verificationCluster overview
Generative Art & Visuals
Because execution_hash is a deterministic output of policy_parameters and output_payload, it is a ready-made seed for procedural generation. And because parent_hashes form a DAG, the full evolution of a creative work is visible without a central database.
Hash-Seeded Generative Art & Audio
Instead of a random-number generator driving the artwork, the chain itself becomes the source of controlled randomness. Map segments of the execution_hash hex string directly to color palettes, geometry, particle systems, camera movement, or synth parameters. Because the same artifact always produces the same hash, the same piece can always be regenerated exactly — change one policy_parameter and you get a deterministically different output, not a random one. A "calm, complex, organic" input always renders the same flowing geometric landscape.
Chaingraph Sonification
Map the topology of a chaingraph directly to music. chain_depth sets the bassline; the number of parent_hashes at a node creates harmonic complexity; the hex values of execution_hash drive melody or synth parameters. A simple linear decision sounds like a clean main theme — a branching, multi-party negotiation (an AP2/ACP agentic payment flow, for instance) sounds like a dense, evolving harmony. The music literally follows the graph structure, not an artist's composition choices. The richer the financial workflow, the richer the piece.
3D Data Sculpting & Typography
Map the nested JSON structure of an OCG artifact — its policy_parameters, compliance_flags, and audit_signatures — into 3D meshes or typographic layouts. A complex incident cascade (a DORA ICT failure propagating through dependent systems) could render as a jagged, branching sculpture, where each fracture point corresponds to an actual node in the underlying chain rather than an artist's stylistic choice. The artifact is simultaneously data and art — and the two are inseparable.
Remix Lineage & "Remix DNA"
An artist creates a base visual as a root node. Anyone can remix it by altering its policy_parameters to generate a child artifact — and the gallery doesn't just show the art, it renders the actual DAG of the work's evolution. With the in-toto envelope and Ed25519 signing layered in, each remix carries cryptographic proof of who produced it, conformant to W3C PROV-DM. A remix isn't just "similar" to its parent — it is mathematically connected, and that connection is permanently verifiable.
AI-Generated Content Watermarking New
The C2PA standard for content credentials is gaining traction in cameras and image platforms, but the provenance model is centralised — it trusts the camera maker or platform's signing key. An OCG alternative encodes the generative model's version, prompt hash, and sampling parameters into policy_parameters, binds them to the rendered output via execution_hash, and exports via chaingraph_export:jsonld for JSON-LD ingest by existing C2PA tooling. The watermark isn't embedded in pixels (and therefore removable) — it's the hash relationship between the generation parameters and the output, independently verifiable by anyone with the spec. Connects to any AINumbers tool that outputs an AP2 JSON envelope.
Fashion & Material Design Lineage New
Luxury goods and sustainable fashion brands face pressure to prove supply-chain claims — that a fabric was sourced from a certified mill, dyed with a specific process, and assembled under monitored labor conditions. Each production stage becomes an OCG node: the fiber origin is the root, each processing step a child, and the final product the leaf artifact. The dataVersion field pins the certification standard used at each node, enabling multi-year traceability even as standards evolve. Retailers can expose the chain via a product QR code — the customer sees the lineage, not just a brand claim. EU Digital Product Passport requirements under the Ecodesign Regulation make this alignment increasingly regulatory rather than optional.
Gaming & Interactive
OCG artifacts can act as serverless, tamper-proof save files or world states — no central server needs to decide whether a player actually earned their progress. The chain proves it, and anyone can verify it independently.
ARG Puzzle Gates
Solving a puzzle in an alternate reality game emits an OCG artifact. The next puzzle node explicitly requires the previous artifact's execution_hash as a valid_parent_hash input — if the prior stage wasn't solved correctly, the next one simply won't unlock. Because tools are MCP-callable, an AI game master can read a player's latest artifact and generate the next narrative clue from their exact cryptographic state, enabling massive, serverless ARGs and escape rooms with no central puzzle server and no database of completed stages to maintain.
Proof-of-Play & Anti-Cheat Verification
Instead of submitting a video file to prove a speedrun or competitive result, the game engine emits an OCG artifact at every checkpoint — start, each lap or milestone, finish. The final submission is a single chaingraph where each node cryptographically validates the one before it. Video-splicing or state manipulation becomes mathematically impossible to conceal, because breaking the sequence breaks the execution_hash chain. Applies directly to esports, speedrunning, and competitive AI benchmark submissions — anywhere the integrity of "how did this result happen" matters.
Regulatory Roguelikes & Compliance Dungeons
Gamify the existing AINumbers tool catalog directly: play as a compliance officer or autonomous agent navigating a procedurally generated "dungeon" where each room is a real regulatory check — dodge an AML typology, solve a Basel III RWA puzzle, survive a DORA ICT cascade as the boss fight. Your path through the dungeon generates a verifiable chaingraph. Because the underlying regulatory logic already lives in the tool suite, this is closer to a content and UI layer over real infrastructure than a net-new build. Training value for compliance teams is genuine.
Trustless Asynchronous Tabletop RPGs
Asynchronous tabletop role-playing typically needs a neutral third party to adjudicate dice rolls and stat checks. OCG can replace that referee entirely: base stats, inventory modifiers, and dice-seed values are bundled into policy_parameters, the tool resolves the outcome client-side, and any player can independently re-verify the result against the public specification — no GM required to settle disputes. The chain is the rulebook, and every ruling is permanently auditable.
Chaingraph-Based Virtual Worlds
Represent a persistent virtual world — a city simulation, a shared sandbox — as a continuously evolving graph where nodes are locations, characters, events, and economic shocks. A city's founding, a population shift, and a political event each become branches off the last verified state. Instead of storing "a world state," the system stores how the world became that state — and any participant can re-derive the current state from the full chain. The hard problem is sustaining a coherent, multi-party world over time, which pushes this beyond a single-session artifact.
Narrative & Story
parent_hashes can enforce narrative canon the way they enforce data lineage elsewhere — you literally cannot publish a sequel unless your contribution correctly references the chapter it builds on. The chain replaces the editor.
Branching Collaborative Fiction ("Exquisite Corpse")
Writers or role-players contribute to a shared, branching narrative universe where every new chapter or plot twist is an OCG node cryptographically linked to its predecessor via parent_hashes. This automatically builds a W3C PROV-DM–conformant timeline tree of the story's evolution. Timeline continuity is mathematically enforced rather than editorially policed — there is no central creative gatekeeper deciding what's canon. The hash chain decides it.
Living Comics & Interactive Books
A single author defines the branch points; each reader's path through the story generates their own chain, carrying the creation parameters and choices that led there. Where the collaborative-fiction concept above is about multi-author canon enforcement, this is about giving each reader a verifiable, personal — and fully regeneratable — version of "their" story. The reader's artifact is their own: a unique, unforgeable record of exactly how they navigated the narrative.
Oral History & Community Archives
Community oral history projects suffer from fragmented recordings, disputed attributions, and gradual version drift as transcripts are edited over time. Each recorded testimony becomes a root OCG node; subsequent editorial decisions — transcription, translation, excerpting — become explicit child nodes with the editor's identity in policy_parameters. The result is an archive where every version of a story is preserved and where the path from raw recording to published excerpt is permanently visible. Oral history stops being a static document and becomes a living, auditable lineage.
Game Lore Canon Engine New
Game studios managing expansive universes — with novels, comics, animated series, and expansions produced by different teams — constantly battle canon drift. Each official lore piece becomes an OCG root or branch node; a new piece of supplementary content must declare its parent_hashes pointing to the in-universe artifacts it derives from. If a writer in the expanded universe contradicts an established game event, the chain structure surfaces the inconsistency cryptographically rather than through editorial review. Studios can also expose the canon graph as a public API, letting fan communities build on verified lore rather than contested wikis. Connects directly to the Branching Collaborative Fiction concept above but applies the same mechanics to top-down IP governance rather than bottom-up collaboration.
Investigative Journalism Source Chains New
Long-form investigative journalism involves layered source verification: a tip leads to a document, a document leads to an interview, an interview leads to corroboration from a second source. Each step is typically captured in a reporter's notes — unsearchable, unverifiable by readers or editors reviewing the work years later. Encoding each step as an OCG node, with source identifiers hashed (not stored) in policy_parameters and the evidentiary claim in output_payload, creates a verifiable reasoning chain for published claims. Editors can check the chain's structural integrity without accessing the source's identity. Whistleblower protection is preserved because the hash reveals nothing about the source — only that a source at that chain position existed and was documented. Distinct from the Journalism & Media entry in Cluster ⑦, which focuses on media asset authentication rather than reasoning chains.
AI Agents & Memory
With agentic payment protocols (AP2, ACP, x402) already producing chaingraphs, OCG is a natural fit as the visible "memory" or integrity layer for autonomous agents — replacing a black-box decision log with something independently verifiable by any party with the spec.
AI Agent Memory & Personality Trees
Instead of a black-box decision log, an agent's memory is a visible, verifiable chaingraph of its past decisions, rule changes, and interactions. Each observation, reasoning step, action, and result becomes a node. You can audit why an agent made a particular choice by walking its parent_hashes back to the core policy_parameters it was operating under — turning "the model decided X" into a traceable, replayable history. As the agent's rules evolve, the evolution is captured in the chain rather than overwritten.
Visualizing Agentic Commerce
A real-time visualizer for machine-to-machine economies: as agents negotiate micro-payments via x402 or AP2, render the resulting chaingraphs as a growing, branching structure — a light show, a coral reef, whatever metaphor fits — where every branch is a verified transaction chain rather than a decorative animation. The visual is only as interesting as the actual transaction volume behind it, which is the real dependency here. The OCG layer is buildable; the agentic payment volume is what remains exploratory.
Multi-Agent Orchestration Integrity
Automated agent networks are vulnerable to prompt injection, tool poisoning, and state drift. Over MCP, an agent calls an OCG tool via tools/call, sends its policy parameters, and receives a full artifact envelope back — then calls verify_execution_hash to confirm the data's integrity before acting on it. If a malicious prompt tries to inject altered data downstream, the execution hash breaks immediately and the chain refuses to validate. This is close to how the AINumbers MCP layer and AP2 manifests already operate today — the orchestration integrity use case is an extension, not a redesign.
AI Model Benchmark Provenance
Published AI benchmark results are routinely disputed because the exact evaluation setup — dataset version, sampling parameters, temperature, prompt template — is rarely captured with enough precision to reproduce. Bundling the full evaluation configuration into policy_parameters and the results into output_payload produces a tamper-evident artifact that any third party can rerun locally to independently verify the reported score. Benchmark leaderboards anchored to OCG artifacts become verifiable claims rather than self-reported numbers.
RAG Source Provenance & Hallucination Audit New
Retrieval-augmented generation systems pull documents from a knowledge base, feed them to a model, and produce an answer — but the relationship between retrieved chunks and generated claims is typically invisible and unverifiable. Wrapping each retrieval-and-generation step in an OCG node lets you encode which document chunks (identified by content hash, not path) contributed to which claim, their relevance scores, and the model's generation parameters in policy_parameters. The output claim goes into output_payload. Downstream fact-checkers or compliance reviewers can trace every sentence of a generated report back to its retrieval root. If a claimed source doesn't appear in any parent_hashes, the claim is unanchored — a structural proxy for hallucination detection that doesn't require access to model internals. Connects to the AP2 MCP Policy Validator (T320) as a verification endpoint.
Model Fine-tuning Lineage & Dataset Provenance New
When a foundation model is fine-tuned, critical provenance is routinely lost: which base checkpoint was used, which dataset version, what hyperparameter configuration, which safety filters were applied. SLSA supply-chain attestations address the build process, but they don't capture the semantic lineage of the resulting model's behavior. An OCG chain from base model → curated dataset artifact → fine-tuning run → evaluation result → deployed checkpoint creates an auditable lineage that regulators (EU AI Act Article 13 documentation requirements) and enterprise buyers increasingly demand. The SLSA attestation primitive links the build artifact to the OCG chain; dataVersion pins the dataset schema used at each training stage. The model weights themselves are too large for client-side processing, making this necessarily a metadata-chain use case rather than a full client-side execution.
Physical Installations
Real-world input — movement, touch, location — can feed policy_parameters directly, turning a physical space into a live, growing OCG network rather than a static install. The hardware is the dependency; the OCG layer is ready.
Interactive Museum & Spatial Installations
Visitors move through a physical space where anonymized movement, touch, or timing data becomes policy_parameters, and the installation projects a unique visual or audio landscape based on the resulting execution_hash. As more visitors interact, the space becomes a live, growing OCG network — every visitor a new child node, the artwork itself a continuously evolving graph. The main blocker is sensor and projection hardware coordination, not the OCG layer itself.
Cryptographic Geocaching & Digital Time Capsules
Physical locations each hold a piece of a policy_parameters seed — a QR code containing a fragment. Once a user finds and combines every piece in a browser-based OCG tool, it generates a final artifact: a verifiable piece of digital art, or a message that mathematically proves they physically visited every coordinate. The verification logic is buildable today; the limiting factor is designing, placing, and maintaining the physical pieces across real-world locations.
Live Performance & Events Verification New
Concert, theater, and sporting venues increasingly sell "proof of attendance" tokens — but they rely on a central issuer to be meaningful. An OCG approach generates a root artifact at the moment a ticketed gate is scanned, with anonymized seat coordinates and a timestamped venue signature in policy_parameters. The attendee's phone computes the artifact client-side; the chain proves presence without the venue retaining any personal data. Setlist variations, substitutions, and cancellations can be recorded as sibling nodes off the event root, creating a permanent, independently verifiable record of what actually happened at that performance — useful for insurance claims, contractual performance disputes, and genuine fan archives. Hardware dependency: venue gate systems capable of emitting signed timestamps.
Smart City Sensor Networks & Environmental Accountability New
Municipal air quality sensors, flood gauges, and noise monitors generate continuous data streams that are used in regulatory enforcement and public health decisions — but the integrity of those streams is almost never independently verifiable. Each sensor reading becomes an OCG node with device identity, calibration metadata, and environmental reading in policy_parameters, and the computed alert or compliance status in output_payload. A downstream enforcement action references the sensor artifact's execution_hash, creating a tamper-evident chain from raw measurement to regulatory outcome. If the city disputes a pollution enforcement notice, the sensor data chain is the independent evidence. The OCG layer is software-complete; the dependency is sensor firmware capable of producing signed attestation payloads at the edge. Conceptually adjacent to the Energy Grid & Carbon Markets entry in Cluster ⑦.
Payments & Financial Infrastructure Core cluster
This is where OCG connects most directly to the AINumbers toolchain. The payment infrastructure space — A2A rails, ISO 20022 messages, treasury operations, FX hedging, mandate lifecycle — generates exactly the kind of multi-step, multi-party decisions that OCG was designed to make auditable. Each concept below maps to one or more live tools in the suite, meaning the logic layer already exists and OCG is the provenance wrapper.
A2A Rail Decision Provenance
When a payment operations team selects FedNow over RTP or ACH over SEPA, that routing decision is typically captured in an email thread or a Slack message. Wrapping the decision in an OCG artifact — with the evaluated criteria, rail availability data, and the chosen output bundled into policy_parameters and output_payload — produces a permanent, auditable record of why that rail was chosen at that moment. Links directly to Tool 82 (A2A Rail Optimization Command Center) and Tool 78 (Smart Routing Advisor).
AP2 Mandate Audit Chain
Variable Recurring Payment mandates have a lifecycle: created, modified, suspended, revoked. Each state transition is a candidate OCG node — with the authorizing party, timestamp, and parameters in policy_parameters, and the resulting mandate state in output_payload. The full chain is an authoritative, tamper-evident lifecycle record that satisfies PSD3 / UK Open Banking audit requirements without a central ledger. The mandate_type field classifies each node within the AP2 enum, enabling automated downstream validation. Connects directly to Tool 11 (VRP Mandate Builder) and the AP2 schema export standard.
ISO 20022 Message Lineage
An ISO 20022 pacs.008 credit transfer doesn't arrive in isolation — it was preceded by a pain.001 instruction, may trigger a camt.053 statement, and might be corrected by a camt.056 recall. Treating each message as an OCG node with the prior message's execution_hash in parent_hashes produces a verifiable message family chain. Reconciliation and investigation teams can trace a payment's full lineage — from originating instruction to final settlement statement — without manual cross-referencing. Links to Tools 02, 77, 98, and 101.
FX Hedge Execution Chain
A corporate treasury team hedging a cross-border corridor position makes a sequence of decisions: corridor exposure assessment, instrument selection, strike calculation, execution. Each step depends on the one before it — and under EMIR / Dodd-Frank, all of it needs an audit trail. Wrapping each decision node in an OCG artifact with the prior step's hash in parent_hashes produces an immutable chain from exposure identification to executed hedge, with every parameter recorded. Links directly to Tool 76 (Cross-Border FX Hedge Optimizer).
Reconciliation Failure Evidence Package
When an A2A payment fails to reconcile, operations teams need to assemble an evidence package: the original transaction data, the exception log, the investigation steps, and the resolution. Each step in this workflow can be an OCG node, with compliance_flags tracking open versus resolved status and parent_hashes linking the evidence chain. The final artifact is a court-ready, tamper-evident package that documents both the failure and the resolution methodology. Links to Tools 09, 20, and 40.
Treasury Decision Memo Chain
Treasury investment policy decisions — liquidity allocation, counterparty limits, duration targets — require documented governance trails under Basel III and DORA. Rather than a Word document stored on a SharePoint drive, each treasury decision is an OCG artifact linking its inputs (policy_parameters: current liquidity position, risk appetite, market data) to its output (the decision) to the prior decision it supersedes (parent_hashes). The chain is the audit log; the CFO can sign it with Ed25519. Links to Tools 83 and 42.
Cross-Border CBDC Interop Ledger
Multi-CBDC interoperability projects (mBridge, Nexus, Project Agorá) require participating central banks to agree on a common transaction record that no single institution controls. Each cross-border settlement step — lock, convert, transfer, release — can be an OCG node whose execution_hash serves as the shared reference. Because computation is deterministic and client-side, each central bank can independently verify settlement finality without trusting the other's infrastructure. Links conceptually to Tool 53 (CBDC Architecture Comparator) and Tool 58.
Stablecoin Reserve Attestation Chain
Stablecoin issuers are under increasing regulatory pressure to prove — not just assert — that reserve assets back their outstanding supply. A daily attestation process produces an OCG artifact: reserve composition in policy_parameters, peg health metrics in output_payload, and the prior day's attestation hash in parent_hashes. Any holder can verify the current attestation independently and trace the chain back to issuance. Misrepresenting reserves becomes mathematically detectable rather than a legal matter. Links to Tool 75 (Stablecoin Reserve & Peg Health Auditor).
Regulated Verticals
Twelve industry verticals where OCG's zero-egress, client-side verification model maps directly onto an existing compliance or audit requirement — no creative reframing needed, just the standard applied to a new domain.
Healthcare & Pharma — Clinical Trials & Chart Lineage
Tamper-evident electronic health records and clinical research trails require extreme privacy by design. Lab processing data and patient vital readouts act as immutable root nodes at chain_depth 0; a clinical AI tool consumes that metadata, references its hash, and outputs a treatment protocol as a child node. Because all computation happens in-browser via WebCrypto, FDA auditors can verify clinical trial data was not retroactively altered without patient data ever leaving the hospital network. The privacy model is the right one; clinical certification is the long-path dependency.
LegalTech — Smart Contract Lifecycle Auditing
Legal teams currently lose hours manually verifying chain of custody for corporate resolutions and contract amendments. A base agreement generates a baseline execution hash; every subsequent addendum or signed amendment becomes a downstream child node explicitly pointing back to it. Legal ops can export the full chain via the chaingraph_export:pdf profile — a signed, printable render with the execution hash embedded directly in the document and independently verifiable against the original parameters.
Supply Chain Carbon Accounting — Scope 3 / CBAM
The EU Carbon Border Adjustment Mechanism requires reporting carbon footprints across complex supplier networks without exposing trade secrets. Upstream raw-material providers calculate energy use locally and output an OCG artifact containing only carbon values and a cryptographic fingerprint — no proprietary process data. Downstream manufacturers ingest those hashes to compute total corporate footprints, letting vendors mathematically prove compliance without revealing how their production works. The accounting model is correct; regulatory acceptance of hash-only attestation is still developing.
Defense & Aerospace — Autonomous Command & Control
Safeguarding unmanned systems and autonomous swarm logic from tactical manipulation is a matter of national security. Target classification and path-planning modules run as isolated OCG nodes; a drone's flight system refuses to execute a directive unless the upstream artifact passes structural and cryptographic verification. The in-toto envelope (ITE-6 compatible) actively defends against payload poisoning or adversarial data spoofing. The assurance bar here is high enough that real deployment involves formal verification requirements well beyond browser-native tooling.
Academic Publishing & Research Replication
The academic replication crisis is driven partly by researchers obscuring the exact statistical parameters used to reach a published result. Raw datasets and exact algorithm parameters are hard-coded into policy_parameters; the analysis engine executes the math client-side and outputs the findings. Peer reviewers can instantly check whether a study's conclusions are mathematically reproducible by running the same preimage through a web-native validator — without needing the original authors to cooperate.
EdTech — Professional Skills Lineage
Employer systems struggle to verify academic portfolios and workplace competency records. Individual project grades or certification scores are packaged as localized artifacts; a final degree functions as a high-chain_depth node summarizing every prerequisite module beneath it. Universities can render the verified artifact via the chaingraph_export:vc profile as a W3C Verifiable Credentials 2.0 credential, letting employers check skill competencies instantly and independently — no registrar call required. Live implementation: the ApexLogics.org careertech suite emits these credential and skills-lineage chains today across 146 deterministic tools — the EdTech concept here is shipped, not hypothetical.
InsurTech — Claims Lifecycle & Underwriting
Multi-party insurance claims adjustments lack a serverless, end-to-end audit trail. Police accident data, mechanic damage appraisals, and medical bills are each submitted as distinct input artifacts; an automated claims tool evaluates them and issues a payout verdict. The x-chaingraph capability lets artifacts chain across vendors — if a claimant alters a medical bill after submission, the final payout hash mismatches the input signatures immediately. The model is sound; regulatory acceptance and integration with insurer back-ends are the blockers.
PropTech — Real Estate Title & Escrow Flow
Property transfers suffer from opaque document repositories and fragmented email threads about title search approvals, lien releases, and escrow conditions. Municipal tax data, mortgage payoff confirmations, and inspection reports run as dependent pipeline steps; closing agents and buyers use the chaingraph.json DCAT 3.0 catalog to confirm every escrow hurdle has actually been met and verified — rather than trusting a status email from someone who has an interest in the deal closing.
Journalism & Media — Digital News Provenance
Combating deepfakes and algorithmic misinformation requires verifying media at the source. A digital camera hashes raw metadata at the moment of capture; a journalist's article cites that media asset's hash as a parent. Editorial systems and readers can trace a story's entire lineage back to the raw, authenticated capture artifact — a verifiable provenance chain for public information, not a watermark that can be cropped out. Aligns with C2PA standards already emerging in commercial cameras and image platforms.
Energy Grid & Carbon Markets
Renewable energy certificate (REC) markets are plagued by double-counting: the same MWh is sold as green power to multiple buyers across jurisdictions. Each generation event — a solar panel's metered output, a wind farm's production hour — becomes an OCG root node, with downstream RECs as child nodes carrying the generation hash in parent_hashes. If two certificates trace to the same root execution_hash, double-issuance is cryptographically detectable without a central registry. The meter-to-blockchain interface is the hardware dependency; the OCG audit layer is software-complete.
GovTech & Civic Infrastructure
Public procurement decisions — bid evaluation, vendor selection, contract award — are legally required to be transparent but routinely scrutinized for bias or corruption. Each evaluation step generates an OCG node: scoring criteria in policy_parameters, weighted scores in output_payload, committee identity in audit_signatures. Any citizen or investigative journalist can independently verify that the award decision was the deterministic output of the stated criteria — or identify where the chain was broken. The model is sound; government adoption timelines are long.
HR & Workforce Credentialing
Enterprise background-check processes are slow, expensive, and prone to resume fraud — and they rely on trusting third-party verification services that themselves cannot be independently verified. An OCG approach lets a candidate produce a chain from prior employer attestations, educational credentials, and certification bodies, each signed with Ed25519 and linked via parent_hashes. An employer's HR system can verify the chain client-side in seconds without contacting any of the issuing parties. Builds directly on the EdTech skills lineage concept above and the W3C VC 2.0 export profile.
Scientific & Research Infrastructure New cluster
Reproducibility is science's oldest integrity problem. OCG's deterministic execution model — identical inputs producing bit-for-bit identical outputs, captured in a hash-linked chain — is a natural fit for any domain where the methodology must be as verifiable as the result. The scientific community already uses containerization and open datasets; OCG adds the provenance linking layer that those tools lack.
Genomics & Variant Calling Pipelines New
A single whole-genome sequencing run passes through 10–15 bioinformatics pipeline steps before producing a clinical variant report — and the exact tool versions, reference genome build, quality filtering thresholds, and population frequency databases used at each step are typically captured only in a PDF methods section that no one reads. Encoding each pipeline step as an OCG node with tool version, reference database hash, and parameter set in policy_parameters produces a fully reproducible analysis chain. A clinician receiving a variant interpretation can trace it back to the raw FASTQ root and confirm the pipeline was the one claimed. dataVersion anchors the reference genome build at each step, since the same variant may be classified differently across genome builds. The computation is too large for client-side execution, making this a metadata-chain use case — but the provenance layer itself is structurally sound today.
Climate Model Reproducibility & Scenario Certification New
Climate scenario outputs underpin trillion-dollar investment decisions and national policy commitments — but the model configuration that produced a given projection is rarely captured with enough precision for independent replication. The parameterization of a climate run (forcing scenarios, grid resolution, parameterization schemes, initialization state) maps cleanly into policy_parameters; the output projections go into output_payload; the prior run it extends or branches from lives in parent_hashes. For downscaled regional projections, the chain traces back to the global model run it was derived from. Financial regulators applying TCFD / TNFD scenario analysis can verify that a bank's climate risk estimates derive from a specific, reproducible model run rather than an unconstrained internal estimate. The OCG layer here is metadata — actual climate simulation is server-side — but client-side validation of a declared configuration against a published run's hash is fully buildable today.
Drug Discovery & Synthesis Route Provenance New
Pharmaceutical R&D involves thousands of synthesis attempts before a viable candidate is identified. The exact reagent sources, reaction conditions, and analytical results at each step are captured in lab notebooks — increasingly electronic, but still largely siloed per researcher. An OCG chain from compound design through each synthesis attempt to biological assay result creates a verifiable discovery timeline that is invaluable for patent disputes (proving priority date of a finding), regulatory submissions (demonstrating the candidate's full development history), and scientific collaboration (enabling partners to build on verified intermediates rather than rediscovering them). The challenge is that synthesis conditions are commercially sensitive — the policy_parameters hash-without-reveal pattern is the right solution, but widespread adoption requires chemistry lab information management systems (LIMS) to support OCG export natively.
High-Energy Physics & Detector Dataset Certification New
Large hadron collider experiments produce petabytes of collision data that is processed through multiple reduction and reconstruction steps before physics analyses are performed. The CERN REANA platform already addresses workflow reproducibility, but it lacks a lightweight, portable provenance envelope that collaborating institutions outside CERN's infrastructure can verify independently. An OCG root artifact capturing the raw dataset hash, detector calibration state, and reconstruction software version — with downstream analysis artifacts as children — creates a chain that any physics collaboration member can validate against published paper results without running the full reconstruction pipeline. The SLSA attestation primitive links the software build used at each step to the OCG metadata chain. Exploratory because adoption requires collaboration-wide tooling integration, not because the OCG layer is structurally unsound.
Space Mission Telemetry & Command Audit New
Deep space missions involve command sequences uplinked to a spacecraft and telemetry downlinked back — and the integrity of that two-way channel is critical for mission safety and scientific validity. Each uplinked command bundle becomes an OCG node with the intended state transition in policy_parameters and the expected telemetry response in output_payload. Downlinked telemetry that confirms the state change closes the node's chain. Any discrepancy between the commanded state and the reported state is immediately visible as a broken execution_hash. Post-mission reconstruction of "what was commanded and what actually happened" — critical for anomaly investigation and future mission design — becomes a navigation exercise on the telemetry chain rather than a log-parsing exercise. Ground station federation and radiation-hardened onboard storage are the hardware dependencies.
Astrophysical Evidence Ledger & Measurement Provenance New
Competing measurements of the same astrophysical quantity routinely conflict — the IMBH mass at the centre of Omega Centauri sits between an ≥8,200 M☉ lower bound (Häberle 2024) and a ≤6,000 M☉ upper bound (Bañares 2025) that cannot be reconciled into a single number. Each measurement becomes an OCG node carrying its instrument, dataset, and method in policy_parameters and its result with uncertainty in output_payload; a Bayesian evidence aggregation links them via parent_hashes without collapsing the tension. The chain preserves how each estimate was derived, so a later reviewer can re-weight the evidence rather than inherit a flattened consensus. Live implementation: the OmegaCentauri.me evidence-ledger and kinematics tools emit these chains today.
Digital Identity & Trust Infrastructure New cluster
The identity space has a structural problem that OCG is well-positioned to address: verifiable credential systems require a trusted issuer, and that trust is centralised in the issuer's signing key. OCG's hash-chain model can supplement — and in some cases replace — issuer-trust with computation-trust: a credential is valid not because a trusted party signed it, but because its derivation from a verifiable computation chain can be independently checked. The chaingraph_export:vc profile is the bridge.
Decentralized Identity (DID / SSI) Credential Anchoring New
W3C Decentralized Identifiers and Self-Sovereign Identity frameworks (Hyperledger Aries, Veramo, Spruce) issue credentials that are cryptographically signed but whose verification still requires resolving a DID document from a registrar — reintroducing a trusted intermediary. Anchoring the credential issuance event as an OCG root node, with the credential's content hash and the issuer's Ed25519 public key in policy_parameters, lets a verifier check structural validity without a registry lookup. The chaingraph_export:vc profile produces output conformant with W3C VC 2.0 and includes the OCG chain as a linked-data proof extension. Zero-egress, client-side verification is the differentiator — a hospital verifying a patient's identity credential in an air-gapped clinical environment doesn't need an internet connection to the DID registry.
KYC / AML Verification Chain New
Know-your-customer processes are expensive, repetitive, and fragmented — a customer re-verified at a bank cannot reuse that verification at a brokerage, even when both institutions use the same identity document and the same FATF-compliant process. An OCG chain from document capture through liveness check to sanctions screening to risk classification creates a portable, tamper-evident KYC record. The chain does not carry the underlying PII — it carries the hash of the verified attributes and the verification methodology. A downstream financial institution can confirm the chain's structural integrity and accept the outcome without re-performing the checks, provided it trusts the issuing institution's OCG profile. compliance_flags carry the FATF, EDD, and jurisdiction-specific status. Connects to AINumbers Cat-03 (Fraud & Risk) tools already in the pipeline.
Credential Revocation & Suspension Auditability New
Credential revocation in existing PKI and VC systems is centralised — the issuer maintains a revocation list, and verifiers must query it. If the issuer's revocation infrastructure is unavailable or compromised, revocation becomes unverifiable. An OCG chain from credential issuance through each status change (active → suspended → revoked, or reinstated) with the authorizing party and rationale in policy_parameters makes the credential's full lifecycle auditable and independently verifiable without querying the issuer. The revocation event's execution_hash becomes a reference that downstream consumers can include in their own artifacts, proving they verified status at a specific moment. Directly relevant to professional license revocations (medical boards, bar associations, financial regulators) where the integrity of the revocation record is itself a compliance requirement.
Cross-Border eID Interoperability New
The EU eIDAS 2.0 regulation mandates a European Digital Identity Wallet by 2026, and similar frameworks are developing in the UK, Singapore, and the US. Each national system uses different credential formats, trust registries, and verification protocols — making cross-border use cases (a French citizen opening a bank account in Germany, a Singaporean registering a business in the UK) dependent on bilateral treaty negotiations or complex technical bridges. An OCG layer between national wallet systems could allow a credential verified under French law to produce a chain artifact whose structural properties are recognisable to a German verifier, without requiring the German system to understand French eIDAS implementation details. chaingraph_export:jsonld produces linked-data output that existing eIDAS EBSI infrastructure can ingest. The barrier is political and legal acceptance, not technical feasibility.
Consumer Data Rights & Portability Provenance New
GDPR Article 20, CCPA, and the EU Data Act all grant consumers rights to receive their data in portable, machine-readable form — but there is no standard for proving that the exported data is complete and unaltered. An OCG artifact wrapping a data portability export carries the hash of the exported dataset in output_payload, the date-range and scope parameters in policy_parameters, and the data controller's identity in audit_signatures. A consumer filing a regulatory complaint can prove that the export they received differs from what was later disclosed to a regulator. A competing service receiving a ported dataset can verify its completeness against the original artifact without contacting the original controller. The chain becomes the receipt of the data transfer, not just the transfer itself. Client-side hash validation of the received data against the artifact is fully buildable today; the controller-side tooling to generate the artifacts is the integration work.
Software & Cybersecurity Supply Chain New cluster
The same provenance move that audits a payment or a genome audits a software build. The EU Cyber Resilience Act makes this regulatory rather than aspirational: vulnerability reporting obligations begin 11 September 2026 and SBOM obligations 11 December 2027, with fines to €15M or 2.5% of turnover. OCG is a natural fit — and the AINumbers MCP-security tool set already implements the verification primitives.
SBOM Dependency Provenance Chain New
A Software Bill of Materials lists a product's components, but a static SBOM file proves nothing about how it was assembled or when a vulnerability became known. Each build's SBOM becomes an OCG node: component hashes and top-level dependencies in policy_parameters, the resolved dependency tree in output_payload, and the prior release's SBOM hash in parent_hashes. The result is a tamper-evident lineage of exactly what shipped in every version — the artifact a market-surveillance authority can request under CRA Article-level technical documentation requirements, verifiable without trusting the vendor's build system. The CRA mandates only a machine-readable SBOM; OCG adds the cross-version chain the regulation doesn't specify.
VEX Vulnerability Disclosure Timeline New
The CRA's reporting clock is strict — a 24-hour early warning, a 72-hour full notification, and a 14-day final report once a patch exists for an actively exploited vulnerability. Each disclosure state (under-investigation → affected → fixed → not-affected, the VEX status enum) becomes an OCG node with the timestamp and authorizing party in policy_parameters and the assessment in output_payload. The chain is a tamper-evident proof that each deadline was met at the moment claimed — turning "we reported on time" from an assertion into a verifiable record. Misdating a disclosure to appear compliant becomes cryptographically detectable.
MCP Server Attestation Chain New
Agentic systems call MCP tool servers they cannot independently verify — the exact vulnerability class (prompt injection, tool poisoning, DNS rebinding) the AINumbers MCP-security suite already scans for. Binding a server's attestation into an OCG node — its tool-definition hash, OAuth posture, and transport configuration in policy_parameters, the security verdict in output_payload — lets an orchestrating agent confirm a server's integrity before tools/call, extending the Multi-Agent Orchestration Integrity concept (c4-3) from data to infrastructure. Links directly to Tool 282 (Tool-Poisoning Scanner), Tool 278 (OAuth Auditor), and Tool 284 (Transport / DNS-Rebinding Auditor).
CI/CD Build Provenance & Release Integrity New
SLSA attestations capture that a build happened in a trusted environment, but they don't link the build to the source review, the test run, and the release approval that preceded it. An OCG chain from signed commit → reviewed pull request → CI test artifact → SLSA build attestation → published release creates an end-to-end provenance trail. A downstream consumer verifying a release can walk parent_hashes back to confirm the artifact derives from a reviewed, tested source — not an injected build step. The SLSA attestation primitive links the build artifact into the chain; audit_signatures carry the approver identity. This is the software analogue of the Treasury Decision Memo Chain (c6-6): the chain is the governance log.
Document Integrity & Timestamp Anchor New
Factom pioneered anchoring document hashes to prove a record existed, unaltered, at a point in time — but it needed a blockchain to do it. OCG does it client-side: a document's SHA-256 plus a claimed timestamp bind into an execution_hash that is itself an eIDAS Article 41 / RFC 3161-aligned electronic timestamp — legally admissible, self-verifiable by anyone with the spec, no trusted timestamping authority round-trip. The verifier (art-122) recomputes the anchor and confirms the document hash and timestamp match. This is the horizontal primitive beneath legal (c7-2), journalism source chains (c3-5), academic replication (c7-5), and consumer data rights (c9-5). Live chain: document-integrity-anchor (art-121 → art-122); exports a W3C Verifiable Credential via chaingraph_export:vc.
Trade, Customs & Logistics New cluster
UNCITRAL's MLETR makes "control" the digital equivalent of "possession" — exactly the single-holder lineage parent_hashes enforce. The legal foundation is live (UK ETDA 2023, India Bills of Lading Bill 2025) but only 3–5% of trade documents are digitized, and interoperability across carrier, bank, and customs platforms is the open problem x-chaingraph targets. Several concepts here connect to live AINumbers trade tools.
Electronic Bill of Lading Title-Transfer Chain New
Under MLETR, an electronic bill of lading must use a reliable system guaranteeing exclusive control — only one party may hold the document at any moment. That is a single-holder lineage: each endorsement becomes an OCG node whose parent_hashes point to the prior holder's artifact, making double-spending of title cryptographically impossible. A port authority in Rotterdam can verify a bill issued by a carrier platform in Shanghai without trusting that platform — the chain's structural integrity is the proof, not a bilateral system bridge. Links to the live MCP tool validate_mletr_record for record-level conformance checking.
Customs Declaration Lineage New
A customs entry is the leaf of a document family — commercial invoice, packing list, certificate of origin, bill of lading — each of which a broker currently cross-references by hand. Treating each document as an OCG node with the next document's parent_hashes pointing back produces a verifiable lineage from declared value to underlying evidence. A customs authority auditing a declaration can confirm the entry derives from an unaltered document set; a sanctions or origin discrepancy surfaces as a broken execution_hash rather than a manual finding. Links to the live MCP tool verify_trade_document_set and Tool 426 (Trade Sanctions Compliance Checker).
E-Invoice Clearance Chain (ViDA) New
The EU's VAT in the Digital Age (ViDA) reform makes structured e-invoicing and near-real-time digital reporting mandatory across member states. Each clearance step — issuance, tax-authority validation, buyer acceptance — becomes an OCG node, with the invoice content hash in output_payload and the clearance status in compliance_flags. The chain is a tamper-evident record that an invoice was cleared, when, and against which ruleset — reusable across the supplier, buyer, and tax authority without a shared central ledger. Links to Tool 180 (B2B E-Invoice Compliance Scorer) and Tool 178 (Invoice-to-ISO 20022 Bridge); the live MCP tool validate_einvoice_batch handles batch conformance.
Letter of Credit Document Set Provenance New
A documentary letter of credit pays against a set of compliant documents — and discrepancy disputes are the single largest source of trade-finance friction. Each presented document becomes an OCG node bound to the LC's terms in policy_parameters; the bank's examination outcome lands in output_payload with each discrepancy flagged. The result is a verifiable record of what was presented and how it was examined, exportable via chaingraph_export:pdf for the dispute file. Links to Tool 50 (Trade Finance LC Analyser), Tool 420 (MT700 Field Validator), and Tool 422 (Incoterms 2020 Risk Mapper).
Physical Supply-Chain & Goods Provenance New cluster
The classic blockchain-provenance use cases — pharma, food, luxury, anti-counterfeit — were real demand attached to the wrong substrate (permissioned consortia, tokens). The live standard is GS1 EPCIS 2.0 (Critical Tracking Events) carried on GS1 Digital Link 2D barcodes (Sunrise 2027). OCG slots in as the verifiable, zero-egress layer under EPCIS: each tracking event becomes a node, and anyone can re-derive custody without a shared ledger. Three of these chains are live in the AINumbers suite.
Pharma Serialization & Saleable-Returns Custody New
The MediLedger consortium built a permissioned blockchain for exactly this — but US DSCSA enforcement is now live (wholesaler serialization + saleable-returns verification since August 2025), and the requirement is verifiable custody, not a shared chain. Each unit's DSCSA T3 set (Transaction Information, History, Statement) plus its GS1 SGTIN and EPCIS event becomes an OCG node; a saleable return that cannot match its original transaction hash is refused; a suspect unit triggers quarantine and the 72-hour FDA Form 3911 path — each step a tamper-evident artifact. Live chain: pharma-serialization-custody (art-112 → art-113 → art-114). EU FMD applies the same shape across 26 markets.
Food Traceability & 24-Hour Recall (FSMA 204) New
IBM Food Trust + Walmart made farm-to-shelf traceability the canonical blockchain-provenance demo — but FDA FSMA 204 just requires the Key Data Elements for each Critical Tracking Event and a 24-hour electronic sortable spreadsheet, no chain. Each CTE (harvesting → cooling → packing → shipping → receiving, plus transformation events that mint a new Traceability Lot Code) becomes an OCG node; a contamination event resolves one-up/one-back to affected recipients and sources in seconds. Live chain: food-traceability-fsma204 (art-118 → art-119 → art-120). Enforcement July 2028 — build window now.
Luxury Goods & Digital Product Passport New
Everledger (diamonds), the Aura Consortium (LVMH/Prada/Richemont), and Provenance.org all chased luxury authenticity + ethical-sourcing claims. The EU's Digital Product Passport makes it regulatory: the Central DPP Registry goes live 19 July 2026, batteries February 2027, textiles ~2027. An OCG chain validates the DPP data carrier against the CIRPASS-2 Core Ontology (art-115), builds a cradle-to-gate hash-only supplier lineage (art-116), and verifies consumer-facing authenticity + resale ownership continuity (art-117) — exposed via a GS1 Digital Link QR. Live chain: digital-product-passport-lineage. Extends the Fashion & Material Design Lineage concept (c1-6) to a regulated, multi-sector passport.
Anti-Counterfeit Consumer Verification New
VeChain's core narrative was consumer-facing QR/NFC anti-counterfeit. The GS1 Sunrise 2027 transition from 1D UPC to 2D barcodes makes this mainstream: a 2D barcode powered by GS1 Digital Link carries the item's unique identity, batch, and a lookup to its provenance. An OCG layer lets a shopper's phone verify that the scanned item's claimed lineage hashes chain back to an authentic root — no app, no token, no central authenticity database. This composes directly with the Digital Product Passport chain (c12-3) rather than standing alone, which is why it is a verification surface rather than a separate build today.
Multi-Party Supply-Chain Interoperability New
OriginTrail's durable idea was provenance data shared across many actors without forcing everyone into one database — a decentralized knowledge graph. That is precisely what the OCG x-chaingraph cross-vendor capability provides on top of EPCIS 2.0's standardized event vocabulary: each party emits its own hash-anchored artifacts, and a downstream verifier stitches them into one custody graph by matching parent_hashes, with no shared infrastructure and no party able to silently rewrite another's events. This is the connective tissue beneath the pharma, food, and luxury chains above — an architecture property of the standard, not a single product.
Machine, AI & Software Integrity New cluster
Content provenance moved from voluntary to regulatory: the EU AI Act's Article 50 machine-readable marking obligation applies 2 August 2026, and the Commission's Code of Practice names C2PA Content Credentials as the mechanism. C2PA's own limitation — full validation needs trust-list and revocation lookups over the network, and metadata can be stripped — is OCG's opening: verify the cryptographic and structural facts an agent already holds, with the trust posture supplied as policy, zero network, no human. First of a three-wave machine-integrity cluster (C2PA → Web Bot Auth → EU CRA SBOM).
C2PA Content Credential Verification New
The Content Authenticity Initiative (Adobe, Microsoft, the camera makers) built C2PA to prove where media came from — but verifying a credential normally means fetching trust lists and OCSP/CRL revocation over the network, which an autonomous agent can't always do. An OCG chain validates the decoded C2PA manifest structure (art-123), verifies the COSE/Ed25519/ECDSA claim signature in-browser against a caller-supplied trust posture with zero egress (art-124), and walks the ingredient provenance tree to confirm it chains back (art-125) — emitting a tamper-evident verdict bound into an execution_hash the agent can carry downstream. Live chain: content-credential-verification (art-123 → art-124 → art-125).
AI Content Disclosure (EU AI Act Art. 50) New
From 2 August 2026, providers of generative AI must mark output machine-readable as artificially generated (Art. 50(2)), deployers of deepfakes must disclose (Art. 50(4)), and the Commission's Code of Practice requires a multi-layer approach — C2PA signed metadata and an imperceptible watermark (SynthID and equivalents) together. An OCG chain checks the IPTC digitalSourceType marking for Art. 50 adequacy (art-126), verifies both disclosure layers are present (art-127), and validates that the content binding is hard (tamper-evident) rather than soft-only (art-128). Live chain: ai-content-disclosure-conformance. Penalty for non-compliance: €15M or 3% of global turnover.
Deepfake Consumer Verification New
The consumer-facing surface of Art. 50: a viewer's device confirms that a presented image or video carries a valid, signed AI-disclosure credential whose hard binding still matches the asset bytes — no app, no central authenticity database, no network round-trip to a trust authority. This composes directly with the C2PA verification chain (c13-1) and the disclosure-conformance chain (c13-2) rather than standing alone, which is why it is a verification surface rather than a separate build today.
Cross-Vendor Provenance Interoperability New
A piece of media accumulates credentials from many tools — a camera, an editor, a generative model, a platform. C2PA's ingredient tree records that lineage; the OCG x-chaingraph cross-vendor capability lets a downstream verifier stitch each party's hash-anchored verification artifacts into one provenance graph by matching parent_hashes, with no shared infrastructure and no party able to silently rewrite another's claims. This is the connective tissue beneath the verification and disclosure chains above — an architecture property of the standard, not a single product.
Agent Identity Verification (RFC 9421 Web Bot Auth) New
Automated agents issuing HTTP requests need a machine-verifiable identity layer that zero-trusts even the network: the IETF Web Bot Auth working group's answer is an Ed25519 key pair, a JWKS published at /.well-known/http-message-signatures-directory, and an RFC 9421 signature over a canonical signature base composed of covered HTTP components. The three-step OCG chain (art-129→130→131) reconstructs that base locally, verifies the signature via crypto.subtle, validates the JWKS directory, and checks the Signature Agent Card — all zero-network, all caller-supplied inputs, no credential transmitted. Visa TAP and Mastercard Agent Pay both mandate compatible Ed25519 + JWKS semantics, making this the shared identity substrate for agentic payment rails. Live in Wave 24.
Agent Identity Publishing Readiness (Visa TAP / Mastercard Agent Pay) New
The supply side of the Ed25519 identity substrate: before an agent can present a verifiable identity to a payment rail or a counterpart agent, it must publish a valid JWKS directory, maintain a current Signature Agent Card, and stage key rotations ahead of rail-mandated age limits. The three-step OCG chain (art-132→133→134) audits key rotation posture and algorithm compliance, crosswalks the posture against Visa TAP, Mastercard Agent Pay, and Web Bot Auth acceptance criteria simultaneously, and emits a go/no-go publish-readiness verdict with a precise gap list. The crosswalk step is designed so a single run flags every rail a candidate agent fails, rather than requiring three separate assessments. Live in Wave 24.
SBOM Provenance Attestation (EU CRA / SLSA / OpenVEX) New
Three-step OCG chain (art-135→136→137) that validates a CycloneDX SBOM against the EU CRA Annex I machine-readable SBOM requirement (specVersion 1.4–1.6, all components carry purl, top-level dependencies present), then verifies the SLSA provenance in-toto statement (subject SHA-256 digest match, builder.id from runDetails or predicate, claimed build level 0–3), then validates the OpenVEX vulnerability disclosure (every statement carries vulnerability+products+status, not_affected entries include justification). The three nodes are designed to hand off naturally — an SBOM that passes art-135 is the right substrate for the provenance and disclosure checks downstream. Full supply-chain attestation pipeline, zero network, server-kernel compute. Live in Wave 25.
CRA Product Conformance (Annex I + Art. 14) New
Three-step OCG chain (art-138→139→140) that validates an SPDX 2.x/3.x SBOM against EU CRA Annex I (spdxVersion pattern, SPDXID, packages carry versionInfo and downloadLocation or purl externalRef, relationships non-empty), then checks Annex I Part I essential requirements completeness (SBOM present and machine-readable, top-level deps covered, vulnerability handling policy, secure-by-default, conformity route: self_assessment | eu_type_examination | full_quality_assurance), then assesses Article 14 vulnerability reporting readiness (actively-exploited detection, 24-hour early warning, 72-hour CSIRT/ENISA notification, coordinated disclosure policy). The Art. 14 obligation date is 11 September 2026 — six weeks from build. Penalty: up to €15M or 2.5% global turnover. art-139 and art-140 both export PDF compliance reports. Live in Wave 25.
Cyber Resilience & Critical Infrastructure New cluster
NIS2 Directive 2022/2555 became active October 2024, applying to ~160,000 entities across energy, transport, health, banking, digital infrastructure, and public administration — with personal liability for management bodies (Art. 20) and penalties up to €10M or 2% of global annual turnover for essential entities. Two OCG chains cover the full compliance workflow: entity classification through penalty exposure (chain 1) and incident reporting through governance attestation (chain 2), all zero-egress and agent-callable with no human in the loop. First enforcement wave expected 2026.
NIS2 Entity Scope & Obligations New
The NIS2 Directive (EU 2022/2555) — active October 2024 — applies to ~160,000 entities across energy, transport, health, digital infrastructure, financial markets, and more, with penalties up to €10M or 2% of global annual turnover (essential) or €7M / 1.4% (important). An OCG chain classifies an entity as Essential or Important using Annex I/II sector codes, size thresholds, and automatic carve-outs for DNS providers, trust service providers, and public telecoms (art-141), checks all ten Article 21 cybersecurity risk-management measures for presence and tested maturity with a 0–100 compliance score and grade A–F (art-142), and calculates maximum penalty exposure with mitigating-factor adjustment (art-143) — board-ready output bound into an execution_hash exportable as PDF. Live chain: nis2-entity-scope-and-obligations.
NIS2 Incident Reporting & Supply-Chain Readiness New
NIS2 Article 23 fires a 24-hour early-warning / 72-hour notification / 30-day final-report cascade when an incident is "significant" — but no single regulation quantifies the threshold. An OCG chain scores an event against ENISA-aligned criteria (service disruption, user impact, financial loss, third-party cascade, malicious act, cross-border reach) and emits the applicable clocks and CSIRT recipients (art-144), then scores ICT vendor due-diligence posture against the Article 21(2)(d) supply-chain requirement and ENISA Good Practices framework — ISO 27001 certification, incident history, audit clauses, breach-notification SLA, data residency, sub-contractor mapping, availability SLA (art-145), and checks Article 20 management-body readiness including board approval of controls, training coverage, and personal-liability-risk flag with optional §16 Ed25519 governance attestation (art-146). Live chain: nis2-incident-and-supply-chain-readiness.
Regulatory Trade & Transaction Reporting New cluster
EMIR Refit (EU 2019/834, delegated rules effective 29 April 2024) turned derivatives reporting into a strict ISO 20022 validation problem — 203 required fields, 10:00 T+1 UTI sharing, 148 reconciliation fields, and an action-type state machine enforced at the Trade Repository before acceptance. Two OCG chains cover the full workflow: pre-submission field validation through reconciliation (chain 1) and UTI pairing, lifecycle state-machine, and firm-level readiness grading (chain 2) — all zero-egress and agent-callable. ViDA / DRR join later as Wave 29.
EMIR Trade Report Validation New
EMIR Refit made derivatives reporting a strict ISO 20022 validation problem — 203 required fields, 10:00 T+1 UTI sharing, 148 reconciliation fields by 2026. Validates and reconciles a report client-side before the Trade Repository rejects it. Zero egress, agent-callable. Live chain: emir-trade-report-validation (art-153 → art-154 → art-155).
EMIR Reconciliation & Lifecycle New
Pair two counterparties' reports by UTI and reconcile up to 148 matching fields within tolerance, catching breaks before submission. Validate action-type state transitions and grade firm-level reporting readiness A–F across five dimensions. Agent-callable, zero egress. Live chain: emir-reconciliation-and-lifecycle (art-156 → art-157 → art-158).
The throughline
Across all fifteen clusters, the same move repeats: stop treating a verified chain as a proof of ownership and start treating it as a proof of provenance — how a piece of art, a game run, a story, an agent's decision, a payment routing choice, a climate scenario, a genome analysis, an identity credential, a software build, a trade document, or a regulatory filing actually came to exist. That reframing is what makes the same primitive (execution_hash + parent_hashes + policy_parameters) stretch from generative art seeds to SBOM dependency chains to letter-of-credit provenance to cross-border eID interoperability without changing the underlying spec at all.
The Payments & Financial Infrastructure cluster (⑥) is the one that directly closes the loop with the live AINumbers toolchain — most concepts in that cluster connect to tools already deployed, making OCG not just a conceptual layer but a native export and audit format for financial decisions being made in the browser today. The Software & Cyber Supply Chain (⑩) and Trade, Customs & Logistics (⑪) clusters extend the moat into EU CRA compliance and digitized trade finance — both backed by live AINumbers tools and MCP verification primitives already in production.
OpenChainGraph is arguably more interesting as a reproducible-history engine than as a scarcity mechanism — the chain isn't valuable because it's rare, it's valuable because anyone can independently re-derive how it got there. In payments, identity, and science, that distinction between "who owns this" and "how did this come to exist" is exactly the one regulators, auditors, and peers care about. That the same spec serves all three is not a coincidence; it's a structural property of deterministic computation.