fix(citations): correct EU AI Act anchors for verification carve-out #70

Merged
Amosk21 merged 1 commit into chore/regulatory-conditions-to-governance from fix/eu-ai-act-citation-corrections
May 15, 2026
@Amosk21 Amosk21 commented May 14, 2026

Summary

Two regulatory citation defects across 6 tracked files (11 specific text edits). No schema, axiom, class, or property changes. Pipeline behavior byte-identical: ALL CHECKS PASSED, exit 0.

Stacked on top of PR #69 (chore/regulatory-conditions-to-governance); will retarget to main once #69 merges.

Defect 1: Recital 22 miscitation (7 locations)

Recital 22 of Regulation (EU) 2024/1689 governs extraterritorial scope (third-country operators), not the biometric verification carve-out. Correct anchor chain is Recital 15 (definition + carve-out), Recital 17 (RBI-specific carve-out + rationale), and Annex III item 1(a) operative clause.

Fixed in:

  • 03_TECHNICAL_CORE/ontology/ARCO_instances_verification.ttl lines 18, 27 (kiosk fixture rdfs:comment surfaced via select_system_comment.sparql into negative-case certificate panel)
  • 03_TECHNICAL_CORE/scripts/run_pipeline.py lines 445, 1243 (docstring + inline comment)
  • 03_TECHNICAL_CORE/reasoning/select_system_comment.sparql line 6 (SPARQL header comment)
  • docs/MODELING_ROADMAP.md line 15 (public-facing modeling narrative)

Defect 2: Article 3(36) misattribution (4 locations in tracked files)

Article 3(36) is the technical 1:1 verification definition; it does not contain the phrase "intended to be used." That framing appears verbatim in Recital 15, Recital 17, and Annex III item 1(a). Article 3(36) is now correctly cited only for the 1:1 modality definition.

Fixed in:

  • docs/MODELING_ROADMAP.md line 68
  • docs/kiosk_demo_v1/kiosk_demo.md lines 65, 172
  • LIMITATIONS.md line 114

Defect 3: Article 3(43) paraphrase fidelity (1 location)

Article 3(43) verbatim uses "system" (BFO Bucket 1) where ARCO's :PostRemoteBiometricIdentificationProcess class uses "process" (BFO Bucket 4). Light fix in LIMITATIONS.md:141 adds verbatim regulatory text and explicitly flags the "process" framing as ARCO's modeling translation.

Schema / Axiom paths

No schema, axiom, class, or property changes. All edits are to:

  • rdfs:comment annotation properties on instance fixtures
  • Python and SPARQL code comments
  • Prose documentation

The kiosk fixture's rdfs:comment (now corrected) flows into the negative-case certificate panel via select_system_comment.sparql. That is the only output text change visible to consumers.

Tests

  • python 03_TECHNICAL_CORE/scripts/run_pipeline.py returns ALL CHECKS PASSED, exit 0
  • Existing tests in 03_TECHNICAL_CORE/scripts/test_*.py unaffected (no assertions on annotation-property text)
  • Grep verification: Recital 22 and Article 3(36).{0,40}intended to be used patterns now appear only inside the local plan document (gitignored), not in the tracked technical core
  • All 14 fixes (11 in tracked files, 3 in local-only files) verified by per-fix backtest agents

Deferred

  • :PostRemoteBiometricIdentificationProcess skos:definition at ARCO_governance_extension.ttl:336 deliberately not modified. The class's rdfs:comment already discloses unused-stub status and the regulatory paraphrase context. The class-naming question (Process vs System for BFO Bucket 4 vs Bucket 1 modeling) tracked separately
  • Output structure work (executive summary restructure, row-level audit-table interpretations, RAG color convention, audit-trail / reproducibility anchor) is the separate next milestone
  • /intake of EU AI Act source into KB pending separate authorization

Revert

Each fix is a localized text edit in an annotation property, code comment, or prose paragraph. To roll back: `git revert 76c8cf7`. No cascading effects expected.

🤖 Generated with Claude Code

Two regulatory citation defects across 6 tracked files (11 specific text
edits). No schema, axiom, class, or property changes. Pipeline behavior
byte-identical: ALL CHECKS PASSED, exit 0.

Defect 1 (Recital 22 miscitation, 7 locations):
Recital 22 of Regulation (EU) 2024/1689 governs extraterritorial scope
(third-country operators), not the biometric verification carve-out. The
correct anchor chain is Recital 15 (definition + carve-out), Recital 17
(RBI-specific carve-out + rationale), and Annex III item 1(a) operative
clause. Fixed in:
  - 03_TECHNICAL_CORE/ontology/ARCO_instances_verification.ttl (lines
    18, 27): kiosk fixture rdfs:comment surfaced via
    select_system_comment.sparql into the negative-case certificate
    panel
  - 03_TECHNICAL_CORE/scripts/run_pipeline.py (lines 445, 1243):
    docstring + inline comment describing the design pattern
  - 03_TECHNICAL_CORE/reasoning/select_system_comment.sparql (line 6):
    SPARQL header comment
  - docs/MODELING_ROADMAP.md (line 15): public-facing modeling narrative

Defect 2 (Article 3(36) "intended to be used" misattribution, 4
locations in tracked files):
Article 3(36) is the technical 1:1 verification definition; it does not
contain the phrase "intended to be used." That framing appears verbatim
in Recital 15, Recital 17, and Annex III item 1(a). Fixed in:
  - docs/MODELING_ROADMAP.md (line 68)
  - docs/kiosk_demo_v1/kiosk_demo.md (lines 65, 172)
  - LIMITATIONS.md (line 114)

Defect 3 (Article 3(43) paraphrase fidelity, 1 location):
Article 3(43) verbatim uses "system" (BFO Bucket 1) where ARCO's
:PostRemoteBiometricIdentificationProcess class uses "process" (BFO
Bucket 4). Light fix in LIMITATIONS.md:141 adds the verbatim regulatory
text and explicitly flags the "process" framing as ARCO's modeling
translation. The corresponding TTL skos:definition at
ARCO_governance_extension.ttl:336 deliberately not modified: the
existing rdfs:comment already discloses the unused-stub status and
regulatory paraphrase context, so adding a redundant flag in the
definition would violate Adequatism.

Verification:
  - python 03_TECHNICAL_CORE/scripts/run_pipeline.py returns ALL CHECKS
    PASSED, exit 0
  - grep "Recital 22" across the technical core returns zero hits
  - grep 'Article 3(36).{0,40}intended to be used' returns zero hits
  - All 14 fixes verified by per-fix backtest agents (deploy + verify
    pattern)

Deferred:
  - Class-naming question (:PostRBI Process vs :PostRBI System for BFO
    Bucket 4 vs Bucket 1) tracked separately
  - /intake of the EU AI Act source into KB pending separate
    authorization
  - Output structure work (executive summary restructure, row-level
    audit-table interpretations, RAG colors, audit-trail anchor) is the
    separate next milestone

Revert: each fix is a localized text edit in an annotation property,
code comment, or prose paragraph. No cascading effects expected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
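The two grep checks listed under Verification, written as a repeatable regression scan (an added example, not code from the ARCO repository). The suffix filter, function names and sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Patterns from the PR's verification list. Parentheses are escaped so that
# "3(36)" is matched literally; unescaped, a regex engine reads (36) as a group.
FORBIDDEN = {
    "recital-22": re.compile(r"Recital\s+22\b"),
    # DOTALL lets the 40-character window span a line break in wrapped prose.
    "art-3-36-intended": re.compile(
        r"Article\s+3\(36\).{0,40}intended\s+to\s+be\s+used", re.DOTALL),
}
# Assumption: the file types the PR names as carrying citations.
SUFFIXES = {".ttl", ".py", ".sparql", ".md"}


def scan_text(name, text):
    """Return sorted (file, line, rule) hits for one file's contents."""
    hits = []
    for rule, pattern in FORBIDDEN.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((name, line, rule))
    return sorted(hits)


def scan_tree(root):
    """Scan every matching file under root; an empty list means clean."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += scan_text(str(path), text)
    return hits


# Constructed samples, not text from the repository.
SAMPLE_BAD = (
    "# Carve-out per Recital 22 of Regulation (EU) 2024/1689.\n"
    "Article 3(36) covers systems\n"
    "intended to be used for 1:1 verification.\n"
)
SAMPLE_GOOD = (
    "# Carve-out per Recital 15, Recital 17 and Annex III item 1(a).\n"
    "Article 3(36) defines 1:1 biometric verification.\n"
)

if __name__ == "__main__":
    for hit in scan_text("sample_bad.md", SAMPLE_BAD):
        print(hit)
```

Run as a CI step, `scan_tree` over the tracked directories should return an empty list; any hit names the file, line and rule that regressed.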

@Amosk21 Amosk21 merged commit 0138021 into chore/regulatory-conditions-to-governance May 15, 2026
Amosk21 added a commit that referenced this pull request May 21, 2026
* fix(citations): correct EU AI Act anchors for verification carve-out (#70)

Two regulatory citation defects across 6 tracked files (11 specific text
edits). No schema, axiom, class, or property changes. Pipeline behavior
byte-identical: ALL CHECKS PASSED, exit 0.

Defect 1 (Recital 22 miscitation, 7 locations):
Recital 22 of Regulation (EU) 2024/1689 governs extraterritorial scope
(third-country operators), not the biometric verification carve-out. The
correct anchor chain is Recital 15 (definition + carve-out), Recital 17
(RBI-specific carve-out + rationale), and Annex III item 1(a) operative
clause. Fixed in:
  - 03_TECHNICAL_CORE/ontology/ARCO_instances_verification.ttl (lines
    18, 27): kiosk fixture rdfs:comment surfaced via
    select_system_comment.sparql into the negative-case certificate
    panel
  - 03_TECHNICAL_CORE/scripts/run_pipeline.py (lines 445, 1243):
    docstring + inline comment describing the design pattern
  - 03_TECHNICAL_CORE/reasoning/select_system_comment.sparql (line 6):
    SPARQL header comment
  - docs/MODELING_ROADMAP.md (line 15): public-facing modeling narrative

Defect 2 (Article 3(36) "intended to be used" misattribution, 4
locations in tracked files):
Article 3(36) is the technical 1:1 verification definition; it does not
contain the phrase "intended to be used." That framing appears verbatim
in Recital 15, Recital 17, and Annex III item 1(a). Fixed in:
  - docs/MODELING_ROADMAP.md (line 68)
  - docs/kiosk_demo_v1/kiosk_demo.md (lines 65, 172)
  - LIMITATIONS.md (line 114)

Defect 3 (Article 3(43) paraphrase fidelity, 1 location):
Article 3(43) verbatim uses "system" (BFO Bucket 1) where ARCO's
:PostRemoteBiometricIdentificationProcess class uses "process" (BFO
Bucket 4). Light fix in LIMITATIONS.md:141 adds the verbatim regulatory
text and explicitly flags the "process" framing as ARCO's modeling
translation. The corresponding TTL skos:definition at
ARCO_governance_extension.ttl:336 deliberately not modified: the
existing rdfs:comment already discloses the unused-stub status and
regulatory paraphrase context, so adding a redundant flag in the
definition would violate Adequatism.

Verification:
  - python 03_TECHNICAL_CORE/scripts/run_pipeline.py returns ALL CHECKS
    PASSED, exit 0
  - grep "Recital 22" across the technical core returns zero hits
  - grep 'Article 3(36).{0,40}intended to be used' returns zero hits
  - All 14 fixes verified by per-fix backtest agents (deploy + verify
    pattern)

Deferred:
  - Class-naming question (:PostRBI Process vs :PostRBI System for BFO
    Bucket 4 vs Bucket 1) tracked separately
  - /intake of the EU AI Act source into KB pending separate
    authorization
  - Output structure work (executive summary restructure, row-level
    audit-table interpretations, RAG colors, audit-trail anchor) is the
    separate next milestone

Revert: each fix is a localized text edit in an annotation property,
code comment, or prose paragraph. No cascading effects expected.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(output): separate scope metadata from graph-backed entailment

Article 6(3) derogation scope qualifier no longer concatenated into
`VERIFIED (ENTAILED)` literals (certificate text, summary print,
summary.json, HTML badge, cert_lines builder). Scope surfaces as a
separate field everywhere it appeared:
- `derogation_evaluation_scope` object in summary.json
- separate `ARTICLE 6(3) DEROGATION: NOT EVALUATED (run scope)` line
  in certificate.txt
- pre-existing `derogation_scope_badge` HTML node now the canonical
  HTML disclosure surface

Gate 3 display now requires the USS to designate `:NaturalPersonRole`
(not just USS existence). Shared `gate3_designates_expected_role`
helper applied to both HTML view and determination packet status,
closing the display-weaker-than-OWL-axiom gap.

`test_output_provenance.py` forbidden-pattern check passes 0/0. README
and LIMITATIONS updated to remove stale "failing-by-design" language
and "LIVE" markers on the now-closed Gate 3 and Article 6(3) defects.

Closes OPEN_PROBLEMS L3.4 (Gate 3 truth-surface) and the Article 6(3)
mixed-provenance forbidden-pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(adversarial): add 5(b) equivalentClass decoy parity

New fixture `ARCO_instances_adversarial_decoy_5b.ttl` declares
`:WeirdCalculator owl:equivalentClass :CreditworthinessEvaluationCapability`,
types `:WeirdCalc_Disposition` only as the alias class, and asserts the
three-gate participants (IUS prescribing a `:CreditworthinessEvaluationProcess`
token, USS designating `:NaturalPersonRole`). Adversarial-purity
discipline matches the 1(a) decoy: no provider organisation, no
assessment documentation, no obligation, no determination ICE — only
what the gate axiom needs to fire.

New `test_credit_decoy_classifies_via_equivalent_class` in
`test_adversarial_mechanism.py` verifies five assertions:
  1. pre-reasoning disposition typed as alias only
  2. pre-reasoning disposition NOT typed as :CreditworthinessEvaluationCapability
  3. post-reasoning disposition IS typed as :CreditworthinessEvaluationCapability
  4. post-reasoning system entails :AnnexIII5bApplicableSystem
  5. post-reasoning system does NOT entail :AnnexIII1aApplicableSystem
     (cross-category isolation preserved)

Alias path's IRIs and labels avoid Credit / Score / Assessment / Evaluation
/ 5b vocabulary so a grep/label-matching reader sees no regulated-class
hint in the disposition, module, or system names. The `rdfs:comment` on
the alias class necessarily names :CreditworthinessEvaluationCapability
(that is what `owl:equivalentClass` documents).

README and LIMITATIONS adversarial-coverage descriptions updated to
reflect two equivalentClass decoys (1(a) + 5(b)) plus the blank-node ghost.

Closes OPEN_PROBLEMS L3.7 (5(b) adversarial equivalentClass parity).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(readme): tighten adversarial-coverage claim

"the regulated class IRI never appears in the input data" is not
literally true — the regulated class IRI does appear in the
`owl:equivalentClass` declaration on the alias class. The safer
claim is that the regulated class is not asserted as the
disposition's type. The equivalentClass declaration is class-level,
not instance-level, so the reasoner reaches the disposition's
classification via class-equivalence propagation, not via direct
type assertion. That distinction is what the test exercises.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(hermit): add 5(b) adversarial decoy to cross-reasoner matrix

Adds `ARCO_instances_adversarial_decoy_5b.ttl` (system
`:WeirdCalcSystem_001`) to the HermiT-vs-OWL-RL cross-check matrix
so the new 5(b) equivalentClass decoy is verified under both
reasoners before merge, matching the 1(a) decoy's existing coverage.

The fixture uses named individuals only (no blank-node disposition)
so it does not hit the GhostSystem exclusion path documented in
hermit_cross_check.py's module docstring.

Three loci touched:
- 03_TECHNICAL_CORE/scripts/hermit_cross_check.py: CERTIFICATE_GRADE_SCENARIOS
- .github/workflows/robot-validate.yml: matrix strategy fixture list
- LIMITATIONS.md §7.4: HermiT cross-check inventory prose

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
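
Assertions 1 to 3 of the 5(b) decoy test described above, as an added example that is not ARCO's code: a pure-Python stand-in for the OWL 2 RL equivalent-class rules (cax-eqc1/cax-eqc2) run over constructed triples that reuse the names from the commit message. The `label_match` screen and the triple layout are assumptions; the gate axioms behind assertions 4 and 5 are not on the page and are not modelled.

```python
RDF_TYPE = "rdf:type"
EQUIV = "owl:equivalentClass"
REGULATED = ":CreditworthinessEvaluationCapability"
DISPOSITION = ":WeirdCalc_Disposition"

# Constructed triples modelled on the commit message's description;
# the real fixture's contents are not shown on the page.
DECOY = {
    (":WeirdCalculator", EQUIV, REGULATED),        # class-level alias
    (DISPOSITION, RDF_TYPE, ":WeirdCalculator"),   # instance typed as alias only
}
NEEDLES = ("Credit", "Score", "Assessment", "Evaluation", "5b")


def types_of(graph, individual):
    """Asserted (or, after closure, inferred) types of one individual."""
    return {o for s, p, o in graph if s == individual and p == RDF_TYPE}


def label_match(graph, individual):
    """Naive screen: does the individual's IRI or any type IRI look regulated?"""
    names = {individual} | types_of(graph, individual)
    return any(n.lower() in name.lower() for name in names for n in NEEDLES)


def close_equivalent_classes(graph):
    """Apply cax-eqc1/cax-eqc2 until no new rdf:type triple is produced."""
    closed = set(graph)
    while True:
        pairs = {(a, b) for a, p, b in closed if p == EQUIV}
        pairs |= {(b, a) for a, b in pairs}  # equivalence is symmetric
        new = {(x, RDF_TYPE, b)
               for x, p, c in closed if p == RDF_TYPE
               for a, b in pairs if a == c}
        if new <= closed:
            return closed
        closed |= new


if __name__ == "__main__":
    print("pre :", sorted(types_of(DECOY, DISPOSITION)),
          "label screen flags:", label_match(DECOY, DISPOSITION))
    inferred = close_equivalent_classes(DECOY)
    print("post:", sorted(types_of(inferred, DISPOSITION)))
```

The label screen sees nothing in the asserted data, while the closure types the disposition as the regulated class, which is the gap between grep-style review and entailment that the decoy is built to expose.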