Skip to main content
A screening verdict on its own — ALLOW, REFER, DENY — does not record which payer it was about (without exposing personal data) or under which policy it was made. If the issuer quietly rotates its ruleset, an old verdict gives no signal that the rules changed underneath it. Compliance Gate (lite) closes that gap. You bring a categorical verdict from your own sanctions / PEP / AML provider; the package binds it to a no-PII payer reference and a pinned subject reference (a policy_bound_ref, a settlement-action binding_ref, or a retention_chain_ref) into a deterministic, recomputable gate_ref. Because the verdict is bound to the subject by hash, a decision made under one policy snapshot does not recompute under a rotated policy — it is provably tied to the policy that was in force. It is strictly additive over the frozen Layer 1: no new cryptographic primitive, the same RFC 8785 JCS + SHA-256 already in use.
Apache-2.0 open source. Install via pip install algovoi-compliance-gate-lite or npm install @algovoi/compliance-gate-lite. Python and TypeScript are byte-for-byte identical on the same input. This is the lite tier — content-addressed, no signature; the commercial Compliance Gate adds Falcon-1024 post-quantum signing, the maintained verifier, and the Proofs zero-knowledge layer.

How it works

Two references, both computed with RFC 8785 JCS canonicalisation and SHA-256: 
payer_ref = "sha256:" + SHA-256(JCS({ address, network }))            # the address goes in, only its hash comes out
gate_ref  = "sha256:" + SHA-256(JCS({ payer_ref, subject_ref, verdict }))
  • payer_ref is the content hash of {address, network}. The cleartext address is screened by your provider but never emitted — only its digest appears, so the bound record carries no PII.
  • verdict is a closed enumeration: ALLOW, REFER, DENY. A REFER (for example a suspicious-activity-report obligation) is byte-distinct from a DENY; a value outside the set is rejected, not hashed.
  • gate_ref binds the verdict and payer to a subject_ref — imported by hash, so the same construction binds to a policy_bound_ref (from Policy Binding), a settlement-action binding_ref, or a retention_chain_ref, of any version.

What a verifier can check

Verifier holdsWhat they can check
A gate_ref + verdict + payer_ref + subject_refThat the verdict was made for exactly this payer and subject (gate_ref recomputes)
The same, with the subject under a rotated policyRotation is detected — the gate_ref fails to recompute under P'
A gate_ref + a different verdictVerdict tamper is detected — ALLOW, REFER, DENY are byte-distinct
No issuer call. No registry lookup. No AlgoVoi service. RFC 8785 JCS, SHA-256, and a JSON parser are the entire dependency. The binding enables rejection; acting on a mismatch (refusing the record) is a runtime verifier decision, not a property of the construction.

Use

from algovoi_compliance_gate_lite import payer_ref, gate_ref, verify

payer = payer_ref("base", "0x…payer")                  # no PII: only sha256 out
# subject is any pinned ref — e.g. a policy_bound_ref from algovoi-policy-binding
ref = gate_ref("ALLOW", payer, "sha256:aaee2091…")      # bind verdict to payer + policy
verify(ref, "ALLOW", payer, "sha256:aaee2091…")         # True
verify(ref, "DENY",  payer, "sha256:aaee2091…")         # False — verdict tamper

import { payerRef, gateRef, verify } from '@algovoi/compliance-gate-lite';

const payer = payerRef('base', '0x…payer');
const ref = gateRef('ALLOW', payer, 'sha256:aaee2091…');
verify(ref, 'ALLOW', payer, 'sha256:aaee2091…');        // true

Conformance

The compliance_gate_lite_v1 vector set (12 vectors) is published in the public corpus — chopmob-cloud/algovoi-jcs-conformance-vectors — with Python and Node runners. It covers the payer reference, the three verdicts, verdict / policy-rotation / payer tamper, and the closed-enumeration and malformed-reference rejections. Python and TypeScript reproduce every value byte-for-byte.

Lite vs commercial

Lite (this package)Compliance Gate (commercial)
LicenceApache-2.0, openCommercial OEM
Verdict bindingcontent-addressed gate_refthe same, Falcon-1024 signed
Privacy proofProofs (zero-knowledge)
Verifierrecompute offlinemaintained verifier
Best foropen integrations, evaluationregulated production, enterprise terms

Adopters

If you build on algovoi-compliance-gate-lite, pin ==0.1.0, anchor a canonical vector hash from compliance_gate_lite_v1, and keep the NOTICE, you qualify for a free v0 licence key for algovoi-mandate-auditor. The gate is scripts/check_v0_adoption.py (dependency + canonical hash anchor + NOTICE + version pin → ISSUE_V0_KEY). Apply: email chopmob@gmail.com.

Relationship to the open substrate

Compliance Gate (lite) sits directly on top of the open JCS Canonicalisation Substrate and composes with Policy Binding, the settlement-action binding, and the Retention Chain. It uses the same RFC 8785 JCS and SHA-256 primitives — no additional cryptographic dependencies.

Specification

The gate_ref construction and its conformance vectors are specified in IETF Internet-Draft draft-hopley-x402-retention-chain§7.8 Compliance Gate Binding and §8.11 Compliance Gate Binding Vectors (rev -05) — additive over the frozen canonicalisation substrate, sole AlgoVoi authorship.