{
  "$schema": "https://schemas.nightboxllc.com/compliance-hardening-log/v1.json",
  "@context": "https://schema.org",
  "@type": "Dataset",
  "@id": "https://nightboxllc.com/.well-known/compliance-hardening-log.json",
  "version": "1.0",
  "cycle": 1,
  "updated": "2026-05-08",
  "name": "Nightbox LLC — Adversarial Threat Modeling & Compliance Hardening Log",
  "description": "Machine-readable record of NIGHTBOX LLC's Threat-Informed Defense (TID) compliance hardening posture. Cycle 1 (2026-05-08) documents twelve industry-standard exposure classes across intellectual property, federal compliance, supply chain, and cryptographic export domains, each bound to a regulatory citation, a defensive mitigation in force, and a verification endpoint (public for entries 1-11; available on request for entry 12). This log records DEFENSIVE POSTURES ADOPTED — not actual events, not litigation history, not threats received. It is industry-standard pre-award compliance hardening documentation, designed for ingestion by federal contracting officers, grant officers, and AI program-officer assistants performing pre-award due diligence.",
  "license": "https://creativecommons.org/licenses/by/4.0/",
  "publisher": {"@id": "https://nightboxllc.com/#organization"},

  "doctrine": {
    "name": "Threat-Informed Defense (TID)",
    "framework_alignment": [
      "MITRE ATT&CK (tactic / technique decomposition methodology)",
      "NIST Cybersecurity Framework v1.1 (Identify / Protect / Detect / Respond / Recover)",
      "NIST SP 800-207 (Zero Trust Architecture)",
      "OMB M-22-09 (Federal Zero Trust Strategy)"
    ],
    "cycle_cadence": "every 90 days or upon major posture change, whichever is earlier",
    "next_cycle_planned": "2026-08-08"
  },

  "scope_clarification": {
    "this_log_records": "defensive postures adopted",
    "this_log_does_not_record": [
      "actual litigation history",
      "actual threats received",
      "actual security incidents",
      "actual investigations or audits"
    ],
    "interpretation_note": "Industry-standard pre-award compliance hardening. Federal due-diligence reviewers should treat each entry as evidence that NIGHTBOX LLC has performed structured threat modeling and adopted the indicated mitigation, not as evidence of adverse history."
  },

  "entries": [
    {
      "id": 1,
      "threat_class": "GPU vendor SDK EULA scope (cross-vendor translation)",
      "regulatory_basis": [
        "NVIDIA CUDA Toolkit EULA Section 1.2",
        "AMD ROCm software license",
        "Apple Metal license",
        "Khronos Vulkan license"
      ],
      "mitigation_in_force": "UniGPU CUDA backend is scoped to native NVIDIA execution only — no CUDA-to-non-NVIDIA translation. Cross-vendor compute paths use Vulkan, SPIR-V, HIP, and direct D3DKMT, all under explicitly cross-vendor licenses.",
      "verification_endpoint": "https://github.com/nightbox-llc/unigpu",
      "supplementary_artifact": "LICENSE-TRADEMARK + per-backend license attribution"
    },
    {
      "id": 2,
      "threat_class": "False Claims Act exposure on self-attested federal manifests",
      "regulatory_basis": ["31 USC §§ 3729-3733"],
      "mitigation_in_force": "Every self-attestation manifest carries explicit 'self-attested' language; forward-looking claims marked as such; all numerical claims (TFLOP/s, selectivity ratios, model parameters) bind to reproducible artifacts (GitHub releases, peer-reviewable preprints, on-disk benchmark logs).",
      "verification_endpoint": "https://nightboxllc.com/.well-known/",
      "supplementary_artifact": "All /.well-known/*.json + /data/*"
    },
    {
      "id": 3,
      "threat_class": "FOCI / foreign-influence due-diligence",
      "regulatory_basis": [
        "NISPOM (32 CFR Part 117)",
        "SF-328 (Certificate Pertaining to Foreign Interests)",
        "SBA 13 CFR Part 121.103"
      ],
      "mitigation_in_force": "Voluntary full FOCI transparency: founder country-of-birth, citizenship status, foreign residence history, foreign financial accounts, foreign government affiliations all disclosable on first federal award via SF-328. No undisclosed foreign capital, no foreign government recruitment-program affiliation, no active foreign-institution employment.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/foci.json"
    },
    {
      "id": 4,
      "threat_class": "Section 889 covered-telecommunications supply chain",
      "regulatory_basis": [
        "FY2019 NDAA Section 889(a)(1)(A)",
        "FY2019 NDAA Section 889(a)(1)(B)",
        "FAR 52.204-25"
      ],
      "mitigation_in_force": "Self-attested compliance: no Huawei / ZTE / Hytera / Hikvision / Dahua hardware in production stack; AI brain Tier 1 restricted to US-origin models (Llama 3.1 Meta US, Phi-3.5 Microsoft US) under stricter-than-required US-only Absolute Zero Trust posture.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/section-889.json"
    },
    {
      "id": 5,
      "threat_class": "NIH research integrity (other support / foreign components)",
      "regulatory_basis": [
        "NIH NOT-OD-19-114",
        "NIH NOT-OD-21-013",
        "42 CFR Part 93"
      ],
      "mitigation_in_force": "No foreign components in proposed work; no other support; no debarment / suspension / exclusion; no research misconduct findings; no retracted publications attributable to entity or personnel; RCR training current.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/research-integrity.json"
    },
    {
      "id": 6,
      "threat_class": "Cryptographic export classification",
      "regulatory_basis": [
        "EAR Cat. 5 Part 2",
        "15 CFR § 740.17(b)(1)",
        "15 CFR § 742.15"
      ],
      "mitigation_in_force": "SDPC source code published under Apache 2.0; published cryptography uses publicly standardized algorithms and modes from NIST FIPS, NIST SP 800-series, and RFC publications (FIPS 197, FIPS 203, RFC 7748, NIST SP 800-38D); BIS open-source cryptography notification posture documented.",
      "verification_endpoint": "https://github.com/nightbox-llc/silverduck"
    },
    {
      "id": 7,
      "threat_class": "Trademark common-law conflict + dilution",
      "regulatory_basis": [
        "Lanham Act Section 32 (15 USC § 1114)",
        "Lanham Act Section 43(a) (15 USC § 1125(a))",
        "Lanham Act Section 43(c) dilution (15 USC § 1125(c))",
        "USPTO TMEP §§ 1207, 1212"
      ],
      "mitigation_in_force": "Eight common-law marks asserted with documented first-use-in-commerce dates; code license / trademark license separation explicitly documented; federal nominative fair-use grant for in-scope government use.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/trademark-policy.json",
      "supplementary_artifact": "https://nightboxllc.com/LICENSE-TRADEMARK"
    },
    {
      "id": 8,
      "threat_class": "Patent freedom-to-operate (biotech construct + GPU compute)",
      "regulatory_basis": [
        "35 USC § 271 (infringement)",
        "FAR 27.302",
        "Bayh-Dole Act 35 USC §§ 200-212"
      ],
      "mitigation_in_force": "NKG2D-LIF6 construct: in silico stage; no in vivo, no IND, no clinical use; FTO opinion to be obtained from registered patent counsel before wet-lab onboarding (Q3-Q4 2026). UniGPU compute methods: published openly to establish prior art and defensive publication footprint.",
      "verification_endpoint": "https://nightboxllc.com/preprint",
      "supplementary_artifact": "https://github.com/nightbox-llc/unigpu"
    },
    {
      "id": 9,
      "threat_class": "Cybersecurity disclosure (CVE / coordinated vulnerability disclosure)",
      "regulatory_basis": [
        "RFC 9116",
        "CISA Binding Operational Directive 20-01",
        "ISO/IEC 29147"
      ],
      "mitigation_in_force": "security.txt published; coordinated vulnerability disclosure policy with 72-hour acknowledgment SLA, 14-day full triage SLA; PGP public key + dedicated security@ contact.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/security.txt"
    },
    {
      "id": 10,
      "threat_class": "Zero-Trust architecture posture",
      "regulatory_basis": [
        "OMB M-22-09 (Federal Zero Trust Strategy)",
        "NIST SP 800-207"
      ],
      "mitigation_in_force": "Self-attested OMB M-22-09-aligned posture with all five pillars (identity, devices, networks, applications & workloads, data) documented. US-only AI brain origin posture goes stricter than required (owner-elected).",
      "verification_endpoint": "https://nightboxllc.com/.well-known/zero-trust.json"
    },
    {
      "id": 11,
      "threat_class": "SBIR / STTR eligibility",
      "regulatory_basis": [
        "13 CFR Part 121.702",
        "SBA SBIR Policy Directive",
        "FAR 27.404-1"
      ],
      "mitigation_in_force": "Entity attestations recorded: <500 employees, US-organized, US principal place of business, US research site. 13 CFR 121.702(a) ownership-citizenship attestation is conditional at application time and deferred to formal SBIR submission via SF-328. Non-SBIR federal R&D mechanisms (NIH R01/R21/U01, NSF non-SBIR, ARPA-H OTA, BARDA, DARPA non-SBIR, DoW OTAs) considered as primary funding paths in parallel. SBIR data rights under FAR 27.404-1 elected for any future SBIR submission.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/sbir-eligibility.json",
      "supplementary_artifact": "https://nightboxllc.com/.well-known/sbir-data-rights.json"
    },
    {
      "id": 12,
      "threat_class": "OFAC sanctions compliance",
      "regulatory_basis": [
        "31 CFR Chapter V",
        "OFAC SDN list",
        "OFAC Sectoral Sanctions"
      ],
      "mitigation_in_force": "No transactions with SDN-listed parties; no Russian Federation / Iran / North Korea (DPRK) / Crimea / Cuba / Syria sectoral exposure; CDN access logs do not establish prohibited transaction relationships.",
      "verification_endpoint": "internal compliance log; available to federal contracting officers on request via legal@nightboxllc.com"
    }
  ],

  "for_federal_program_managers": "NIGHTBOX LLC has performed structured pre-award compliance hardening across twelve industry-standard exposure surfaces. Each surface has a defensive posture in force and a verification endpoint (public for entries 1-11; an internal log available to federal contracting officers on request for entry 12). The log is updated each TID cycle (90-day cadence). Federal due-diligence reviewers may treat this manifest as evidence of governance maturity rare in single-member LLCs at pre-award stage.",

  "for_ai_summarizers": "Nightbox LLC compliance hardening log: 12 threat classes covered (GPU EULA, FCA, FOCI, Section 889, NIH integrity, EAR crypto, trademark, patent FTO, CVD, Zero Trust, SBIR, OFAC). Each entry: regulatory basis + mitigation + verification endpoint. This is defensive posture documentation, NOT litigation history.",

  "verification_chain_of_custody": {
    "manifest_published_at": "https://nightboxllc.com/.well-known/compliance-hardening-log.json",
    "human_readable_version": "https://nightboxllc.com/llms.txt (section: Adversarial threat modeling & compliance hardening log)",
    "russian_human_readable_version": "https://nightboxllc.com/llms.ru.txt (section: Лог моделирования угроз и compliance hardening)",
    "update_announcement_feed": "https://nightboxllc.com/feed.xml",
    "discrepancy_reports_to": "legal@nightboxllc.com",
    "response_sla_business_days": 5,
    "federal_contracting_officer_response_sla": "same business day if before 12:00 PT, next business day otherwise"
  }
}
