Proof · Article 12 demo bundle

An Article 12 bundle.
Signed. Downloadable. Yours to break.

Most "Article 12 compliance" claims are bullet points. This is the actual artifact — a Merkle-rooted, Ed25519-signed JSON bundle from a real charter run, with a verifier that runs entirely in your browser. Hand it to your compliance team and let them check the math.

Download article12-demo.json Verify it in your browser

Pure client-side · no network calls

What's inside

A regulator-handable
personnel file.

The shipped bundle covers a single charter run: a EU pilot card-on-file checkout agent that fires a charge, a settle, and a refund on the Stripe sandbox rail — bookended by mission.start and mission.complete. Five events. One Merkle root. Six signatures. ~3 KB.

Events

5

mission · hold · settle · refund · complete

Signatures

6

5 per-event + 1 bundle-level

Retention

6 mo.

Article 12 minimum, extensible

Crypto

Ed25519

SHA-256 · Merkle root

article12-demo.json · excerpt

// version 2 of the MnemoPay Article 12 bundle schema
{
  "version": 2,
  "built_at": "2026-05-17T09:14:34.000Z",
  "meta": {
    "agent": {
      "did": "did:mp:4ef34eb9fa22942827a2e3eeb4db12e9",
      "publicKeySpkiDerHex": "302a300506032b65700321...",
      "label": "MnemoPay Article 12 Demo Key — NOT a production issuer key"
    },
    "charter": {
      "name": "checkout-bot-eu-pilot",
      "budgetMaxUsd": 100.0,
      "hash": "sha256:..."
    },
    "retention": { "months": 6, "legalBasis": "EU AI Act Article 12" }
  },
  "events": [
    { "kind": "mission.start",    "signature": "<ed25519>" },
    { "kind": "payment.hold",    "payload": { "rail": "stripe-sandbox", "amountUsd": 24.99 } },
    { "kind": "payment.settle",  "parent_id": "<hold uuid>" },
    { "kind": "payment.refund",  "payload": { "reason": "customer.dispute.withdrawn" } },
    { "kind": "mission.complete", "payload": { "status": "ok" } }
  ],
  "merkle_root": "deda17d936e7105ba66f9dc1904f779b...",
  "signature": {
    "alg": "Ed25519",
    "over": "canonicalize({meta, merkle_root, built_at})",
    "by": "did:mp:4ef34eb9...",
    "value": "<base64>"
  }
}

→ Full file: /proof/article12-demo.json

Who this is for

Three
reading angles.

Chief Compliance Officer / GRC lead

You're sizing up August 2026. You need to know whether MnemoPay's Article 12 claim is real or a slide deck. Download the file. Hand it to your auditor. The same bundle that ships in production lands in their inbox — only the trust anchor (issuer key) changes.

Procurement / vendor risk

Most AI vendors will hand you an SOC 2 PDF and a Trust Center page. This is a different artifact: a single signed object containing every agent action, recomputable to the byte. Add it to your RFP checklist as "vendor produces a Merkle-rooted event bundle verifiable without their cooperation."

Engineering lead evaluating MnemoPay

The bundle shape is what your charter runs already emit. Pipe the JSON into your own pipeline, your own retention store, your own SIEM. The verifier here is ~10 KB of vanilla JS — copy it, fork it, ship your own.

How to verify

Three steps,
all in your browser.

01

Download the bundle

Save article12-demo.json locally. ~3 KB. It's a plain signed JSON file — no zip, no envelope.

Download

02

Open the verifier

The verifier page is pure HTML + ~10 KB of vanilla JS. WebCrypto does the SHA-256 and Ed25519 work; nothing leaves your browser.

Open verifier

03

Get a verdict

Drop the file. Watch six checks light up: parse, version, Merkle root recompute, DID self-cert, per-event signatures, bundle signature. Green = VALID.

Trust model

A signed bundle
is not a trust anchor.

A Merkle root + Ed25519 signature prove one thing: whoever held the private key vouches for this exact event stream. Verification is mechanical; trust is a separate question.

For this public demo, the issuer is a known demo key whose private key is published in the generator script. Anyone can produce a forged "VALID" bundle with it — that's intentional. The demo proves the mechanism. Trust in production comes from the customer's own wallet, anchored in their own key-management process (KMS, HSM, or self-managed).

The mapping in production:

→Demo bundle: signed by the published demo key. Verifies the math. Does not verify the issuer.
→Production bundle: signed by the customer's Wallet. Public key registered out-of-band (DID document, signed PDF, customer trust page). Verifier checks both math and issuer.
→Audit-as-a-Service: MnemoPay holds the key in a managed HSM. Issuer is MnemoPay's published did:mp:*. Customer gets bundles signed under that anchor.

Reproducibility

Regenerate the bundle yourself.

The bundle is byte-deterministic. The generator script is open. Clone, run, diff. If your re-generated file doesn't match ours, that's a bug we want to know about.

regenerate.sh

# Build the SDK once
git clone https://github.com/mnemopay/mnemopay-sdk && cd mnemopay-sdk
npm install && npm run build

# Run the deterministic generator
cd ../mnemopay-site
node scripts/generate-article12-demo.mjs

# Compare byte-for-byte against the shipped file
diff proof/article12-demo.json <(curl -s https://mnemopay.com/proof/article12-demo.json)
# → no output means identical

Want this for your agents?

Article 12 bundles are built into the Apache-licensed SDK. Pro tier adds managed retention, signed-by-MnemoPay HSM anchoring, and the bundle export endpoint. Audit-as-a-Service runs the whole chain on your behalf.

See pricing Compliance overview

An Article 12 bundle. Signed. Downloadable. Yours to break.

A regulator-handablepersonnel file.

Threereading angles.

Three steps,all in your browser.

A signed bundleis not a trust anchor.