Every Burooj-deployed application exposes five public endpoints that satisfy EU AI Act Art. 13/14/15 and most SOC 2 CC6.x controls automatically. Anyone — a regulator, an auditor, an insurer, a prospective acquirer of the customer's company — can verify a Burooj app directly, without contacting Burooj or the customer.
Append the path to any Burooj-deployed app's URL. They are unauthenticated, cached for 5 minutes, and return CORS-permissive JSON (Access-Control-Allow-Origin: *).
GET /__burooj/manifest
Verifiable Build Manifest. Every file shipped, with its SHA-256 digest, the AI role + model that produced it, and the audits it passed. Signed by Burooj with a GCP-KMS asymmetric key (EC-P256). Hashes are arranged into a Merkle tree so a single file can be verified independently.
GET /__burooj/contract
Executable contract. The set of predicates this build is required to satisfy at all times — written in our DSL plus human-readable Markdown prose. The build refused to ship until each of these passed; the runtime witness checks they keep passing.
GET /__burooj/witness
Runtime witness. Last 30 days of contract violations observed in production, aggregated and stripped of PII. Empty in steady state; populated when reality drifts from the contract.
GET /__burooj/sbom
Software Bill of Materials. CycloneDX 1.5 — every transitive dependency, license, and (in Phase B) CVE rollup. Signed by the same KMS key as the manifest, so a verifier who already trusts one trusts both.
GET /__burooj/audit-log
Signed-diff audit log. Chronological chain of every code change since this build, each one a separately-signed unified diff with the change request that triggered it and the predicate regression report at the time of application.
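The manifest description above says file hashes are arranged into a Merkle tree so that a single file can be checked on its own. The script below is an added illustration of what that check looks like, not Burooj's code and not the schema the real /__burooj/manifest uses: the manifest layout (a sorted list of path + sha256 entries plus a merkle_root), the leaf and node domain-separation prefixes, and the sample files are all assumptions constructed for the example. The KMS signature over the root is out of scope here; a real verifier would check it with the published EC-P256 public key before trusting the root at all.

```python
"""Verify one shipped file against a Merkle-structured build manifest.

Added example, not Burooj's verifier. The manifest shape, the 0x00/0x01
leaf/node prefixes and the sample files are constructed assumptions.
"""
import hashlib
import json

# Domain separation: a leaf hash can never be reinterpreted as an internal
# node (and vice versa), which blocks the classic second-preimage trick on
# naive Merkle trees.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def leaf_hash(path: str, file_digest: str) -> bytes:
    # The leaf commits to the path as well as the content digest, so a file
    # cannot be silently swapped into a different location in the build.
    return hashlib.sha256(
        LEAF_PREFIX + path.encode() + b"\x00" + bytes.fromhex(file_digest)
    ).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(entries):
    """entries: list of (path, hex digest) sorted by path. Returns all layers,
    leaves first; odd layers are padded by duplicating the last node."""
    level = [leaf_hash(p, d) for p, d in entries]
    layers = [level]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        layers.append(level)
    return layers


def root_of(entries) -> str:
    return build_tree(entries)[-1][0].hex()


def proof_for(entries, index):
    """Sibling hashes from the leaf up to the root, tagged with their side."""
    proof = []
    for level in build_tree(entries)[:-1]:
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling].hex()))
        index //= 2
    return proof


def verify_file(path, file_bytes, manifest_digest, proof, expected_root) -> bool:
    """True only if the local bytes match the manifest digest AND that digest
    is included in the tree under expected_root."""
    if sha256(file_bytes) != manifest_digest:
        return False
    node = leaf_hash(path, manifest_digest)
    for side, sib_hex in proof:
        sib = bytes.fromhex(sib_hex)
        node = node_hash(sib, node) if side == "L" else node_hash(node, sib)
    return node.hex() == expected_root


# Constructed sample build (not a real Burooj app); contents are made up.
SAMPLE_FILES = {
    "index.html": b"<!doctype html><title>demo</title>",
    "app.js": b"console.log('hello');",
    "styles.css": b"body{margin:0}",
}


def make_manifest(files: dict) -> dict:
    entries = sorted((p, sha256(b)) for p, b in files.items())
    return {
        "files": [{"path": p, "sha256": d} for p, d in entries],
        "merkle_root": root_of(entries),
    }


def manifest_entries(manifest):
    return [(f["path"], f["sha256"]) for f in manifest["files"]]


def proof_for_path(manifest, path):
    entries = manifest_entries(manifest)
    return proof_for(entries, [p for p, _ in entries].index(path))


def check(manifest, path, file_bytes) -> bool:
    """Stand-alone check of one file: needs only the manifest, not the other files."""
    digest = dict(manifest_entries(manifest))[path]
    return verify_file(path, file_bytes, digest, proof_for_path(manifest, path),
                       manifest["merkle_root"])


if __name__ == "__main__":
    m = make_manifest(SAMPLE_FILES)
    print(json.dumps(m, indent=2))
    print("app.js genuine :", check(m, "app.js", SAMPLE_FILES["app.js"]))
    print("app.js tampered:", check(m, "app.js", b"console.log('changed');"))
```

The point of the proof is that an auditor holding one file and the signed root can confirm that file belongs to the build with a handful of sibling hashes, without downloading every other artifact; the same structure means a single tampered file changes the root, so the KMS signature over the root covers every file at once.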
A tiny HTML index linking all five lives at /__burooj/index on every deployed app.
| Annex IV requirement | Satisfied by |
|---|---|
| Art. 13 — Transparency | /__burooj/contract |
| Art. 14 — Human oversight | /__burooj/audit-log |
| Art. 15 — Accuracy / robustness | /__burooj/manifest + /__burooj/witness |
| Cyber Resilience Act / EO 14028 SBOM | /__burooj/sbom |
Burooj's category bet is that the next generation of software is the one a CFO can sign off on. Lovable and Bolt and v0 all produce code that runs. None of them produce code with cryptographic provenance — files signed by the AI roles that produced them, audits binding the build to a contract, and runtime witnesses that prove the contract still holds in production.
This page is what a regulator opens when they ask "show me your AI evidence." This page is what a Series-B founder shows their acquiring bank's diligence team. This page is what an enterprise security review replaces a 200-question questionnaire with.
The signing public key is published at the manifest's burooj_kms_key_version field; resolve it via GCP KMS getPublicKey on the matching key version. The repo includes a CLI verifier (scripts/verify-vbm.ts) that auditors and regulators can run on a clean machine without GCP credentials.
Found a discrepancy? Email trust@burooj.ai. We respond within one business day.