{"title":"The Compliance Receipt Envelope (CRE) Standard v1.0","thesis":"Compliance is not a workflow. It is a side effect of transacting. Every SOC 2 / ISO 27001 / HIPAA / GDPR / EU AI Act control is reducible to a tuple of fields on a cryptographically-signed envelope. If the envelope validates, the control is machine-attested.","standards_replaced":["SOC 2 Type II annual audit (replaced by per-transaction CRE)","ISO 27001 surveillance audits (replaced by continuous CRE coverage)","HIPAA log-review burden (replaced by CRE audit trail)","21 CFR Part 11 e-signature (replaced by ML-DSA-65 dual-sig)","Business Associate Agreements (replaced by CRE flow-down)","GDPR Article 30 records (replaced by CRE export)"],"standards_extended":["EU AI Act high-risk attestation (CRE = perpetual conformity record)","NIS2 incident reporting (CRE.404.a auto-fires)","DORA ICT third-party register (CRE flow-down satisfies)","eIDAS2 qualified signature (ML-DSA-65 satisfies QES requirements)"],"key_properties":["Offline-verifiable — auditor verifies without calling Hive","Post-quantum — ML-DSA-65 (FIPS 204) signed","Cross-framework — one envelope satisfies up to 13 frameworks","Continuous — every transaction is its own audit","Tamper-evident — SHA3-256 canonical hash binds all fields","Privacy-preserving — only hashes are envelope-resident"]}