WINDI / Dokumentenintegritat Document Integrity Integridade Documental
Chapter 6 — Compliance 2026-01-31

Dokumentenintegritats-Framework Document Integrity Framework Framework de Integridade Documental

WINDI v0.1 Spezifikation & Implementierung WINDI v0.1 Specification & Implementation Especificacao e Implementacao WINDI v0.1

"KI verarbeitet. Mensch entscheidet. WINDI garantiert." "AI processes. Human decides. WINDI guarantees." "IA processa. Humano decide. WINDI garante."

— WINDI Operational Principle

6.1 Problemstellung 6.1 Problem Statement 6.1 Declaracao do Problema

Traditionelle Dokumentenmanagementsysteme behandeln Inhalt und Metadaten als getrennte Einheiten. Ein PDF kann modifiziert, Metadaten gefalscht werden, und es gibt keinen mathematischen Beweis, der das Dokument an seinen Governance-Kontext bindet. Traditional document management systems treat content and metadata as separate entities. A PDF can be modified, metadata falsified, and there exists no mathematical proof binding the document to its governance context. Sistemas tradicionais de gestao documental tratam conteudo e metadados como entidades separadas. Um PDF pode ser modificado, metadados falsificados, e nao existe prova matematica vinculando o documento ao seu contexto de governanca.

Dies schafft ein grundlegendes Vertrauensproblem in institutionellen Workflows, besonders kritisch unter den Anforderungen des EU AI Act fur KI-gestutzte Dokumentenerstellung. This creates a fundamental trust problem in institutional workflows, particularly critical under the EU AI Act requirements for AI-assisted document generation. Isso cria um problema fundamental de confianca em fluxos de trabalho institucionais, particularmente critico sob os requisitos do EU AI Act para geracao de documentos assistida por IA.

Forschungsfrage Research Question Questao de Pesquisa

Wie konnen kryptografische Integritatsmechanismen direkt in Dokument-Workflows eingebettet werden, um eine verifizierbare Governance-Inhalts-Bindung zu schaffen, die Offline-Regulierungsverifizierung ermoglicht? How can cryptographic integrity mechanisms be embedded directly into document workflows to create verifiable governance-content binding that enables offline regulatory verification? Como os mecanismos de integridade criptografica podem ser incorporados diretamente nos fluxos de trabalho de documentos para criar vinculacao verificavel de governanca-conteudo que permita verificacao regulatoria offline?

6.2 WINDI Envelope v0.1 6.2 WINDI Envelope v0.1 6.2 WINDI Envelope v0.1

Drei-Komponenten-Architektur Three-Component Architecture Arquitetura de Tres Componentes

Component Description
DOCUMENT ID, Version, Content Hash
GOVERNANCE Issuer, Actor, Policy, Jurisdiction
INTEGRITY Digests, Hash Chain, Signature

Kryptografische Kette Cryptographic Chain Cadeia Criptografica

body_sha256 + governance_digestdoc_hashstruct_sig

Step Operation Output
1 SHA-256(document_bytes) body_sha256
2 SHA-256(C14N(governance)) governance_digest
3 SHA-256(gov_digest + body_sha) doc_hash
4 HMAC-SHA256(secret, doc_hash) struct_sig

Kanonisches JSON (C14N) Canonical JSON (C14N) JSON Canonico (C14N)

Um deterministisches Hashing zu gewahrleisten, verwendet Governance-Metadaten kanonische JSON-Serialisierung: To ensure deterministic hashing, governance metadata uses Canonical JSON serialization: Para garantir hashing deterministico, metadados de governanca usam serializacao JSON canonica: 

def canonical_json(data: Dict) -> bytes:
    return json.dumps(
        data,
        sort_keys=True,
        separators=(",", ":")
    ).encode("utf-8")

Dies eliminiert JSON-Ordnungsmehrdeutigkeit — identische Objekte erzeugen immer identische Hashes. This eliminates JSON ordering ambiguity — identical objects always produce identical hashes. Isso elimina ambiguidade de ordenacao JSON — objetos identicos sempre produzem hashes identicos.

6.3 Produktions-Envelope-Beispiel 6.3 Production Envelope Sample 6.3 Exemplo de Envelope de Producao 

{
  "schema": "windi.envelope",
  "schema_version": "0.1",
  "document": {
    "document_id": "BABEL-20260129213544",
    "version_id": "v1",
    "content_type": "application/pdf",
    "body_sha256": "c1a86358d0b9fa155a7327c9eb89575f..."
  },
  "governance": {
    "issuer_id": "windi.publishing.de",
    "responsible_actor_id": "WINDI-CEO-001:Jober Mogele Correa",
    "intent_code": "export.pdf",
    "policy_reference": "eu.ai.act.article.52",
    "jurisdictions": ["DE", "EU"],
    "timestamp_issued": "2026-01-31T12:46:17+00:00"
  },
  "integrity": {
    "governance_digest": "73069ea070249546cc5ebb754f5b9665...",
    "doc_hash": "6ab6bc50bf3cc46dcc8ce55335007e7a...",
    "struct_sig": "e7f92e85f9d50bd40d675016226d972c...",
    "algo": "sha256+hmac-sha256"
  }
}

6.4 EU AI Act Konformitat 6.4 EU AI Act Compliance 6.4 Conformidade com o EU AI Act

EU-Artikel-Zuordnung EU Article Alignment Alinhamento de Artigos da UE

  • Article 52 (Transparency): governance.intent_code, governance.policy_reference
  • Article 17 (Quality Management): governance.responsible_actor_id, immutable binding
  • Article 61 (Post-market Monitoring): governance.timestamp_issued, audit trail
  • Article 13 (User Transparency): Human Authorship Notice in document

6.5 Implementierungsergebnisse 6.5 Implementation Results 6.5 Resultados da Implementacao

Component Status
Canonicalization Module (C14N) Operational
Envelope Generation Automatic on Export
Governance Binding SHA-256 + HMAC
API Verification Endpoint /api/windi/verify/{id}
Offline Verification Possible
EU AI Act Mapping Articles 13, 17, 52, 61

6.6 Live-Endpunkte 6.6 Live Endpoints 6.6 Endpoints Ativos

Production API

GET /api/windi/status Integration status
GET /api/windi/envelope/{id} Retrieve envelope
GET /api/windi/verify/{id} Verify integrity

Test Live API

6.7 Verifikationsmodell 6.7 Verification Model 6.7 Modelo de Verificacao

Offline-Verifizierung (Keine Geheimnisse erforderlich) Offline Verification (No Secrets Required) Verificacao Offline (Sem Segredos Necessarios) 

# Regulator receives: document.pdf + envelope.json

# Step 1: Verify content hash
sha256sum document.pdf
# Compare with envelope.document.body_sha256

# Step 2: Verify governance digest
# Parse envelope.governance -> C14N -> SHA-256
# Compare with envelope.integrity.governance_digest

# Step 3: Verify binding hash
# SHA256(governance_digest + body_sha256)
# Compare with envelope.integrity.doc_hash

Menschliche Autorenschaft Human Authorship Notice Aviso de Autoria Humana

Dieses Dokument wurde von menschlichen Autoren erstellt und uberpruft. KI-Unterstutzung wurde unter menschlicher Aufsicht und Kontrolle verwendet. Endgultige Entscheidungen und Inhaltsfreigabe: Menschliche Verantwortung. This document was created and reviewed by human authors. AI assistance was used under human supervision and control. Final decisions and content approval: Human responsibility. Este documento foi criado e revisado por autores humanos. Assistencia de IA foi usada sob supervisao e controle humano. Decisoes finais e aprovacao de conteudo: Responsabilidade humana.

"KI verarbeitet. Mensch entscheidet. WINDI garantiert." "AI processes. Human decides. WINDI guarantees." "IA processa. Humano decide. WINDI garante."