Security narrative

Plain-language overview for board readers, with technical detail for security auditors. Factual posture — no marketing copy.

1. No cloud data transfer

Board paper text never leaves the local laptop. Inference runs on the Intel NPU via OpenVINO 2026.1.0 against Mistral-7B-Instruct-v0.3. Full narrative lands in D7.

2. Audit chain construction

Each pass produces a leaf hash (SHA-256 over canonical JSON). Leaves are combined into a Merkle root. The chain anchors against AI Act Art. 12 (record-keeping for high-risk AI systems) and supports DORA Arts. 5/6/8 (board accountability, ICT risk management framework, asset identification). Full narrative lands in D7.
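One way the construction above could be implemented and checked by an auditor, as an added example rather than the product's own code. Assumed here and not stated on this page: canonical JSON means sorted keys with compact separators in UTF-8, interior nodes carry a 0x01 prefix, an unpaired node is promoted unchanged, and the record field names are hypothetical.

```python
import hashlib
import json

# Constructed sample pass records; field names are hypothetical.
PASSES = [
    {"pass": 1, "model": "Mistral-7B-Instruct-v0.3", "step": "summarise"},
    {"pass": 2, "model": "Mistral-7B-Instruct-v0.3", "step": "risk-flags"},
    {"pass": 3, "model": "Mistral-7B-Instruct-v0.3", "step": "citations"},
]

def leaf_hash(record):
    # SHA-256 over canonical JSON (assumed form: sorted keys, compact, UTF-8).
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def node_hash(left, right):
    # Assumed 0x01 prefix keeps interior nodes distinct from leaf hashes.
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_levels(leaves):
    if not leaves:
        raise ValueError("audit chain needs at least one leaf")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:  # promoted unchanged; duplicating it would let two leaf lists share a root
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def merkle_root(leaves):
    return tree_levels(leaves)[-1][0]

def inclusion_proof(leaves, index):
    # Sibling hashes from leaf to root, each tagged with the side the sibling sits on.
    proof = []
    for level in tree_levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(record, proof, root):
    h = leaf_hash(record)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root
```

An auditor holding only the root and one pass record can confirm that record belongs to the chain with `verify_inclusion`, without seeing the other passes.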

3. NPU isolation

Physical inference boundary. Full narrative lands in D7.

4. Stack hardening

Next.js 16.2.6 + React 19.2.6 (May 2026 patch floor; covers CVE-2025-29927 middleware bypass, CVE-2026-44581 CSP nonce XSS, CVE-2026-23870 RSC Flight DoS). CSP with per-request nonces; HSTS on M2; HttpOnly+Secure+SameSite=Strict session cookies. Full narrative lands in D7.

5. Compliance roadmap

SOC 2 trajectory begins Phase 2k+. Full narrative lands in D7.