OCSS v1.0 — Draft
Receipt
Cryptographically signed events and regulatory reporting.
What Receipt does
One signed receipts layer for every regulator request.
When a state AG, the FTC, or a plaintiff’s attorney asks “show me every block enforced for jurisdiction X under provision Y in the last 90 days,” most platforms can’t answer. Their enforcement events live in a dozen logs across a dozen systems with no chain-of-custody, no signature, and no statute citation.
Receipt is the receipts layer. Every Phosra enforcement decision — every block, every consent grant, every age signal verification, every CSAM detection — is cryptographically signed at the moment it happens, stamped with the statute citation that triggered it, and held in a tamper-evident append-only log. State AG submission portals, NCMEC’s CyberTipline, and the EU eSafety commission reporting channels read directly from Receipt.
A platform’s response to a regulator goes from a six-week subpoena exercise to a 30-second query. The chain-of-custody required for litigation evidence (CA AB 2, NY S8102) is built into every event by default.
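The signing, tamper-evidence and regulator query described above, sketched as an added example; it is not Phosra's code or the OCSS event format. The field names, event kinds and key are hypothetical, the sample events are constructed, and HMAC-SHA256 stands in for the asymmetric signature a regulator would verify against a public key.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stand-in for the real signing key
GENESIS = "0" * 64             # "previous hash" of the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log, kind, jurisdiction, statute, ts):
    """Append one enforcement event, chained to the previous entry and signed."""
    body = {"seq": len(log), "ts": ts, "kind": kind, "jurisdiction": jurisdiction,
            "statute": statute, "prev": log[-1]["hash"] if log else GENESIS}
    h = _digest(body)
    sig = hmac.new(KEY, h.encode(), hashlib.sha256).hexdigest()
    log.append({**body, "hash": h, "sig": sig})

def verify_log(log):
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
        expected_sig = hmac.new(KEY, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev") != prev
                or _digest(body) != entry["hash"]
                or not hmac.compare_digest(expected_sig, entry["sig"])):
            return i
        prev = entry["hash"]
    return None

def regulator_query(log, kind, jurisdiction, statute, since_ts):
    """Answer a regulator request only from a log that verifies end to end."""
    bad = verify_log(log)
    if bad is not None:
        raise ValueError(f"log fails verification at entry {bad}")
    return [e for e in log if e["kind"] == kind and e["jurisdiction"] == jurisdiction
            and e["statute"] == statute and e["ts"] >= since_ts]

def build_sample_log(now):
    """Constructed sample events; statute labels are taken from the page's list."""
    log, day = [], 86400
    append_event(log, "block", "CA", "CA AB 2", now - 120 * day)
    append_event(log, "block", "CA", "CA AB 2", now - 30 * day)
    append_event(log, "consent_grant", "NY", "NY S8102", now - 10 * day)
    append_event(log, "block", "CA", "CA AB 2", now - 2 * day)
    return log

if __name__ == "__main__":
    now = 1_750_000_000  # constructed timestamp
    log = build_sample_log(now)
    print(len(regulator_query(log, "block", "CA", "CA AB 2", now - 90 * 86400)))
```

The chain catches edited, reordered and removed-from-the-middle entries, but not entries dropped from the tail; detecting that requires the latest entry hash to be anchored somewhere outside the log.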
How partners plug in
Receipt is a socket. Signed events flow out. Regulator portals read directly.
These are the downstream regulator submission channels and attestation frameworks Receipt writes to — either shipping today, in conversation with a partner, or pending an upstream pilot.
Standards & laws
What Receipt does for each statute.
- 18 U.S.C. § 2258A (CSAM mandatory reporting) — produces the signed event submission package.
- CA AB 1700 (eSafety commissioner reporting) — auto-routes to the state reporting channel.
- CA AB 2 + NY S8102 (platform liability evidence) — captures and preserves harm-event traces.
- FTC consent decrees + Disney 2025 settlement — produces the audit-trail compliance report.
- EU DSA Art. 24 (transparency reporting) — generates the periodic transparency dump.
- Australia eSafety Commissioner (BOSE Codes) — formats reports per the Australian schema.
- 18 U.S.C. § 2258B — preserves CSAM-detection chain-of-custody for prosecution.
Conformance
Adopter Tier 1 certification.
To ship Receipt conformance for Adopter Tier 1 certification, your implementation must pass the Receipt suite. The test count is still in draft and is coming Q3 2026. The suite covers cryptographic signature integrity, statute-citation correctness, append-only log tamper-evidence, and regulator-portal submission interop.
We are co-authoring the suite with our design partners. If you want a seat at the table while the bar is being set, reach out.
Rule list
The 8 rules Receipt ships
Every rule below is implemented by this capability. Pulled directly from the rule registry.
- Intermediary Signature
- Minor Data Sale Audit Log — Signs and archives an audit log for every minor data transaction; regulators replay against the log.
- Parental Attestation Certificate — Emits a signed parental-attestation certificate every regulator can verify against the Charter's public key.
- Sender Signature
- AI Toy Safety Certification — Requires AI-enabled toys to present a current safety certification before activation in a household with minors.
- CSAM Reporting — Automates detection and reporting workflows for child sexual abuse material across platforms.
- eSafety Commission Reporting — Streams enforcement events to the Australian eSafety Commission's required reporting endpoint.
- Platform Liability Evidence Capture — Captures and signs evidence of platform compliance posture for use in adopter liability defense.