Technical, regulatory, and domain terms used in licit and its documentation.
Regulatory terms
| Term | Definition | Context in licit |
|---|---|---|
| EU AI Act | Regulation (EU) 2024/1689. First comprehensive AI regulation worldwide. In force since August 2024, with phased application through 2027. | Regulatory framework evaluated by licit verify --framework eu-ai-act |
| FRIA | Fundamental Rights Impact Assessment. Impact assessment on fundamental rights required by Art. 27 of the EU AI Act for high-risk systems. | Generated with licit fria |
| Annex IV | Annex IV of the EU AI Act. Defines the technical documentation required for AI systems: purpose, design, development, testing, performance. | Generated with licit annex-iv |
| Deployer | Person or organization that deploys an AI system for use. Distinct from the provider who develops it. | licit evaluates deployer obligations (Art. 26) |
| High-risk system | AI system classified as high-risk under Annex III of the EU AI Act. Subject to additional compliance requirements. | The FRIA is mandatory for these systems |
| OWASP Agentic Top 10 | List of the 10 main security risks for applications using AI agents (2025). Published by OWASP Foundation. | Framework evaluated by licit verify --framework owasp |
| NIST AI RMF | AI Risk Management Framework (NIST AI 100-1). NIST's voluntary framework for identifying, measuring, and managing AI risks. | Planned for V1 |
| ISO/IEC 42001 | International standard for AI management systems. Defines requirements for establishing, implementing, and improving AI management systems. | Planned for V1 |
| Compliance rate | Percentage of evaluable requirements that are met. Formula: compliant / (total - n/a - not_evaluated) * 100 | Shown in reports and licit status |
Technical terms
| Term | Definition | Context in licit |
|---|---|---|
| Provenance | Origin and authorship of code. Tracking of which code was written by humans, generated by AI, or a combination. | licit trace analyzes provenance |
| Heuristic | Rule based on observable signals (not certainties) to infer a classification. licit uses 6 weighted heuristics to classify commits as AI/human/mixed. | Heuristics engine in provenance/heuristics.py |
| Attestation | Cryptographic integrity verification. In licit: HMAC-SHA256 for individual records, Merkle tree for batches. | provenance.sign: true in config |
| Merkle tree | Binary tree data structure where each leaf is the hash of a data record and each internal node is the hash of its children. A single root hash allows verifying the integrity of an entire data set. | Used to sign provenance batches |
| HMAC-SHA256 | Hash-based Message Authentication Code built on SHA-256. Keyed authentication tag that proves data has not been altered by anyone without the key. | Signing of individual provenance records |
| SARIF | Static Analysis Results Interchange Format. OASIS standard format for static code analysis results. Version 2.1.0. | Read by VigilConnector |
| SBOM | Software Bill of Materials. Formal inventory of software components. CycloneDX format used by vigil. | Read by VigilConnector (sbom_path) |
| CycloneDX | OWASP standard for SBOM. JSON/XML format for describing software components, their versions, and vulnerabilities. | Supported SBOM format |
| JSONL | JSON Lines. Format where each line is an independent JSON object. | Provenance store (.licit/provenance.jsonl) |
| Merge + Dedup | Store that merges new records with existing ones, keeping only the most recent per file. Prevents unlimited growth. | ProvenanceStore |
AI agent terms
| Term | Definition | Context in licit |
|---|---|---|
| AI agent | AI system that operates semi-autonomously or autonomously to perform tasks. In software development: Claude Code, Cursor, Copilot, Codex, architect. | licit tracks code generated by agents |
| Guardrail | Control that limits the behavior of an AI agent. Examples: protected files, blocked commands, code rules. | Extracted from architect config, counts for compliance |
| Quality gate | Automated verification that must pass before accepting an agent’s output. Examples: lint, typecheck, test. | Extracted from architect config |
| Human review gate | Checkpoint that requires human approval. Example: branch protection with required reviews on GitHub. | Detected from CI/CD config |
| Dry-run | Execution mode that simulates actions without applying changes. Allows previewing agent behavior. | Detected from architect config |
| Rollback | Ability to revert changes made by an agent. Typically via git revert or similar mechanisms. | Detected from architect config |
| Session log | Record of an AI agent’s work session. Contains tools used, files modified, timestamps. | Claude Code session reader |
| Budget limit | Spending limit on tokens/API calls to control an agent’s resource consumption. | Extracted from costs.budget_usd |
| Term | Definition |
|---|---|
| licit | Regulatory compliance CLI tool for teams using AI in software development |
| EvidenceBundle | Dataclass with 18 fields that groups all collected evidence from the project |
| ProjectContext | Dataclass that describes the auto-detected project context (languages, frameworks, CI/CD, etc.) |
| ControlRequirement | An individual requirement of a regulatory framework (e.g., Art. 9(1) of the EU AI Act) |
| ControlResult | Result of evaluating a requirement against the project (status, evidence, recommendations) |
| GapItem | Identified compliance gap with actionable recommendation, estimated effort, and suggested tools |
| Connector | Read-only integration with external tools (architect, vigil) that enriches evidence |
| ConnectorResult | Result of a connector execution (files read, errors) |
| ComplianceFramework | Protocol that defines the interface for regulatory framework evaluators |
| ConfigChange | Change detected in an AI agent configuration file, with MAJOR/MINOR/PATCH severity |