Compliance — Deep Reference (Gated)
Gated content notice. This page is part of the gated reference surface. Distribution restricted by NDA. Do not mirror to public channels.
Edition gate
Requires NextPDF Enterprise. Get a license.
License feature flag
The Compliance/Evidence surface is gated by the enterprise.compliance.evidence capability (Enterprise edition tier). The capability resolves through the standard Enterprise entitlement path; a missing or expired entitlement denies the feature, it does not silently downgrade behavior.
Behavior contract
ComplianceGateway::validate(string $pdfContent, ComplianceProfile $profile, array $options = []): ?ExternalValidationResult resolves the registered ExternalValidator whose getToolName() matches ComplianceProfile::toolName(), checks isAvailable(), delegates to it, and returns a normalized ExternalValidationResult. Externally observable rules:
- Fail-closed default. If the resolved sidecar is unavailable and optional mode is off, the call raises ComplianceSidecarUnavailableException. The document is not checked; it is never treated as passed.
- Optional mode. When optional mode is enabled (environment-controlled), an unavailable sidecar produces a logged warning and a null return. Callers must treat null as "not checked".
- Unknown profile. A profile with no registered validator raises an argument error; it never silently passes.
validateAllProfiles(string $pdfContent, string $toolName): list<ExternalValidationResult> runs every profile mapped to one tool and returns only the results that were produced (nulls are skipped). healthCheck(): array<string,bool> reports per-tool reachability without validating a document. ComplianceGateway::buildComplianceMatrix(list<ExternalValidationResult> $results, string $commitSha): array<string,mixed> is a static reducer that produces a schema-versioned matrix carrying tool versions and a commit SHA for traceability. It records tool output; it asserts nothing.
ExternalValidationResult exposes profile, toolName, conformant, assertionsChecked, nonConformances (list<NonConformance>), pdfSha256, validatedAt, durationMs, plus passes and nonConformanceCount. AiReadyCertifier::certify(string $pdfBytes): array{0: AiReadyCertification, 1: string} returns a readiness assessment and stamped bytes; the second element equals the input unchanged when the level is not_certified. The “certified” level is a NextPDF-internal readiness label, not a standards certification.
VeraPdfValidator parses only JSON sidecar responses (no XML; XXE-clean by construction). DssValidator and ZugferdExternalValidator follow the same ExternalValidator contract over a PSR-18 client.
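The behavior contract above, seen from the caller's side, as an added example (not NextPDF code): the exception path and the optional-mode null path both end in "not accepted", so optional mode can never become an implicit pass. It assumes ComplianceSidecarUnavailableException lives in the public Compliance namespace and that passes() is the derived accessor the page lists on ExternalValidationResult.

```php
<?php
declare(strict_types=1);

use NextPDF\Enterprise\Compliance\ComplianceGateway;
use NextPDF\Enterprise\Compliance\ComplianceProfile;
use NextPDF\Enterprise\Compliance\ComplianceSidecarUnavailableException; // assumed namespace
use NextPDF\Enterprise\Compliance\ExternalValidationResult;
use Psr\Log\LoggerInterface;

/**
 * Caller-side gate around ComplianceGateway (added example, not NextPDF code).
 * A document is accepted only when a result came back AND it passes.
 */
final class ConformanceDecision
{
    public function __construct(
        private readonly ComplianceGateway $gateway,
        private readonly LoggerInterface $logger,
    ) {}

    /** @return array{accepted: bool, status: string, result: ?ExternalValidationResult} */
    public function decide(string $pdfContent, ComplianceProfile $profile): array
    {
        try {
            $result = $this->gateway->validate($pdfContent, $profile);
        } catch (ComplianceSidecarUnavailableException $e) {
            // Fail-closed default: the sidecar was unreachable, so nothing was validated.
            $this->logger->error('compliance sidecar unavailable', [
                'profile' => $profile->value, 'reason' => $e->getMessage(),
            ]);
            return ['accepted' => false, 'status' => 'sidecar_unavailable', 'result' => null];
        }
        if ($result === null) {
            // Optional mode: null means "not checked", which is never "passed".
            return ['accepted' => false, 'status' => 'not_checked', 'result' => null];
        }
        // Assumption: passes() is the derived accessor named on this page.
        $passes = $result->passes();
        return ['accepted' => $passes, 'status' => $passes ? 'conformant' : 'non_conformant', 'result' => $result];
    }

    /** Traceable evidence for one tool: only produced results, tied to the build's commit SHA. */
    public function evidence(string $pdfContent, string $toolName, string $commitSha): array
    {
        $results = $this->gateway->validateAllProfiles($pdfContent, $toolName);
        return ComplianceGateway::buildComplianceMatrix($results, $commitSha);
    }
}
```

The matrix returned by evidence() records what the sidecar reported and asserts nothing; the accept/reject decision stays in decide().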
Public API surface
composer require nextpdf/enterprise:^3

```php
namespace NextPDF\Enterprise\Compliance;

final class ComplianceGateway
{
    public function __construct(array $validators, \Psr\Log\LoggerInterface $logger, bool $optional = false);
    public function validate(string $pdfContent, ComplianceProfile $profile, array $options = []): ?ExternalValidationResult;
    public function validateAllProfiles(string $pdfContent, string $toolName): array;
    public function healthCheck(): array;
    public static function buildComplianceMatrix(array $results, string $commitSha): array;
}

enum ComplianceProfile: string
{
    // PdfA1b..PdfA4f, PdfUa1, PdfUa2, Pdf20Arlington,
    // PadesBasic..PadesArchive, Zugferd24, FacturX108, En16931
    public function standardReference(): string;
    public function toolName(): string;
}

interface ExternalValidator
{
    public function getToolName(): string;
    public function isAvailable(): bool;
    public function validate(string $pdfContent, ComplianceProfile $profile, array $options = []): ExternalValidationResult;
}
```

Conformance
The gateway delegates the conformance verdict to an external tool; the design reflects the standards’ own boundary that conformance is determined against the requirements, not asserted by a producer.
| Behavior | Reference |
|---|---|
| Conforming-processor obligation; conformance determined against the standard | ISO 19005-4:2020 §5.2 |
| PDF/A-4 file requirements vs. producer self-assertion | ISO 19005-4:2020 §6.6.4 |
| PDF/UA-2 conformity is a property of the file | ISO 14289-2:2024 §6 |
| PAdES baseline signature levels | ETSI EN 319 142-1 §5.4.3 |
The external tool produces the verdict. NextPDF holds no certification and grants none.
Edge cases & FIPS-mode behavior
- Sidecar timeout or non-200 response surfaces through the validator as an availability failure; the fail-closed default applies.
- A malformed sidecar JSON body is a validation failure of the call, not a conformance pass.
- This module performs no signing or key custody. FIPS-mode algorithm policy is governed by the Security and Signature modules; signature conformance is delegated to EU DSS, which makes its own determination.
NDA scan status
This gated page references the public package contract and externally observable behavior only. It contains no internal namespace paths beyond the public supported class names already listed, no internal trait names, no per-sidecar bridge internals, no runbook filenames, and no internal ticket prefixes. Attested in the co-located NDA checklist.
Core fallback
NextPDF Core Conformance / Compliance runs in-process byte-stream and grammar checks but does not delegate to an external sidecar and does not certify the result. The external validator gateway has no Core-tier equivalent.
Pro fallback
NextPDF Pro Compliance validates EN 16931 / Factur-X / ZUGFeRD in process with no external sidecar. The Pro in-process e-invoice validator and the Enterprise external ZUGFeRD sidecar are distinct surfaces; the external validator gateway ships in the nextpdf/enterprise package only.
Enterprise boundary note
The gateway, the profile-to-tool resolution, the fail-closed policy, and the result normalization are described at the behavior level. The per-sidecar bridge internals and the tool-specific response translation are out of scope and are not reproduced here.
Deployment boundary
The full PDF byte stream is transmitted to the configured sidecar over a PSR-18 client. The operator hosts and operates the sidecars, pins them, restricts their network reach, validates their TLS, and controls the environment that enables optional mode. Sidecar endpoints are a trust boundary; residency and retention controls for documents, results, and logs are the operator’s responsibility.
Legal-compliance boundary
This module is flagged export_control_class: legal-review-required; legal sign-off is required before any publish: true. The external tool produces the verdict — NextPDF holds no certification and grants none, and support for a profile is not conformance to it. This reference is not a legal opinion; consult your compliance team to judge regulatory sufficiency.
See also
- Validation — Deep Reference
- Evidence — Deep Reference
- Pro Compliance — in-process e-invoice (distinct surface)
- Core Conformance