Validation — Deep Reference (Gated)
Gated content notice. This page is part of the gated reference surface. Distribution restricted by NDA. Do not mirror to public channels.
Edition gate
Requires NextPDF Enterprise. Get a license.
License feature flag
The Validation/Evidence surface is gated by the enterprise.compliance.evidence capability (Enterprise edition tier). Entitlement resolves through the standard Enterprise path; a denied entitlement denies the feature rather than degrading silently.
Behavior contract
Compliance::assess(string $pdfData, CompliancePolicy $policy, array $context = []): ComplianceReport (static) and Compliance::run(...) (instance, DI-friendly with an injectable Psr\Clock\ClockInterface) apply exactly one policy and return a ComplianceReport. Externally observable rules:
- Pure read-only. Every `CompliancePolicy::validate(string $pdfData, array $context = []): list<ComplianceFinding>` is a pure function: bytes in, findings out. A policy never mutates PDF bytes. This is an architectural invariant that keeps validation distinct from auto-fix.
- Severity gate. `ComplianceReport::passes` is true only when `errors === []`. Warnings and infos never fail a report. `fails` is the complement.
- Mandatory disclaimer. `ComplianceReport::getDisclaimer` returns the constant legal-disclaimer text; surfacing it in user-facing output is required by the contract.
- Structural-only signature checks. `LtvHealthCheck` checks DSS structural presence per ISO 32000-2:2020 §12.8.4.3; it does not cryptographically verify embedded OCSP/CRL data. `Policies::eidasQualified` validates PAdES structure at the PDF level only — qualification depends on the TSP and qualified certificate, which are outside this module.
- Regulated-industry policies are structural. `FdaPart11Policy` and `Sec17a4WormPolicy` check structural attributes (signature presence, /Reason intent, /M signing time, /Name identity, no JavaScript, audit-trail namespace and hash-chain presence; WORM/DocMDP constraints). They do not establish legal compliance. `Sec17a4WormPolicy` exposes selectable strictness (Full / Compatible / Structural / PreSign).
Public API surface
Install the package:

```shell
composer require nextpdf/enterprise:^3
```

Public signatures (declarations only; bodies omitted):

```php
namespace NextPDF\Enterprise\Validation;

final readonly class Compliance
{
    public function __construct(?\Psr\Clock\ClockInterface $clock = null);
    public function run(string $pdfData, CompliancePolicy $policy, array $context = []): ComplianceReport;
    public static function assess(string $pdfData, CompliancePolicy $policy, array $context = []): ComplianceReport;
}

final class Policies
{
    public static function pdfA4(): CompliancePolicy;          // also pdfA4e, pdfA4f
    public static function padesBaseline(): CompliancePolicy;  // also eidasQualified
    public static function ltvHealth(): CompliancePolicy;
    public static function zugferd(string $profile = 'BASIC'): CompliancePolicy;
    public static function fdaPart11(): CompliancePolicy;
    public static function sec17a4(): CompliancePolicy;        // + Compatible/Structural/PreSign
}

final readonly class ComplianceReport
{
    public const string LEGAL_DISCLAIMER;
    public function passes(): bool;
    public function fails(): bool;
    public function totalFindings(): int;
    public function getDisclaimer(): string;
}
```

Conformance
These policies check structural attributes against the named standards. The verdict of conformance for ISO/ETSI profiles remains a property of the final file plus an external validator.
| Behavior | Reference |
|---|---|
| Conformance determined against the standard, not the producer | ISO 19005-4:2020 §5.2 |
| Digital signature dictionary / DSS for long-term validation | ISO 32000-2:2020 §12.8 |
| PAdES baseline signature levels | ETSI EN 319 142-1 §5.4.3 |
| EN 16931 profile semantic model (supporting reference) | Factur-X 1.08 (EN 16931) |
The FDA 21 CFR Part 11 and SEC 17a-4 policies check structural attributes only; those regulations are outside the verification corpus and carry no Verified conformance claim. The EN 16931 row is a supporting reference (below the Tier-B retrieval floor); it is not a hard conformance claim. NextPDF holds no certification and grants none.
Edge cases & FIPS-mode behavior
- A non-PDF or empty input yields error findings rather than an exception in most policies; always check `passes` and the disclaimer.
- `zugferd($profile)` normalizes profile aliases (`BASIC_WL`, `EN16931`); an unknown profile raises an enum error.
- These policies perform no signing or verification. FIPS-mode algorithm policy and cryptographic validity are governed by the Security and Signature modules.
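The script below is an added, stand-alone model of the behavior contract and the edge cases above (read-only policies, the severity gate, error findings for empty or non-PDF input, the mandatory disclaimer); it is example code, not the NextPDF classes. Everything in the `Example\` namespace (`Severity`, `Finding`, `Policy`, `Report`, `HeaderPolicy`, `Assessor`, the sample byte strings, the `summaryForLog` helper) is constructed for the illustration; only the method names `validate`, `passes`, `fails`, `totalFindings` and `getDisclaimer` mirror the public reference. It requires PHP 8.2 or later and no packages.

```php
<?php
declare(strict_types=1);

// Stand-alone model of the Validation behavior contract (PHP 8.2+).
// Everything here is constructed for illustration; these are NOT the
// NextPDF\Enterprise\Validation classes. Only the method names mirror the reference.
namespace Example;

enum Severity: string
{
    case Error = 'error';
    case Warning = 'warning';
    case Info = 'info';
}

final readonly class Finding
{
    public function __construct(public Severity $severity, public string $rule, public string $message) {}
}

interface Policy
{
    /** Pure function: bytes in, findings out. A policy never writes or mutates anything. */
    public function validate(string $pdfData, array $context = []): array;
}

final readonly class Report
{
    public const LEGAL_DISCLAIMER = 'Structural check only; not a conformance certificate or legal opinion.';

    /** @param list<Finding> $findings */
    public function __construct(private array $findings) {}

    /** @return list<Finding> */
    private function bySeverity(Severity $severity): array
    {
        return array_values(array_filter($this->findings, fn (Finding $f) => $f->severity === $severity));
    }

    // Severity gate: only error findings fail a report; warnings and infos never do.
    public function passes(): bool { return $this->bySeverity(Severity::Error) === []; }
    public function fails(): bool { return !$this->passes(); }
    public function totalFindings(): int { return count($this->findings); }
    public function getDisclaimer(): string { return self::LEGAL_DISCLAIMER; }

    /** Minimized summary for logs and retention: verdict and per-severity counts only.
     *  Finding messages are left out because they may quote signer names or audit metadata. */
    public function summaryForLog(): array
    {
        $summary = ['passes' => $this->passes()];
        foreach (Severity::cases() as $severity) {
            $summary[$severity->value] = count($this->bySeverity($severity));
        }
        return $summary;
    }
}

/** Hypothetical structural policy: %PDF- header, %%EOF marker, JavaScript presence. */
final class HeaderPolicy implements Policy
{
    public function validate(string $pdfData, array $context = []): array
    {
        // Empty or non-PDF input becomes error findings, not an exception.
        if ($pdfData === '') {
            return [new Finding(Severity::Error, 'input.empty', 'Input is empty')];
        }
        $findings = [];
        if (!str_starts_with($pdfData, '%PDF-')) {
            $findings[] = new Finding(Severity::Error, 'header.missing', 'No %PDF- header');
        }
        if (!str_contains($pdfData, '%%EOF')) {
            $findings[] = new Finding(Severity::Error, 'eof.missing', 'No %%EOF marker');
        }
        if (str_contains($pdfData, '/JavaScript')) {
            // A warning in this model; it never flips passes() on its own.
            $findings[] = new Finding(Severity::Warning, 'javascript.present', 'Document references /JavaScript');
        }
        return $findings;
    }
}

final class Assessor
{
    /** Applies exactly one policy and wraps its findings; the bytes are only ever read. */
    public static function assess(string $pdfData, Policy $policy, array $context = []): Report
    {
        return new Report($policy->validate($pdfData, $context));
    }
}

// Constructed sample inputs (not real PDFs; just enough bytes to exercise each rule).
$samples = [
    'minimal' => "%PDF-1.7\n1 0 obj <</Type /Catalog>> endobj\ntrailer <</Root 1 0 R>>\n%%EOF\n",
    'with-js' => "%PDF-1.7\n1 0 obj <</Type /Catalog /Names <</JavaScript 2 0 R>>>> endobj\n%%EOF\n",
    'not-pdf' => "GIF89a\x01\x00\x01\x00",
    'empty'   => '',
];

foreach ($samples as $name => $bytes) {
    $report = Assessor::assess($bytes, new HeaderPolicy());
    printf("%-8s passes=%-5s findings=%d summary=%s\n", $name,
        var_export($report->passes(), true), $report->totalFindings(), json_encode($report->summaryForLog()));
}
// The disclaimer must reach the user-facing output, not only the log.
echo $report->getDisclaimer(), PHP_EOL;
```

Running it prints `minimal` and `with-js` as passing (the JavaScript warning counts as a finding but does not fail the report), `not-pdf` as failing with two error findings, and `empty` as failing with one; no input throws. Against the real module the equivalent call is `Compliance::assess($bytes, Policies::pdfA4())`, or `(new Compliance($clock))->run(...)` when an injected `Psr\Clock\ClockInterface` is wanted, followed by the same `fails()` / `getDisclaimer()` handling.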
NDA scan status
This gated page references the public package contract and externally observable behavior only. It contains no internal namespace paths beyond the public supported class names already listed, no internal trait names, no per-policy rule internals, no runbook filenames, and no internal ticket prefixes. Attested in the co-located NDA checklist.
Core fallback
NextPDF Core Compliance ships byte-stream validators and a grammar cross-check; a zero-finding result is a checked result, not a certificate. The pre-built archival, signature, LTV, and regulated-industry policies with a unified report have no Core-tier equivalent.
Pro fallback
NextPDF Pro Compliance validates EN 16931 / Factur-X / ZUGFeRD in process at the e-invoice layer. It does not provide the pre-built PDF/A-4, PAdES, LTV, FDA Part 11, or SEC 17a-4 structural policies; those ship in the nextpdf/enterprise package only. The Enterprise Compliance external-sidecar surface is a separate, distinct module.
Enterprise boundary note
The entry point, the policy factory, and the report are described at the behavior level. The per-policy rule internals and any internal classification detail are out of scope and are not reproduced here. Cryptographic signature validity is deliberately not in scope — it is the Signature and Security modules’ responsibility.
Deployment boundary
Validation runs in process and local with no network I/O; a policy cannot alter the input. The operator treats PDF bytes from untrusted sources as hostile, surfaces the mandatory report disclaimer in user-facing output, and owns retention and minimization controls for reports and findings, which may carry personal data from signed documents and audit-trail metadata.
Legal-compliance boundary
This module is flagged export_control_class: legal-review-required; legal sign-off is required before any publish: true. Support for a standard is not conformance to it, and conformance is not certification — NextPDF holds no certification and grants none. The FDA 21 CFR Part 11 and SEC 17a-4 policies check structural attributes only and do not establish legal compliance. This reference is not a legal opinion; consult your compliance team for legal sufficiency.