ECZ-ID Compliance Risk

EcoCitizenz

Surface operational-resilience and audit-evidence gaps — without claiming compliance.

Free, local-first. No source upload. No sign-in to run a check.

  • Surfaces operational-resilience and audit-evidence artefacts.
  • Plain-English posture per evidence gap.
  • Routes to Resolver lookup and supported setup.

What you can do in under a minute

  1. Open or scan the workspace — run ECZ-ID Compliance Risk: Scan Workspace.
  2. Review findings in plain English — grouped, with neutral posture.
  3. Open Resolver guidance or continue supported setup where relevant.

What it looks for

  • Operational-resilience and audit/evidence artefacts (policies, control docs).
  • Evidence references relevant to frameworks such as DORA — without judging compliance.
  • Whether a resolver reference is present for the evidence surface.

What results mean

Results describe public-proof posture, never a safety, approval, certification or compliance verdict:

resolvable · partial public proof · no public proof reference found yet · review recommended · re-check before reliance · your local policy decides.

There is no “pass/fail”. Local policy decides what is sufficient, and you should re-check before reliance.

Recommended next steps

  • Inspect the finding — plain-English detail, no verdict.
  • Copy verification guidance — a claim-free snippet you can share.
  • Open Resolver — read-only public proof lookup.
  • Continue supported setup — hand off to TrustOps (metadata only).
  • Open documentation — Developer Gateway.
  • Re-check later — re-run before you rely on a result.

Privacy & permissions

| Question | Answer |
| --- | --- |
| Files read | Filenames and paths during a normal scan |
| File contents read | No — except a file you explicitly target (e.g. an ecz-*.json you ask to validate) |
| Selected text read | No |
| Anything uploaded | No source, prompts, secrets or tool payloads leave your device |
| Network destinations | Only the links you click (Resolver / TrustOps / Developer Gateway) open in your browser |
| Telemetry | None |
| Retention | None — no caller data is stored or persisted |
| Local storage | Minimal extension state only |
| Workspace Trust | Respected; scanning is gated by VS Code Workspace Trust |

See the bundled PRIVACY.md for the full notice.

Frequently asked questions

Is this extension free?

Yes. Every local check is free — you never need to sign in or pay to run one.

Does it upload my source code?

No. No source, prompts, secrets or tool payloads ever leave your device, and there is no telemetry.

Does it read my file contents?

It reads filenames and paths during a scan. It only reads the contents of a file you explicitly ask it to inspect (for example an ecz-*.json you choose to validate).

Does a missing proof reference mean something is unsafe?

No. “No public proof reference found yet” is neutral — it is not a verdict of “unsafe”. It only means resolver-verifiable public proof was not detected.

What does Resolver do?

Resolver is a read-only public proof lookup. The extension can open it so you can check public proof yourself; the extension never writes, activates or decides anything.

Do I need an ECZ-ID before using the extension?

No. You can run every local check without one. An ECZ-ID is only relevant if you later choose supported setup in TrustOps.

What happens when I continue supported setup?

The extension hands off to TrustOps with metadata only. It runs no checkout itself; TrustOps handles acquisition, setup and lifecycle.

Can this extension make a compliance or approval decision?

No. It surfaces posture and routes you to proof. Local policy decides sufficiency; it never certifies, approves or guarantees.

Does it certify DORA compliance?

No. It makes no compliance claim and certifies nothing. It surfaces operational-resilience and audit-evidence gaps for your review.

What evidence artefacts can it surface?

Operational-resilience and audit-evidence references found in local files; it never asserts they satisfy any regulation.

What it does not do

  • No source / prompt / secret upload, and no telemetry.
  • Writes no canonical truth, decides no BOUND state, creates no entitlement.
  • Makes no safety, approval, certification or compliance claim. Never claims DORA, regulatory or legal compliance, and makes no compliance verdict. It surfaces evidence gaps for your review.
  • Runs no checkout or payment — commercial actions happen only in TrustOps.

Install & first use

  1. Install ECZ-ID Compliance Risk from the Visual Studio Marketplace (publisher EcoCitizenz).
  2. Open a project and trust the workspace.
  3. Run ECZ-ID Compliance Risk: Scan Workspace and review the grouped findings.

Links & support

  • Resolver (read-only proof): https://resolver.ecocitizenz.org
  • TrustOps (supported setup): https://trustops.ecocitizenz.com/start
  • Developer Gateway (docs & support): https://developers.ecocitizenz.com
  • Privacy: see the bundled PRIVACY.md file

ECZ-ID is an independent project and is not affiliated with or sponsored by Microsoft, GitHub, VS Code, OpenAI, Anthropic, Google, or AWS. ECZ-ID helps make identity, authority, and resolver posture easier to review. Local policy decides whether this is sufficient.
