Audit ID: CSVA-20260614-9BE11290 | Generated: 2026-06-17 09:47 UTC
Technical topology, AI density, dependency exposure, and structural health analysis.
L'analyse a révélé la structure physique, et a extrait la densité de l'intelligence embarquée.
| Indicateur DNA | Diagnostic Expert | Valeur / Score |
|---|---|---|
| Topology | 🕸️ MICRO-MESH | See glossary below |
| Code Maturity | MODERATE | Core logic / boilerplate ratio |
| AI Logic Density | 30.0% | AI Density = AI-logic LOC / Total LOC |
| Normalized Complexity Index | 0.05 / 1.0 | Normalized Complexity Index = raw McCabe complexity / max observed. Raw complexity: 1 = trivial, 5-10 = moderate, >20 = high risk. |
| Technical Maturity Index | 78.21 / 100 | Formula: 30% doc coverage + 30% implementation + 20% dependency health + 20% governance |
| Structural Debt | 21.8% | derived from skeleton pattern analysis |
| Deployment Exposure | Cloud indicators detected | Confidence: Moderate — inferred from 7 technical signals (cloud APIs, CDN, remote endpoints). Does not assert actual data residency or hosting location. |
Topology Glossary:
| Type | Criteria | Characteristics |
|---|---|---|
| MONOLITH | < 20 modules | Single deployable unit, low coupling |
| MODULAR | 20–100 modules | Distinct components, moderate coupling |
| MICRO-MESH | > 100 interconnected modules | High modularity, distributed logic |
| DISTRIBUTED | Multi-service architecture | Service boundaries, network communication |
⚠️ DFI ≠ Compliance Score. These are two independent dimensions:
- DFI measures truthfulness — does the documentation make claims the code contradicts?
- Compliance Score measures evidence maturity — how strongly are required controls proven?
A system can have DFI=100% (no false claims) and still score 54/100 (insufficient evidence). Both are expected when governance documentation is absent.
The **Documentation Fidelity Index** measures whether documented controls are contradicted by actual code.
DFI Score : 100.0%
Interpretation : ✅ High Fidelity — no documented controls were contradicted by code.
Formula:
```
DFI = controls_where_DOC_and_CODE_agree / controls_where_DOC_makes_a_claim × 100
DFI = 100% → documentation makes no false claims (but may be silent on many controls)
DFI < 100% → documentation asserts compliance that code does not support (❌ ABSENT risk)
Note: DFI is unaffected by controls absent from both DOC and CODE.
Those are Evidence Coverage Gaps — a separate metric.
```
✅ No true DOC↔CODE contradictions detected — documentation does not claim controls that code contradicts. SCI = 100% is valid.
Evidence gaps (6 shown) — not observed in analysed artefacts:
ℹ️ No evidence of these controls was found in the analysed artefacts (source code, configuration, documentation). This does not assert they are absent from the full system — only that no evidence was detected in the current audit scope. These gaps increase the Evidence Coverage deficit but do not reduce the Documentation Fidelity Index (DFI), since no false claims were detected.
| Control | Article | Status |
|---|---|---|
| Agent Over Privilege | Article 14 | ABSENT |
| Cyber Pickle Risk | Article 15 | ABSENT |
| Error Handling | Article 15 | ABSENT |
| Prompt Guardrail | Article 15 | ABSENT |
| Risk Mitigation | Article 9 | ABSENT |
| Audit Trail | Article 12 | ABSENT |
La Semantic Collision Index (100.00%) mesure les contradictions actives CODE ↔ DOC. Un score élevé indique l'absence de direct collision. L'écart d'intégrité de 100.00% reflète les points sans implémentation technique (promesses documentaires seules), et non des contradictions volontaires.
Software supply chain analysis identified by the collision engine:
Not detectedNoneThese four axes are independent — a system can score well on one axis and poorly on another.
High documentation fidelity (Axis C) does not imply regulatory compliance (Axis A).
| Axis | Score | What it measures |
|---|---|---|
| A — Regulatory Compliance | 79 / 100 | EU AI Act article-level conformance (Art. 9-15 evidence found vs. required) |
| B — Evidence Strength | **72.5 ** | Runtime or static evidence quality (E0-E6 levels) |
| C — Documentation Fidelity | 100.0% | DOC-CODE consistency — DFI / SCI (absence of contradictions, ≠ completeness) |
| D — Technical Maturity | 78.21 / 100 | Software architecture quality (complexity, debt, dependency health) |
⚠️ Reading guide: "Regulatory Compliance = 79/100"
means EU AI Act controls are 79% evidenced across audited articles.
"Documentation Fidelity = 100.0%" means documentation and code are consistent
— it does not mean the system is compliant.
A high Axis C with a low Axis A means: honest documentation of an incomplete implementation**.
Segmentation from static code analysis — must sum to 100%.
| Component | % | Definition |
|---|---|---|
| CORE LOGIC | 32.0% | Weights, prompts, decision algorithms, inference logic |
| STUB_IMPLEMENTATION | 21.8% | Structural code without business value (stubs, generated code, boilerplate) |
| SUPPORT | 16.7% | API connectors, database drivers, interfaces |
| OTHER / UNCLASSIFIED | 29.5% | Documentation, config, test infrastructure |
Expert Note: Architecture topology detected: 🕸️ MICRO-MESH.
✅ Balance between sovereign code and third-party services is acceptable.
Structural debt of 21.8% (derived from skeleton pattern analysis) requires technical documentation update to reflect actual system state (Art. 11).
# 🧠 SANTÉ TECHNIQUE DE L'ACTIF
REQUIRES_REVIEW
UNCERTAIN_COMPLIANCE
57.2 / 100
MEDIUM
Hybrid state requiring additional audit
LEGAL STATUS: TECHNICAL EVIDENCE REPORT — This document is an automated factual report. It documents technical alignment with EU AI Act control points. It does not constitute legal advice or regulatory certification.