Inline cross-references throughout compliance reference

Replaced bottom-of-section 'See also' blocks with inline Org-mode file: links
at the first natural mention of each concept, wiki-style. Links now live in
the body text — compute-marketplace, verification-monopoly, domain-gate-packages,
infrastructure-lock-in, evaluation-harness all linked at their first relevant
usage per section.

ideas/passepartout-economics/compliance-framework-reference.org

@@ -40,13 +40,13 @@ imprisonment). State AGs can also bring civil actions.
 ** Why it matters for the triad
 
 HIPAA is the largest single compliance market in US healthcare — every hospital,
-clinic, insurer, and health-tech vendor must comply. The gate package for HIPAA
+clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
 ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
 constraints. Every PHI access attempt passes through the gate stack, producing
 a machine-checkable audit trail that satisfies the Security Rule's audit control
-requirement automatically. No separate logging infrastructure needed.
+requirement automatically. No separate logging infrastructure needed. Over a
-
+five-year deployment, the accumulated fact store and proof history create
-See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]]
+[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
 
 * SOC 2 (System and Organization Controls 2)
 
@@ -85,14 +85,14 @@ enterprise customers. Misrepresentation of certification status is fraud.
 
 ** Why it matters for the triad
 
-SOC 2 is the entry-level certification for the compute marketplace. A provider
+SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
 needs SOC 2 Type II to sell compute to enterprises whose procurement policy
 requires audited vendors. The gate stack itself maps directly to the Security
 criterion (access controls, audit trails) — the Passepartout instance's
 deterministic gate log serves as the evidence artifact for the audit. No
-separate logging SIEM needed.
+separate logging SIEM needed. This is the prerequisite to the larger
-
+[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
-See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:verification-monopoly.org][Verification monopoly]]
+buy domain-specific gate packages for the same infrastructure.
 
 * GDPR (General Data Protection Regulation)
 
@@ -132,13 +132,14 @@ of action for damages.
 GDPR is the most extraterritorial and aggressively enforced privacy framework.
 The gate stack's principle of least privilege maps naturally to GDPR's data
 minimization requirement. Every data access is gated by a verified rule that
-states the purpose — the proof log is a built-in DPIA artifact. For the compute
+states the purpose — the proof log is a built-in DPIA artifact. For the
-marketplace: a provider processing proofs on EU users' gate data must maintain
+[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
-DPAs with all clients. Proof logs themselves may constitute personal data if
+maintain DPAs with all clients. Proof logs themselves may constitute personal
-they reference natural persons (names in access rules, etc.), creating a
+data if they reference natural persons (names in access rules, etc.), creating
-demand for privacy-preserving proof techniques.
+a demand for privacy-preserving proof techniques. This is why the
-
+[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
-See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:domain-gate-packages.org][Domain gate packages]]
+purpose-boundary gate rules that are independently verified by the provider's
+[[file:evaluation-harness.org][evaluation harness]].
 
 * FedRAMP (Federal Risk and Authorization Management Program)
 
@@ -181,14 +182,17 @@ contracts. FedRAMP is a procurement gate, not a regulatory one.
 FedRAMP is the highest bar and the most expensive certification to obtain.
 Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
 But those that do capture the US government market with minimal competition.
-For the triad: a compute marketplace provider with FedRAMP Moderate or High
+For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
 authorization can sell to every federal agency. The gate stack's deterministic
 audit trail maps directly to FedRAMP's continuous monitoring requirement —
 producing verifiable evidence of control effectiveness on every access, not
-just during the annual assessment. FedRAMP gate package: $100K/yr (highest),
+just during the annual assessment. This is what justifies the
-reflecting the certification cost.
+[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
-
+package, it is the evidence pipeline for a certification that costs $1M-$5M
-See also: [[file:verification-monopoly.org][Verification monopoly]], [[file:domain-gate-packages.org][Domain gate packages]]
+and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
+applies hardest here: an agency that has relied on a FedRAMP-authorized compute
+provider for five years cannot switch without re-running the entire authorization
+process with a new provider.
 
 * What Each Framework Means for Revenue