Pub. L. 119-83 · M-25-21 · M-25-22 · FAR 19

Federal AI compliance, shipped as code.

Ten reference implementations for SBIR pre-award screening, M-25-21 AI inventories, Strategic Breakthrough Award eligibility, Phase III sole-source justifications, M-25-22 chatbots, and the rest of the gaps the 2025–2026 statutes created — installable as plugins, MCP servers, and skills.

$ npm install @dbrf/screen
Phase 1 Ship: 2026 Q2
Denial Lists Live: 5/8
Gates Cleared: 100%
Namespace: @dbrf

01 / Problem

The statutes shipped. The tooling didn't.

Five distinct gaps, five distinct surfaces. The vendors selling "compliance" are selling dashboards, frameworks, and CRMs — none of them ship the actual statutory check.

01 / Pre-award screening Pub. L. 119-83

Eight statutory denial lists added to SBIR/STTR pre-award.

NIH already enforces them via NOT-OD-26-074. Miss a list and the award goes away. Most applicants are running the checks in spreadsheets — or running a subset, or not running them at all.

02 / Inventory mandate OMB M-25-21

AI use case inventories required with no template, skill, or workflow.

Every covered agency owes one. GAO-26-107828 Recommendation 1 is still open at most CFO Act agencies. The procurement cycle for "a new platform" is longer than the deadline.

03 / Chatbot bar OMB M-25-22

Agency-side chatbots must clear risk, rights-impact, refusal, and audit.

Generic LLM deployments don't clear the bar. Custom deployments cost a year and seven figures. Most agencies sit between the two with no compliant option in the middle.

04 / Phase II → III FAR 19.1306

Sole-source justifications written from scratch, every time.

FAR 19.1306 is the rule. The GAO bid-protest corpus is the precedent. Most COs don't have a co-pilot — and the capability dies in the gap between Phase II completion and Phase III award.

05 / The market gap across all four

The vendors selling "compliance" sell dashboards, frameworks, and CRMs.

None of them ship the check. The reference implementation is missing — and that's the layer that the statutes actually require, the one that turns "we have a framework" into "we ran the screen, here are the artifacts, here are the citations."

02 / Approach

The missing reference implementations.

Ten products under one namespace, distributed as plugins, MCP servers, and skills the ecosystem can install, fork, or embed. No platform. No SaaS portal. No vendor lock-in.

01

One namespace, ten products.

Every product lives under @dbrf on npm and dbrf/<Name> everywhere else. Same auth, same MCP surface, same skill conventions.

02

Citations are the API contract.

Each check maps to a numbered statute, memo, GAO recommendation, or FAR section. The code's docstring is the citation. When the law changes, the version bumps.

03

Three distribution surfaces.

npm package, MCP server, Claude/Copilot skill. Run from your CLI, your CI, your agent, or your existing developer tooling. Same logic underneath.

04

Four audiences, one map.

Applicants run six. Agencies run three. Program offices and COs run one. Investors back the portfolio. The map is below — and each product is built for a specific buyer.

05

Phased openly.

Phase 1 ships 2026-Q2. Phase 2: 91–180 days. Phase 3: 181–365 days. Every product carries a dated phase, a stated gap, and a public design-partner path. No vapor.

03 / The Ten Products

One namespace. Ten products. Four buyers.

Organized by audience. Phase, ship window, and statutory citation noted on each card. Each product has its own page with the full spec.

SEG_01 / APPLICANTS & AWARDEES

For SBIR/STTR applicants and awardees.

Products 06 / 10 in this segment

The pre-award and post-award surfaces a small business actually touches: foreign-risk screening, eligibility checks, OSDBU capability packs, reviewer-rubric mirrors, debrief parsing, and continuous monitoring against the eight statutory denial lists.

dbrf/Screen PHASE 1 · Q2'26

Pre-award denial-list scan.

Run the eight Pub. L. 119-83 denial lists against your application before you submit — so a foreign-risk hit doesn't kill a six-month proposal.

5 of 8 lists in production today; all decision gates cleared. Remaining: CMIC, OFAC SDN, TSDN — shipping Q2 2026.

npm install @dbrf/screen

dbrf/Bridge PHASE 1 · Q2'26

Strategic Breakthrough eligibility.

Test eligibility against Pub. L. 119-83 §3 before you spend a quarter writing a proposal that won't qualify. Capital partners run the same check.

MVP scaffold; structured eligibility report mapped to §3 criteria; opt-in capital-match layer for matched-funding awards.

Pub. L. 119-83 §3

dbrf/Beacon PHASE 2 · 91–180d

OSDBU-Ready Capability Pack.

Generate the artifacts an OSDBU office actually scans for — capability matrix, past-performance, NAICS alignment, set-aside eligibility.

Counter-positions the structural SAM.gov registration bias. Preview shows what an OSDBU specialist sees on the other side of the desk.

SAM.gov · NAICS · set-aside

dbrf/Mirror PHASE 3 · 181–365d

Reviewer Match Mirror.

See the legitimate review surface — rubric, program priorities, review-stage workflow — without becoming a vendor that targets reviewers.

Defensive answer to offensive reviewer-targeting tools. Architecturally refuses reviewer-identity surfaces; the ethics posture document is public and signed.

Ethics posture · signed

dbrf/Debrief PHASE 2 · 91–180d

Debrief Analyzer + Protest Builder.

Parse the debrief, identify the findings the GAO corpus says are protestable, and assemble the structured first draft your counsel actually wants.

Built on FAR Part 19 + GAO bid-protest decision corpus. Identifies, does not file. Counsel handoff package designed with bid-protest attorneys.

GAO corpus · FAR Part 19

dbrf/Sentinel PHASE 3 · 181–365d

Continuous foreign-risk monitoring.

Watch the same eight Pub. L. 119-83 lists continuously against your awarded portfolio — so a post-award designation doesn't become a post-award termination.

Natural upsell from dbrf/Screen — same code, same citations, monitoring mode. Signal-only alerts; not a list-refresh firehose.

post-award · signal-only

SEG_02 / FEDERAL CIOs & OSDBU

For federal CIOs and OSDBU staff.

Products 03 / 10 in this segment

M-25-21 inventories, M-25-22-conformant chatbots, and the two-model verification pattern GAO-26-107828 set as the reference posture for agency acquisition forecasts.

dbrf/Manifest PHASE 1 · Q2'26

M-25-21 inventory in a skill.

Build an OMB M-25-21 AI use case inventory and close GAO-26-107828 Recommendation 1 — without standing up new infrastructure.

Skill-only distribution. No new ATO. Runs inside the agency's existing Claude or Copilot deployment.

M-25-21 · GAO Rec. 1

dbrf/Desk PHASE 3 · 181–365d

OSDBU Concierge.

Stand up an OSDBU-facing chatbot that meets OMB M-25-22 from day one — scoped, agency-hosted, audit-ready.

M-25-22 conformance documented paragraph by paragraph. Rights-impact determinations explicitly hand off to humans by design.

M-25-22 · paragraph-by-paragraph

dbrf/Horizon PHASE 3 · 181–365d

Forecast Mirror.

Apply GAO-26-107828's two-model extract-then-verify pattern to agency acquisition forecasts — for both publishers and the small businesses planning against them.

Two independent models. Citation-linked line items. Disagreement is surfaced, not silently averaged.

GAO-26-107828 · two-model

SEG_03 / DoD PROGRAM OFFICES & COs

For DoD program offices and contracting officers.

Products 01 / 10 in this segment

Phase II → III crossings stall on sole-source justifications written from a blank page. dbrf/Transition is the CO-side co-pilot, built on the actual FAR + GAO bid-protest corpus, with every assertion citation-grounded.

dbrf/Transition PHASE 2 · 91–180d

Phase III Playbook + CO Co-Pilot.

Draft sole-source justifications for Phase II → III crossings against the actual FAR Part 19 + GAO bid-protest corpus — instead of writing them from a blank page.

CO-side surface, built for COs. Every assertion carries a citation. Audit trail tracks reviewer accept/edit decisions for the contract file. Pairs with dbrf/Bridge on the applicant side: same intake schema, different outputs, different audiences.

FAR 19.1306 · GAO corpus · audit trail

SEG_04 / GOVCON INVESTORS

For GovCon investors and capital partners.

No separate product · portfolio play

The investor surface is dbrf/Bridge's opt-in capital-match layer plus the broader portfolio narrative. Strategic Breakthrough Awards depend on matching capital; the deal-flow infrastructure on the capital side does not yet exist. dbrf/Bridge is the wedge; the portfolio is the moat.

Pub. L. 119-83 §3 Strategic Breakthrough Awards depend on matching capital. The deal-flow infrastructure on the capital side does not yet exist.

dbrf/Bridge's eligibility check is the wedge. Ten products serving four buyers across federal AI and SBIR compliance — that's the moat. Citation-grounded, open source, distributed across npm/MCP/skill surfaces. No competing reference implementation exists.

10 Products · 4 Audience Segments · 3 Distribution Surfaces · 1 Namespace

04 / Production Status

Real, today.

Status snapshot as of 2026-05-07. Open source under the @dbrf npm scope — every product is inspectable, every check has a citation, every phase has a date.

5/8 Denial Lists in Production (remaining: CMIC, OFAC SDN, TSDN)
10 Products Publicly Scoped (across 4 audience segments)
0/12 Decision Gates Failed (at the 2026-05-07 review)

Citations in production: Pub. L. 119-83 §3 · Pub. L. 119-83 §50302 · NOT-OD-26-074 · OMB M-25-21 · OMB M-25-22 · GAO-26-107828 · FAR Part 19

05 / Objections

The questions we get asked.

The honest answers — what's shipped vs. what's roadmap, why ten products instead of one, why open source on federal compliance tooling, and what dbrf is not.

Why ten products instead of one?

Because the gaps the statutes left are ten distinct surfaces, with four distinct buyers. A single product would serve one audience well and the others badly. The namespace is the abstraction; the products are the work.

Why not just use a GovCon CRM like Govly?

Those track opportunities. dbrf runs the statutory checks. You can use both — most of our design partners do. dbrf is the layer beneath the pipeline.

Why not a compliance platform like Drata?

Drata maps you to frameworks (SOC 2, ISO 27001). dbrf ships the checks the federal statutes require for SBIR pre-award, M-25-21 reporting, M-25-22 chatbot deployment, and Phase III justification. Different statutes, different surface, no overlap.

How does this work with my existing Claude or Copilot setup?

Three surfaces, your choice. Use the npm package directly, point your MCP-capable agent at the relevant dbrf/<name> server, or load the dbrf-<name> skill in Claude Code. Same logic underneath, every product.

What's actually shipped today vs. roadmap?

Phase 1, today: Screen (5/8 lists in production), Manifest (skill), Bridge (MVP scaffold). Phase 2, 91–180 days: Beacon, Debrief, Transition. Phase 3, 181–365 days: Mirror, Sentinel, Desk, Horizon. Every product page names its phase and shipping window — no vapor.

Is this just for SBIR applicants?

No. Four audiences, ten products. Applicants run six; agencies run three; program offices and COs run one; investors back the portfolio. The map is in Section 4 above.

Can we self-host?

Yes. Every product is open source under the @dbrf scope. You install it where your code lives. We do not require a managed service to use the statutory checks. Hosted options exist for monitoring (Sentinel) and chatbot deployment (Desk); both are optional.

What about the three denial lists that aren't shipped yet?

CMIC, OFAC SDN, TSDN. All three are Phase 1, shipping Q2 2026. The current Screen build flags them as "pending" in the output rather than silently passing — you see exactly what was checked and what wasn't.

Why open source on federal compliance tooling?

The denial lists are public. The statutes are public. The implementation being public is how you trust it. Closed-source compliance tooling is a worse adversary problem — you don't know what it checked.

06 / Get Started

Install the check. Skip the consultant.

Ten reference implementations for the gaps the 2025–2026 federal AI and SBIR statutes created. Phase 1 ships 2026-Q2 — five denial lists in production today, three more this quarter, two skills running in design-partner deployments. Pick the product for your audience and start.

SEG_01 / Applicants
Run the eight denial lists before you submit.
$ npm install @dbrf/screen

SEG_02 / Federal CIOs · OSDBU
Close GAO Rec. 1 with a skill, not a platform.

SEG_03 / Program Offices · COs
Draft Phase III justifications against the corpus.

SEG_04 / Investors
The wedge is the eligibility check.