
CODITECT Compliance Module - Master Orchestration Prompt

Module Name: CODITECT-COMPLIANCE
Version: 1.0.0
Classification: Enterprise Plugin Module
Target Verticals: Healthcare (HIPAA/FDA), Fintech (SOC2/PCI), AI Governance (EU AI Act/ISO 42001)


Executive Context

You are CODITECT-CORE, an autonomous AI development platform. This master prompt orchestrates the complete build of the CODITECT-COMPLIANCE module - an enterprise-grade compliance and regulatory oversight management system that rivals Vanta, Drata, and Hyperproof while providing unique multi-agent orchestration capabilities.

Strategic Positioning

CODITECT-COMPLIANCE differentiates through:

  1. Agentic Compliance Automation - AI agents that autonomously monitor, assess, and remediate compliance gaps
  2. Control Graph Architecture - Graph-based compliance knowledge representation enabling cross-framework mapping
  3. Regulated Industry Focus - Deep vertical specialization for healthcare AI and fintech
  4. Autonomous Evidence Collection - Integration-driven continuous compliance monitoring
  5. CODITECT Integration - Native integration with autonomous code generation ensuring compliant-by-default software delivery

Build Orchestration Sequence

Execute the following prompts in sequence. Each prompt generates artifacts that subsequent prompts depend on.

Phase 1: Foundation Documents

| Sequence | Prompt File | Output Artifact | Dependencies |
|---|---|---|---|
| 1.1 | 01-product-definition-prompt.md | Product Definition Document | None |
| 1.2 | 02-product-requirements-prompt.md | Product Requirements Document (PRD) | 1.1 |
| 1.3 | 03-software-design-document-prompt.md | Software Design Document (SDD) | 1.1, 1.2 |
| 1.4 | 04-technical-design-document-prompt.md | Technical Design Document (TDD) | 1.2, 1.3 |

Phase 2: Architecture Decisions

| Sequence | Prompt File | Output Artifact | Dependencies |
|---|---|---|---|
| 2.1 | 05-adr-control-graph-prompt.md | ADR-001: Control Graph Database | 1.3, 1.4 |
| 2.2 | 06-adr-agent-orchestration-prompt.md | ADR-002: Multi-Agent Orchestration | 1.3, 1.4 |
| 2.3 | 07-adr-evidence-collection-prompt.md | ADR-003: Evidence Collection Pipeline | 1.3, 1.4 |
| 2.4 | 08-adr-integration-framework-prompt.md | ADR-004: Integration Framework | 1.3, 1.4 |
| 2.5 | 09-adr-multi-tenancy-prompt.md | ADR-005: Multi-Tenancy & Isolation | 1.3, 1.4 |

Phase 3: Full Stack Component Build

| Sequence | Prompt File | Output Component | Dependencies |
|---|---|---|---|
| 3.1 | 10-build-domain-models-prompt.md | Domain Models & Schemas | 2.1-2.5 |
| 3.2 | 11-BUILD-CONTROL-GRAPH-PROMPT.md | Control Graph Service | 3.1 |
| 3.3 | 12-build-evidence-engine-prompt.md | Evidence Collection Engine | 3.1, 3.2 |
| 3.4 | 13-build-agent-framework-prompt.md | Compliance Agent Framework | 3.1, 3.2 |
| 3.5 | 14-build-integration-connectors-prompt.md | Integration Connectors | 3.1, 3.3 |
| 3.6 | 15-build-api-layer-prompt.md | REST/GraphQL API Layer | 3.1-3.5 |
| 3.7 | 16-build-ui-components-prompt.md | UI Components (React/Theia) | 3.6 |
| 3.8 | 17-build-trust-center-prompt.md | Trust Center Portal | 3.6, 3.7 |

Phase 4: Quality & Deployment

| Sequence | Prompt File | Output Artifact | Dependencies |
|---|---|---|---|
| 4.1 | 18-build-test-suite-prompt.md | Test Suite (Unit/Integration/E2E) | 3.1-3.8 |
| 4.2 | 19-build-deployment-prompt.md | K8s/Docker Deployment Configs | 3.1-3.8 |
| 4.3 | 20-build-documentation-prompt.md | Technical Documentation | All |

Core Domain Model Reference

The CODITECT-COMPLIANCE module operates on these core entities:

entities:
  # Regulatory Foundation
  Regulation:
    description: "Legal/standard framework (SOC2, HIPAA, EU AI Act)"
    relationships: [requires → Control, contains → Article]

  Control:
    description: "Atomic compliance requirement"
    relationships: [implemented_by → Policy, verified_by → Test, overlaps → Control]

  Policy:
    description: "Organizational policy document"
    relationships: [implements → Control, applies_to → Asset]

  # Asset Management
  Asset:
    description: "Cloud resource, application, dataset, AI model"
    relationships: [subject_to → Regulation, runs → Test, contains → Data]

  AIModel:
    description: "AI/ML model with governance requirements"
    relationships: [classified_as → RiskCategory, trained_on → Dataset, deployed_on → Asset]

  # Evidence & Monitoring
  Test:
    description: "Automated compliance check"
    relationships: [verifies → Control, runs_on → Asset, produces → Evidence]

  Evidence:
    description: "Proof of compliance (logs, configs, screenshots)"
    relationships: [supports → Control, collected_from → Asset]

  # Risk & Issues
  Risk:
    description: "Identified compliance/security risk"
    relationships: [mitigated_by → Control, impacts → Asset]

  Issue:
    description: "Compliance gap or finding"
    relationships: [relates_to → Control, assigned_to → User, remediated_by → Task]

  # Organizational
  Organization:
    description: "Tenant organization"
    relationships: [owns → Asset, subscribes_to → Framework]

  User:
    description: "Platform user with roles"
    relationships: [belongs_to → Organization, assigned → Task]
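The entity list above, together with the "Control Graph Architecture" positioning, describes a graph in which Control nodes are joined by overlaps edges and Evidence nodes support Controls. The following is an added example (not the module's own code, and not built on Neo4j) of the two operations that graph exists for: mapping one framework's control onto another framework's equivalents, and computing a per-framework posture/gap report that reuses evidence across overlapping controls. The control identifiers, the overlap pairs and the evidence item are constructed illustrations; real cross-framework mappings need expert review. One deliberate caveat: overlap is partial, so the code treats it as a single-hop relation and never chases chains (A overlaps B and B overlaps C does not mean A is satisfied by C's evidence), which keeps the posture score from over-crediting.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str
    framework: str
    description: str


@dataclass
class ControlGraph:
    """Controls are nodes; 'overlaps' (Control <-> Control) and
    'supports' (Evidence -> Control) are the edges used here."""
    controls: dict[str, Control] = field(default_factory=dict)
    overlaps: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    evidence: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_overlap(self, a: str, b: str) -> None:
        # overlaps is symmetric; both endpoints must already be known controls
        for cid in (a, b):
            if cid not in self.controls:
                raise KeyError(f"unknown control {cid}")
        self.overlaps[a].add(b)
        self.overlaps[b].add(a)

    def add_evidence(self, control_id: str, evidence_id: str) -> None:
        if control_id not in self.controls:
            raise KeyError(f"unknown control {control_id}")
        self.evidence[control_id].add(evidence_id)

    def map_to_framework(self, control_id: str, target_framework: str) -> set[str]:
        """Controls in target_framework that directly overlap control_id.
        One hop only: overlap is partial, so it is not treated as transitive."""
        return {
            other
            for other in self.overlaps.get(control_id, set())
            if self.controls[other].framework == target_framework
        }

    def covering_evidence(self, control_id: str) -> set[str]:
        """Evidence attached to the control itself or to a directly overlapping control."""
        ids = set(self.evidence.get(control_id, set()))
        for other in self.overlaps.get(control_id, set()):
            ids |= self.evidence.get(other, set())
        return ids

    def posture(self, framework: str) -> dict:
        """Gap analysis for one framework, the shape a ControlPostureAgent would report."""
        in_scope = [c for c in self.controls.values() if c.framework == framework]
        gaps = sorted(c.control_id for c in in_scope if not self.covering_evidence(c.control_id))
        covered = len(in_scope) - len(gaps)
        score = round(100 * covered / len(in_scope)) if in_scope else 0
        return {"framework": framework, "total": len(in_scope),
                "covered": covered, "score": score, "gaps": gaps}


def build_sample_graph() -> ControlGraph:
    """Constructed sample: three access-control requirements that overlap,
    plus one SOC 2 control with no evidence yet. Mappings are illustrative only."""
    g = ControlGraph()
    g.add_control(Control("SOC2-CC6.1", "SOC2", "Logical access security"))
    g.add_control(Control("SOC2-CC7.2", "SOC2", "Monitoring for anomalies"))
    g.add_control(Control("ISO27001-A.5.15", "ISO27001", "Access control"))
    g.add_control(Control("HIPAA-164.312(a)(1)", "HIPAA", "Access control"))
    g.add_overlap("SOC2-CC6.1", "ISO27001-A.5.15")
    g.add_overlap("SOC2-CC6.1", "HIPAA-164.312(a)(1)")
    # One evidence item (constructed id) collected from the identity provider
    # is attached once and reused wherever controls overlap it directly.
    g.add_evidence("ISO27001-A.5.15", "okta-mfa-policy-export-2024-01")
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    print(graph.map_to_framework("SOC2-CC6.1", "HIPAA"))
    print(graph.posture("SOC2"))
    print(graph.posture("HIPAA"))
```

Running it shows SOC 2 at 50% (CC6.1 covered through the ISO evidence, CC7.2 a gap) while HIPAA stays at 0%: the HIPAA control is two hops from the evidence, and the single-hop rule correctly refuses to count it. Whether a given overlap is strong enough to share evidence is an analyst decision the graph should record on the edge, not assume.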

Technology Stack Constraints

All implementations MUST use:

backend:
  language: Python 3.12+
  framework: FastAPI
  database: FoundationDB (primary), Neo4j (control graph)
  queue: Redis Streams
  cache: Redis

frontend:
  framework: React 18+ with TypeScript
  ide_integration: Eclipse Theia
  state: Zustand
  ui_components: shadcn/ui + Tailwind

infrastructure:
  container: Docker
  orchestration: Kubernetes
  cloud: GCP (primary), AWS (secondary)

ai_agents:
  framework: Custom CODITECT Agent Framework
  llm: Claude API (claude-sonnet-4)
  orchestration: Event-driven with FoundationDB

Agent Role Definitions

The compliance module deploys these specialized agents:

| Agent | Role | Primary Tools | Output |
|---|---|---|---|
| RegulatoryIntelligenceAgent | Monitor regulatory changes | web_search, doc_parser | Regulation updates, control mappings |
| ControlPostureAgent | Assess control health | integration_apis, telemetry | Posture scores, gap analysis |
| EvidenceCollectionAgent | Gather compliance evidence | cloud_apis, logs, configs | Evidence items, audit packages |
| RemediationAgent | Plan and execute fixes | ticketing_apis, automation | Remediation tasks, status updates |
| AuditPreparationAgent | Prepare audit materials | doc_generator, evidence_mapper | Audit packages, narratives |
| VendorRiskAgent | Assess third-party risk | vendor_apis, questionnaires | Vendor scores, risk assessments |

Framework Coverage Requirements

MVP must support:

tier_1_frameworks:  # Full automation
  - SOC 2 Type II (Trust Services Criteria)
  - ISO 27001:2022
  - HIPAA (Security & Privacy Rules)

tier_2_frameworks:  # Partial automation
  - GDPR
  - PCI DSS 4.0
  - NIST CSF 2.0

tier_3_frameworks:  # AI Governance (roadmap)
  - EU AI Act
  - ISO/IEC 42001
  - NIST AI RMF
  - FDA SaMD Guidance

Integration Requirements

Must integrate with (MVP):

cloud_providers:
  - AWS (IAM, Config, CloudTrail, GuardDuty)
  - GCP (IAM, Security Command Center, Audit Logs)
  - Azure (AD, Security Center, Monitor)

identity_providers:
  - Okta
  - Google Workspace
  - Azure AD / Entra ID

hris:
  - Rippling
  - BambooHR
  - Workday

ticketing:
  - Jira
  - Linear
  - ServiceNow

code_repos:
  - GitHub
  - GitLab

vulnerability_scanners:
  - Snyk
  - Dependabot
  - Qualys

Success Criteria

The build is complete when:

  1. Functional Completeness

    • Control graph stores 500+ controls across 6+ frameworks
    • Evidence collection runs hourly for 10+ integration types
    • 5+ compliance agents operate autonomously
    • Trust Center serves real-time posture data
  2. Quality Gates

    • Test coverage ≥ 80%
    • API response time P99 < 500ms
    • Agent token efficiency < 1000 tokens/tool call
    • Zero critical security vulnerabilities
  3. Documentation

    • Complete API documentation (OpenAPI 3.1)
    • Architecture Decision Records (5+)
    • User guides for each role
    • Integration guides for each connector

Execution Instructions

For each prompt in the sequence:

  1. Read the prompt file completely
  2. Generate the specified artifact(s)
  3. Validate against stated acceptance criteria
  4. Store in appropriate project structure
  5. Update dependency graph for next prompt

Write a checkpoint after each phase completes. If a prompt fails:

  • Log error with context
  • Attempt retry with modified approach (max 3)
  • Escalate to human review if unresolvable
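The five execution steps, the dependency columns of the phase tables and the error-handling rules above together define a small scheduler. The following is an added example (not the platform's own orchestrator) of that scheduler in Python, the stated backend language: it runs steps in dependency order, checkpoints at each phase boundary, retries a failed step with the attempt number passed through so the executor can vary its approach, and escalates once the retry budget is spent or a dependency can never be satisfied. The executor callable stands in for "generate the artifact and validate it against the acceptance criteria" and is expected to raise when validation fails. The step list is a subset of Phase 1 and 2; "max 3" is read as three retries after the initial attempt, which is an assumption, and make_flaky_executor is a constructed stand-in used only to exercise the retry path.

```python
from dataclasses import dataclass, field
from typing import Callable

MAX_RETRIES = 3  # "Attempt retry with modified approach (max 3)"; read as retries after the first try


@dataclass(frozen=True)
class Step:
    seq: str
    prompt_file: str
    phase: int
    depends_on: tuple[str, ...]


# Subset of the Phase 1 and Phase 2 tables; dependencies copied from the "Dependencies" column.
STEPS = (
    Step("1.1", "01-product-definition-prompt.md", 1, ()),
    Step("1.2", "02-product-requirements-prompt.md", 1, ("1.1",)),
    Step("1.3", "03-software-design-document-prompt.md", 1, ("1.1", "1.2")),
    Step("1.4", "04-technical-design-document-prompt.md", 1, ("1.2", "1.3")),
    Step("2.1", "05-adr-control-graph-prompt.md", 2, ("1.3", "1.4")),
)

# (step, attempt number) -> artifact text; raises if generation or validation fails
Executor = Callable[[Step, int], str]


class EscalateToHuman(Exception):
    """Raised when a step is unresolvable after the retry budget or its dependencies can never be met."""


@dataclass
class Orchestrator:
    executor: Executor
    artifacts: dict[str, str] = field(default_factory=dict)   # seq -> stored artifact
    checkpoints: list[int] = field(default_factory=list)      # phases checkpointed, in order
    log: list[str] = field(default_factory=list)              # error log with context

    def run(self, steps) -> dict[str, str]:
        pending = list(steps)
        phase = None
        while pending:
            # Dependency graph: the next step is the first whose inputs all exist as artifacts.
            ready = next((s for s in pending if all(d in self.artifacts for d in s.depends_on)), None)
            if ready is None:
                raise EscalateToHuman(f"unsatisfiable dependencies for {[s.seq for s in pending]}")
            if phase is not None and ready.phase != phase:
                self.checkpoints.append(phase)  # previous phase complete
            phase = ready.phase
            self.artifacts[ready.seq] = self._attempt(ready)
            pending.remove(ready)
        if phase is not None:
            self.checkpoints.append(phase)
        return self.artifacts

    def _attempt(self, step: Step) -> str:
        for attempt in range(1, MAX_RETRIES + 2):  # initial attempt plus MAX_RETRIES retries
            try:
                return self.executor(step, attempt)
            except Exception as exc:
                self.log.append(f"{step.seq} ({step.prompt_file}) attempt {attempt} failed: {exc}")
        raise EscalateToHuman(f"{step.seq} unresolved after {MAX_RETRIES} retries")


def run_build(steps, executor: Executor) -> dict:
    """Run the sequence and report status, artifacts, checkpoints and the error log."""
    orch = Orchestrator(executor)
    try:
        orch.run(steps)
        status = "complete"
    except EscalateToHuman as exc:
        status = f"escalated: {exc}"
    return {"status": status, "artifacts": orch.artifacts,
            "checkpoints": orch.checkpoints, "log": orch.log}


def make_flaky_executor(failures: dict[str, int]) -> Executor:
    """Constructed stand-in for generate+validate: step `seq` fails on its first failures[seq] attempts."""
    def executor(step: Step, attempt: int) -> str:
        if attempt <= failures.get(step.seq, 0):
            raise RuntimeError(f"acceptance criteria not met with approach #{attempt}")
        return f"artifact for {step.prompt_file} (attempt {attempt})"
    return executor


if __name__ == "__main__":
    print(run_build(STEPS, make_flaky_executor({"1.2": 2})))
    print(run_build(STEPS, make_flaky_executor({"1.1": 99}))["status"])
```

The error log keeps the step, prompt file and attempt number so that a human reviewer picking up an escalation sees what was tried; a step that keeps failing leaves no artifact behind, so nothing downstream is built on unvalidated output.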

Project Structure

coditect-compliance/
├── docs/
│   ├── product/
│   │   ├── PRODUCT_DEFINITION.md
│   │   ├── PRD.md
│   │   └── ROADMAP.md
│   ├── architecture/
│   │   ├── SDD.md
│   │   ├── TDD.md
│   │   └── adrs/
│   │       ├── ADR-001-control-graph.md
│   │       ├── ADR-002-agent-orchestration.md
│   │       └── ...
│   └── api/
│       └── openapi.yaml
├── src/
│   ├── domain/
│   ├── services/
│   ├── agents/
│   ├── integrations/
│   ├── api/
│   └── ui/
├── tests/
├── deploy/
└── scripts/

BEGIN EXECUTION WITH PROMPT 01-product-definition-prompt.md