Governance layer (14 docs):
- MASTER_OPERATING_PROMPT.md — operating constitution (five planes, six tracks, policy classes)
- docs/ai-operating-model.md — five-plane architecture (Decision/Execution/Trust/Data/Operating)
- docs/dealix-six-tracks.md — six strategic tracks (Revenue/Intelligence/Compliance/Expansion/Operations/Trust)
- docs/governance/execution-fabric.md — OpenClaw execution plane deep dive
- docs/governance/trust-fabric.md — trust plane with contradiction engine + evidence packs
- docs/governance/saudi-compliance-and-ai-governance.md — PDPL/ZATCA/SDAIA/NCA live controls
- docs/governance/technology-radar-tier1.md — Core/Strong/Pilot/Watch/Hold classification
- docs/governance/partnership-os.md — alliance lifecycle management
- docs/governance/ma-os.md — M&A corporate development lifecycle
- docs/governance/expansion-os.md — geographic and vertical growth
- docs/governance/pmi-os.md — post-merger integration framework
- docs/governance/executive-board-os.md — executive decision surfaces
- docs/execution-matrix-90d-tier1.md — 90-day sprint execution plan
- docs/adr/0001-tier1-execution-policy-spikes.md — 8 architectural decisions

Backend (3 models, 6 services, 8 API routes):
- Contradiction Engine — detect/track system conflicts
- Evidence Pack System — tamper-evident audit proof with SHA256
- Saudi Compliance Matrix — live PDPL/ZATCA/SDAIA/NCA controls
- Executive Room — unified executive decision surface
- Connector Governance — integration health monitoring
- Model Routing Dashboard — LLM provider metrics
- Forecast Control Center — actual vs forecast across tracks
- Approval Center — enhanced approval queue with SLA

Frontend (9 components):
- Executive Room, Evidence Pack Viewer, Approval Center
- Connector Governance Board, Saudi Compliance Dashboard
- Actual vs Forecast Dashboard, Risk Heatmap
- Policy Violations Board, Partner Pipeline Board

Tooling:
- scripts/architecture_brief.py — preflight validation (40/40 checks pass)
- Updated CLAUDE.md and AGENTS.md with governance references

https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
# Saudi Compliance & AI Governance

Parent: MASTER_OPERATING_PROMPT.md
Plane: Trust | Tracks: Compliance, Trust
Version: 1.0 | Status: Canonical

## Overview
Dealix operates as a Saudi-first platform. Compliance is not optional or aspirational — it is enforced at the system level. This document defines the regulatory landscape and how each regulation maps to live controls.
## 1. PDPL — Personal Data Protection Law

Authority: SDAIA (Saudi Data & AI Authority)
Penalty: Up to SAR 5,000,000 per violation

### Control Matrix

| Control ID | Control | Implementation | Status |
|---|---|---|---|
| PDPL-C01 | Consent before outbound messaging | pdpl/consent_manager.py — check before every send | Live |
| PDPL-C02 | Consent purpose and channel tracking | Consent model — channel, source, opted_in_at | Live |
| PDPL-C03 | Auto-expire consent (12 months) | consent_manager.py — expiry check | Live |
| PDPL-C04 | Data subject access rights | pdpl/data_rights.py — export personal data | Live |
| PDPL-C05 | Data subject correction rights | pdpl/data_rights.py — update records | Live |
| PDPL-C06 | Data subject deletion rights | pdpl/data_rights.py — soft delete + anonymize | Live |
| PDPL-C07 | Data subject restriction rights | pdpl/data_rights.py — restrict processing | Live |
| PDPL-C08 | Breach notification procedures | Documented in memory/security/pdpl-checklist.md | Documented |
| PDPL-C09 | Cross-border transfer controls | Approval required for data leaving KSA | Documented |
| PDPL-C10 | Consent audit trail (immutable) | PDPLConsentAudit model — tracks all changes | Live |
| PDPL-C11 | Data minimization in logs | StructLog context scoping, no PII in logs | Live |
| PDPL-C12 | Encryption at rest | PostgreSQL TDE + application-level for PII | Planned |
| PDPL-C13 | Encryption in transit | TLS 1.3 for all connections | Live |
| PDPL-C14 | Privacy policy (Arabic) | docs/legal/privacy-policy-ar.md | Live |
| PDPL-C15 | Data protection policy (Arabic) | docs/legal/data-protection-ar.md | Live |
| PDPL-C16 | Cookie consent | components/dealix/cookie-consent.tsx | Live |
## 2. ZATCA — E-Invoicing

Authority: Zakat, Tax and Customs Authority
Requirement: Phase 2 — Standard & Simplified E-Invoices

### Control Matrix

| Control ID | Control | Implementation | Status |
|---|---|---|---|
| ZATCA-C01 | VAT calculation (15%) | zatca_compliance.py — 15% rate | Live |
| ZATCA-C02 | Invoice format (XML/PDF-A3) | zatca_compliance.py — standard format | Live |
| ZATCA-C03 | Seller VAT/CR number validation | zatca_compliance.py — field validation | Live |
| ZATCA-C04 | SAR currency formatting | System-wide DEFAULT_CURRENCY=SAR | Live |
| ZATCA-C05 | Invoice UUID generation | UUID v4 per invoice | Live |
| ZATCA-C06 | QR code on simplified invoices | Planned | Planned |
| ZATCA-C07 | Integration with ZATCA sandbox | Planned | Planned |
| ZATCA-C08 | Credit/debit note support | Planned | Planned |
## 3. SDAIA — AI Governance

Authority: Saudi Data & AI Authority
Framework: National AI Strategy + AI Ethics Principles

### Control Matrix

| Control ID | Control | Implementation | Status |
|---|---|---|---|
| SDAIA-C01 | AI decision explainability | Agent outputs include reasoning in ai_conversations | Live |
| SDAIA-C02 | Human-in-the-loop for high-risk decisions | Class B actions require approval_token | Live |
| SDAIA-C03 | Bias monitoring for Arabic NLP | Arabic NLP includes dialect detection | Partial |
| SDAIA-C04 | AI model documentation | Agent Map (docs/AGENT-MAP.md) documents all agents | Live |
| SDAIA-C05 | AI governance registration | Not yet registered | Planned |
| SDAIA-C06 | Responsible AI usage policy | Documented in AGENTS.md policy classes | Live |
| SDAIA-C07 | AI output quality monitoring | conversation_qa_reviewer agent | Live |
| SDAIA-C08 | Model performance tracking | observability.py tracks latency/errors | Live |
## 4. NCA — National Cybersecurity Authority

Authority: NCA
Framework: Essential Cybersecurity Controls (ECC)

### Control Matrix

| Control ID | Control | Implementation | Status |
|---|---|---|---|
| NCA-C01 | Access control (RBAC) | JWT + role-based middleware | Live |
| NCA-C02 | Multi-tenant isolation | tenant_id scoping at ORM layer | Live |
| NCA-C03 | Authentication (MFA) | JWT auth live, MFA planned | Partial |
| NCA-C04 | Audit logging | audit_log.py — all state changes | Live |
| NCA-C05 | Incident response procedure | Documented in runbooks | Documented |
| NCA-C06 | Data residency (KSA) | Deployment target: Saudi data centers | Planned |
| NCA-C07 | Vulnerability management | shannon_security.py scanning | Live |
| NCA-C08 | Secure development lifecycle | CI/CD with tests, security checks | Live |
| NCA-C09 | Secrets management | Environment variables, never in code | Live |
| NCA-C10 | Network segmentation | Docker network isolation | Live |
## 5. Sector-Specific Regulations

### Real Estate

| Control | Status |
|---|---|
| Brokerage license verification | Planned |
| REGA (Real Estate General Authority) compliance | Planned |
| Commission disclosure requirements | Live (commission models) |

### Healthcare

| Control | Status |
|---|---|
| Patient data classification | Planned |
| MOH (Ministry of Health) data standards | Planned |
| Telemedicine regulations | Not applicable |

### Financial Services

| Control | Status |
|---|---|
| SAMA (Saudi Central Bank) reporting | Planned |
| AML/KYC integration | Planned |
| Payment card data (PCI-DSS posture) | Stripe handles (plugin) |
## 6. Data Residency & Transfer

| Requirement | Implementation | Status |
|---|---|---|
| Data stored in KSA | Target: Saudi cloud region | Planned |
| Cross-border transfer approval | Approval gate (Class B) | Designed |
| Data classification labels | Not implemented | Planned |
| Retention policies | Consent: 12 months auto-expire | Live (consent) |
| Right to erasure fulfillment | pdpl/data_rights.py | Live |
## 7. Arabic-First Compliance

All compliance-related content must be available in Arabic:

| Content | Arabic Version | Status |
|---|---|---|
| Privacy Policy | docs/legal/privacy-policy-ar.md | Live |
| Data Protection | docs/legal/data-protection-ar.md | Live |
| Consent Policy | docs/legal/consent-policy-ar.md | Live |
| Terms of Service | docs/legal/terms-of-service-ar.md | Live |
| Affiliate Rules | docs/legal/affiliate-rules-ar.md | Live |
| Commission Policy | docs/legal/commission-policy-ar.md | Live |
| Refund Policy | docs/legal/refund-policy-ar.md | Live |
| Compliance Dashboard | Frontend component | Building |
## 8. Live Compliance Matrix API

The Saudi Compliance Matrix is a live, queryable control system (not a static checklist).

API Endpoints:
- GET /api/v1/compliance/matrix — All controls with status
- POST /api/v1/compliance/matrix/scan — Run all live checks
- GET /api/v1/compliance/matrix/{control_id} — Control detail
- GET /api/v1/compliance/risk-heatmap — Category × severity matrix

Live Checks:
- PDPL consent coverage rate
- ZATCA invoice compliance rate
- Audit trail completeness
- Approval SLA compliance
- Secrets exposure scan
- Cross-tenant isolation test

Implementation: services/saudi_compliance_matrix.py, models/compliance_control.py
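As an added illustration of how controls PDPL-C01, C02, C03 and C10 from section 1 and the "PDPL consent coverage rate" live check from section 8 fit together, here is a small consent gate written for this page. It is not Dealix's consent_manager.py or PDPLConsentAudit model; the ConsentStore class, its method names and the sample contacts are constructed assumptions, and the gate is deny-by-default so a missing, expired or wrong-channel consent blocks the send.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CONSENT_TTL = timedelta(days=365)  # PDPL-C03: consent auto-expires after 12 months


@dataclass(frozen=True)
class Consent:
    contact_id: str
    channel: str            # PDPL-C02: consent is scoped to one channel
    source: str             # PDPL-C02: where the consent was captured
    opted_in_at: datetime


@dataclass
class ConsentStore:
    """Hypothetical in-memory stand-in for consent_manager.py + PDPLConsentAudit."""
    consents: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # PDPL-C10: append-only, never rewritten

    def opt_in(self, contact_id: str, channel: str, source: str, at: datetime) -> None:
        c = Consent(contact_id, channel, source, at)
        self.consents[(contact_id, channel)] = c
        self.audit.append({"event": "opt_in", "contact": contact_id, "channel": channel, "at": at.isoformat()})

    def can_send(self, contact_id: str, channel: str, now: datetime) -> tuple:
        """PDPL-C01: evaluated before every outbound message; deny unless consent is valid."""
        c = self.consents.get((contact_id, channel))
        if c is None:
            return False, "no_consent"
        if now - c.opted_in_at >= CONSENT_TTL:
            return False, "expired"
        return True, "ok"

    def coverage_rate(self, contact_ids: list, channel: str, now: datetime) -> float:
        """Section 8 live check: share of contacts that may still be messaged on `channel`."""
        if not contact_ids:
            return 0.0
        return sum(self.can_send(cid, channel, now)[0] for cid in contact_ids) / len(contact_ids)


def demo() -> dict:
    """Constructed scenario: fresh, stale, wrong-channel and missing consents for WhatsApp."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    store.opt_in("c1", "whatsapp", "web_form", now - timedelta(days=30))    # valid
    store.opt_in("c2", "whatsapp", "web_form", now - timedelta(days=400))   # past 12 months
    store.opt_in("c3", "email", "sales_call", now - timedelta(days=10))     # email only
    verdicts = {cid: store.can_send(cid, "whatsapp", now) for cid in ["c1", "c2", "c3", "c4"]}
    coverage = store.coverage_rate(list(verdicts), "whatsapp", now)
    return {"verdicts": verdicts, "coverage": coverage, "audit": [e["event"] for e in store.audit]}
```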