Claude a319feb6d7
feat(dealix): complete Tier-1 Sovereign Enterprise Growth OS
Governance layer (14 docs):
- MASTER_OPERATING_PROMPT.md — operating constitution (five planes, six tracks, policy classes)
- docs/ai-operating-model.md — five-plane architecture (Decision/Execution/Trust/Data/Operating)
- docs/dealix-six-tracks.md — six strategic tracks (Revenue/Intelligence/Compliance/Expansion/Operations/Trust)
- docs/governance/execution-fabric.md — OpenClaw execution plane deep dive
- docs/governance/trust-fabric.md — trust plane with contradiction engine + evidence packs
- docs/governance/saudi-compliance-and-ai-governance.md — PDPL/ZATCA/SDAIA/NCA live controls
- docs/governance/technology-radar-tier1.md — Core/Strong/Pilot/Watch/Hold classification
- docs/governance/partnership-os.md — alliance lifecycle management
- docs/governance/ma-os.md — M&A corporate development lifecycle
- docs/governance/expansion-os.md — geographic and vertical growth
- docs/governance/pmi-os.md — post-merger integration framework
- docs/governance/executive-board-os.md — executive decision surfaces
- docs/execution-matrix-90d-tier1.md — 90-day sprint execution plan
- docs/adr/0001-tier1-execution-policy-spikes.md — 8 architectural decisions

Backend (3 models, 6 services, 8 API routes):
- Contradiction Engine — detect/track system conflicts
- Evidence Pack System — tamper-evident audit proof with SHA256
- Saudi Compliance Matrix — live PDPL/ZATCA/SDAIA/NCA controls
- Executive Room — unified executive decision surface
- Connector Governance — integration health monitoring
- Model Routing Dashboard — LLM provider metrics
- Forecast Control Center — actual vs forecast across tracks
- Approval Center — enhanced approval queue with SLA

Frontend (9 components):
- Executive Room, Evidence Pack Viewer, Approval Center
- Connector Governance Board, Saudi Compliance Dashboard
- Actual vs Forecast Dashboard, Risk Heatmap
- Policy Violations Board, Partner Pipeline Board

Tooling:
- scripts/architecture_brief.py — preflight validation (40/40 checks pass)
- Updated CLAUDE.md and AGENTS.md with governance references

https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
2026-04-16 12:48:13 +00:00


# Saudi Compliance & AI Governance
> **Parent**: [`MASTER_OPERATING_PROMPT.md`](../../MASTER_OPERATING_PROMPT.md)
> **Plane**: Trust | **Tracks**: Compliance, Trust
> **Version**: 1.0 | **Status**: Canonical
---
## Overview
Dealix operates as a Saudi-first platform. Compliance is not optional or aspirational — it is enforced at the system level. This document defines the regulatory landscape and how each regulation maps to live controls.
---
## 1. PDPL — Personal Data Protection Law
**Authority**: SDAIA (Saudi Data & AI Authority)

**Penalty**: Up to SAR 5,000,000 per violation
### Control Matrix
| Control ID | Control | Implementation | Status |
|-----------|---------|----------------|--------|
| PDPL-C01 | Consent before outbound messaging | `pdpl/consent_manager.py` — check before every send | Live |
| PDPL-C02 | Consent purpose and channel tracking | `Consent` model — channel, source, opted_in_at | Live |
| PDPL-C03 | Auto-expire consent (12 months) | `consent_manager.py` — expiry check | Live |
| PDPL-C04 | Data subject access rights | `pdpl/data_rights.py` — export personal data | Live |
| PDPL-C05 | Data subject correction rights | `pdpl/data_rights.py` — update records | Live |
| PDPL-C06 | Data subject deletion rights | `pdpl/data_rights.py` — soft delete + anonymize | Live |
| PDPL-C07 | Data subject restriction rights | `pdpl/data_rights.py` — restrict processing | Live |
| PDPL-C08 | Breach notification procedures | Documented in `memory/security/pdpl-checklist.md` | Documented |
| PDPL-C09 | Cross-border transfer controls | Approval required for data leaving KSA | Documented |
| PDPL-C10 | Consent audit trail (immutable) | `PDPLConsentAudit` model — tracks all changes | Live |
| PDPL-C11 | Data minimization in logs | StructLog context scoping, no PII in logs | Live |
| PDPL-C12 | Encryption at rest | PostgreSQL TDE + application-level for PII | Planned |
| PDPL-C13 | Encryption in transit | TLS 1.3 for all connections | Live |
| PDPL-C14 | Privacy policy (Arabic) | `docs/legal/privacy-policy-ar.md` | Live |
| PDPL-C15 | Data protection policy (Arabic) | `docs/legal/data-protection-ar.md` | Live |
| PDPL-C16 | Cookie consent | `components/dealix/cookie-consent.tsx` | Live |
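
As an added illustration of controls PDPL-C01, PDPL-C02, PDPL-C03 and PDPL-C10 (this is example code, not Dealix's own `pdpl/consent_manager.py`, whose internals this page does not show), the following Python module gates every outbound send on a matching, unrevoked, unexpired consent and appends each decision to an append-only audit trail. The `Consent` and `ConsentAuditEntry` records, their field names, the 365-day reading of "12 months", and the sample contacts are all assumptions of the example.

```python
"""Consent gate in the shape of controls PDPL-C01/C02/C03/C10.
Added illustration, not Dealix's pdpl/consent_manager.py: the record types,
field names and the 365-day reading of the 12-month expiry are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# PDPL-C03: consent auto-expires after 12 months (approximated as 365 days here).
CONSENT_VALIDITY = timedelta(days=365)


@dataclass(frozen=True)
class Consent:
    contact_id: str
    channel: str                      # PDPL-C02: channel the consent covers
    purpose: str                      # PDPL-C02: purpose the consent covers
    source: str                       # where it was captured (form, import, ...)
    opted_in_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass(frozen=True)
class ConsentAuditEntry:
    at: datetime
    contact_id: str
    channel: str
    purpose: str
    allowed: bool
    reason: str


class ConsentManager:
    """Answers 'may we send to this contact on this channel for this purpose?'
    and records every answer in an append-only trail (PDPL-C10)."""

    def __init__(self, consents: List[Consent], now: Optional[datetime] = None):
        self._consents = list(consents)
        self._fixed_now = now          # injected clock so the demo is deterministic
        self._audit: List[ConsentAuditEntry] = []

    def _now(self) -> datetime:
        return self._fixed_now or datetime.now(timezone.utc)

    def _record(self, contact_id, channel, purpose, allowed, reason) -> Tuple[bool, str]:
        self._audit.append(ConsentAuditEntry(self._now(), contact_id, channel, purpose, allowed, reason))
        return allowed, reason

    def check(self, contact_id: str, channel: str, purpose: str) -> Tuple[bool, str]:
        """PDPL-C01: evaluated before every send; never raises, always audited."""
        now = self._now()
        matching = [c for c in self._consents
                    if c.contact_id == contact_id and c.channel == channel and c.purpose == purpose]
        if not matching:
            return self._record(contact_id, channel, purpose, False, "no consent for channel/purpose")
        latest = max(matching, key=lambda c: c.opted_in_at)
        if latest.revoked_at is not None and latest.revoked_at <= now:
            return self._record(contact_id, channel, purpose, False, "consent revoked")
        if now - latest.opted_in_at > CONSENT_VALIDITY:
            return self._record(contact_id, channel, purpose, False, "consent expired")
        return self._record(contact_id, channel, purpose, True, "valid consent")

    def send(self, contact_id: str, channel: str, purpose: str, body: str,
             transport: Callable[[str, str, str], str]) -> str:
        """The only path to an outbound message: denied sends never reach the transport."""
        allowed, reason = self.check(contact_id, channel, purpose)
        if not allowed:
            raise PermissionError(f"PDPL-C01 blocked send to {contact_id} via {channel}: {reason}")
        return transport(contact_id, channel, body)

    def audit_trail(self) -> Tuple[ConsentAuditEntry, ...]:
        return tuple(self._audit)     # copied out; callers cannot mutate the trail


# Constructed demo data: a fixed clock and three consent records.
FIXED_NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONSENTS = [
    Consent("c-100", "whatsapp", "marketing", "web-form", FIXED_NOW - timedelta(days=30)),
    Consent("c-200", "whatsapp", "marketing", "web-form", FIXED_NOW - timedelta(days=400)),  # stale
    Consent("c-300", "email", "marketing", "crm-import", FIXED_NOW - timedelta(days=10),
            revoked_at=FIXED_NOW - timedelta(days=1)),
]


def demo() -> dict:
    mgr = ConsentManager(SAMPLE_CONSENTS, now=FIXED_NOW)
    delivered = []

    def fake_transport(contact_id: str, channel: str, body: str) -> str:
        delivered.append((contact_id, channel, body))   # stands in for a real messaging client
        return f"sent:{contact_id}"

    results = {
        "fresh": mgr.check("c-100", "whatsapp", "marketing"),
        "expired": mgr.check("c-200", "whatsapp", "marketing"),
        "revoked": mgr.check("c-300", "email", "marketing"),
        "wrong_channel": mgr.check("c-100", "sms", "marketing"),
    }
    results["send_ok"] = mgr.send("c-100", "whatsapp", "marketing", "hello", fake_transport)
    try:
        mgr.send("c-200", "whatsapp", "marketing", "hello", fake_transport)
        results["send_blocked"] = False
    except PermissionError:
        results["send_blocked"] = True
    results["delivered"] = len(delivered)
    results["audit_entries"] = len(mgr.audit_trail())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the outcome for a fresh, an expired, a revoked and a wrong-channel contact. The design point is that the transport is only reachable through `send`, which always calls `check`, so a caller that forgets to ask for consent cannot bypass the gate, and the denied attempt still lands in the audit trail.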
---
## 2. ZATCA — E-Invoicing
**Authority**: Zakat, Tax and Customs Authority

**Requirement**: Phase 2 — Standard & Simplified E-Invoices
### Control Matrix
| Control ID | Control | Implementation | Status |
|-----------|---------|----------------|--------|
| ZATCA-C01 | VAT calculation (15%) | `zatca_compliance.py` — 15% rate | Live |
| ZATCA-C02 | Invoice format (XML/PDF-A3) | `zatca_compliance.py` — standard format | Live |
| ZATCA-C03 | Seller VAT/CR number validation | `zatca_compliance.py` — field validation | Live |
| ZATCA-C04 | SAR currency formatting | System-wide `DEFAULT_CURRENCY=SAR` | Live |
| ZATCA-C05 | Invoice UUID generation | UUID v4 per invoice | Live |
| ZATCA-C06 | QR code on simplified invoices | Not yet implemented | Planned |
| ZATCA-C07 | Integration with ZATCA sandbox | Not yet implemented | Planned |
| ZATCA-C08 | Credit/debit note support | Not yet implemented | Planned |
---
## 3. SDAIA — AI Governance
**Authority**: Saudi Data & AI Authority

**Framework**: National AI Strategy + AI Ethics Principles
### Control Matrix
| Control ID | Control | Implementation | Status |
|-----------|---------|----------------|--------|
| SDAIA-C01 | AI decision explainability | Agent outputs include reasoning in `ai_conversations` | Live |
| SDAIA-C02 | Human-in-the-loop for high-risk decisions | Class B actions require approval_token | Live |
| SDAIA-C03 | Bias monitoring for Arabic NLP | Arabic NLP includes dialect detection | Partial |
| SDAIA-C04 | AI model documentation | Agent Map (`docs/AGENT-MAP.md`) documents all agents | Live |
| SDAIA-C05 | AI governance registration | Not yet registered | Planned |
| SDAIA-C06 | Responsible AI usage policy | Documented in AGENTS.md policy classes | Live |
| SDAIA-C07 | AI output quality monitoring | `conversation_qa_reviewer` agent | Live |
| SDAIA-C08 | Model performance tracking | `observability.py` tracks latency/errors | Live |
---
## 4. NCA — National Cybersecurity Authority
**Authority**: NCA

**Framework**: Essential Cybersecurity Controls (ECC)
### Control Matrix
| Control ID | Control | Implementation | Status |
|-----------|---------|----------------|--------|
| NCA-C01 | Access control (RBAC) | JWT + role-based middleware | Live |
| NCA-C02 | Multi-tenant isolation | `tenant_id` scoping at ORM layer | Live |
| NCA-C03 | Authentication (MFA) | JWT auth live, MFA planned | Partial |
| NCA-C04 | Audit logging | `audit_log.py` — all state changes | Live |
| NCA-C05 | Incident response procedure | Documented in runbooks | Documented |
| NCA-C06 | Data residency (KSA) | Deployment target: Saudi data centers | Planned |
| NCA-C07 | Vulnerability management | `shannon_security.py` scanning | Live |
| NCA-C08 | Secure development lifecycle | CI/CD with tests, security checks | Live |
| NCA-C09 | Secrets management | Environment variables, never in code | Live |
| NCA-C10 | Network segmentation | Docker network isolation | Live |
---
## 5. Sector-Specific Regulations
### Real Estate
| Control | Status |
|---------|--------|
| Brokerage license verification | Planned |
| REGA (Real Estate General Authority) compliance | Planned |
| Commission disclosure requirements | Live (commission models) |
### Healthcare
| Control | Status |
|---------|--------|
| Patient data classification | Planned |
| MOH (Ministry of Health) data standards | Planned |
| Telemedicine regulations | Not applicable |
### Financial Services
| Control | Status |
|---------|--------|
| SAMA (Saudi Central Bank) reporting | Planned |
| AML/KYC integration | Planned |
| Payment card data (PCI-DSS posture) | Stripe handles (plugin) |
---
## 6. Data Residency & Transfer
| Requirement | Implementation | Status |
|------------|----------------|--------|
| Data stored in KSA | Target: Saudi cloud region | Planned |
| Cross-border transfer approval | Approval gate (Class B) | Designed |
| Data classification labels | Not implemented | Planned |
| Retention policies | Consent: 12 months auto-expire | Live (consent) |
| Right to erasure fulfillment | `pdpl/data_rights.py` | Live |
---
## 7. Arabic-First Compliance
All compliance-related content must be available in Arabic:

| Content | Arabic Version | Status |
|---------|---------------|--------|
| Privacy Policy | `docs/legal/privacy-policy-ar.md` | Live |
| Data Protection | `docs/legal/data-protection-ar.md` | Live |
| Consent Policy | `docs/legal/consent-policy-ar.md` | Live |
| Terms of Service | `docs/legal/terms-of-service-ar.md` | Live |
| Affiliate Rules | `docs/legal/affiliate-rules-ar.md` | Live |
| Commission Policy | `docs/legal/commission-policy-ar.md` | Live |
| Refund Policy | `docs/legal/refund-policy-ar.md` | Live |
| Compliance Dashboard | Frontend component | Building |
---
## 8. Live Compliance Matrix API
The Saudi Compliance Matrix is a live, queryable control system (not a static checklist).

**API Endpoints**:

- `GET /api/v1/compliance/matrix` — All controls with status
- `POST /api/v1/compliance/matrix/scan` — Run all live checks
- `GET /api/v1/compliance/matrix/{control_id}` — Control detail
- `GET /api/v1/compliance/risk-heatmap` — Category × severity matrix

**Live Checks**:

- PDPL consent coverage rate
- ZATCA invoice compliance rate
- Audit trail completeness
- Approval SLA compliance
- Secrets exposure scan
- Cross-tenant isolation test

Implementation: `services/saudi_compliance_matrix.py`, `models/compliance_control.py`
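
To show what a "live check" looks like in practice, here is an added Python example (illustrative code, not `services/saudi_compliance_matrix.py`) that runs three of the checks listed above: the PDPL consent coverage rate, the cross-tenant isolation test, and the secrets exposure scan. It rolls the results into findings and into the category × severity counts a risk-heatmap endpoint would serve. The control IDs reuse the matrices on this page; the `Contact` and `Finding` records, the repository classes, the 100% coverage threshold, the severity labels, the secret-literal pattern, and the sample rows and config lines are all assumptions of the example. The deliberately leaky repository exists only so the isolation check has a failure to catch.

```python
"""Added example of live compliance checks feeding a risk heatmap.
Illustrative, not Dealix's services/saudi_compliance_matrix.py: the
records, repositories, thresholds, severities and patterns are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Contact:
    tenant_id: str
    contact_id: str
    consented: bool
    messaged: bool


@dataclass(frozen=True)
class Finding:
    control_id: str
    category: str
    severity: str      # assumed scale: "low" | "medium" | "high"
    passed: bool
    detail: str


class TenantScopedRepo:
    """Filters every query by tenant_id, the NCA-C02 pattern."""
    def __init__(self, rows: Iterable[Contact]):
        self._rows = list(rows)

    def contacts(self, tenant_id: str) -> List[Contact]:
        return [r for r in self._rows if r.tenant_id == tenant_id]


class LeakyRepo(TenantScopedRepo):
    """Deliberately drops the tenant filter so the isolation check has something to catch."""
    def contacts(self, tenant_id: str) -> List[Contact]:
        return list(self._rows)


def check_consent_coverage(repo: TenantScopedRepo, tenant_id: str, threshold: float = 1.0) -> Finding:
    """PDPL consent coverage rate: share of messaged contacts that hold consent."""
    messaged = [c for c in repo.contacts(tenant_id) if c.messaged]
    rate = 1.0 if not messaged else sum(c.consented for c in messaged) / len(messaged)
    return Finding("PDPL-C01", "PDPL", "high", rate >= threshold,
                   f"{rate:.0%} of {len(messaged)} messaged contacts have consent")


def check_tenant_isolation(repo: TenantScopedRepo, tenant_id: str) -> Finding:
    """Cross-tenant isolation test: a scoped query must return only the tenant's own rows."""
    foreign = [c for c in repo.contacts(tenant_id) if c.tenant_id != tenant_id]
    return Finding("NCA-C02", "NCA", "high", not foreign,
                   f"{len(foreign)} rows from other tenants visible to {tenant_id}")


# Assumed pattern: a key-like name followed by a long literal value (env references do not match).
SECRET_PATTERN = re.compile(
    r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{16,})")


def check_secrets_exposure(lines: Iterable[str]) -> Finding:
    """Secrets exposure scan over config text (NCA-C09: secrets come from the environment, not code)."""
    hits = [n for n, line in enumerate(lines, 1) if SECRET_PATTERN.search(line)]
    detail = f"literal secrets on lines {hits}" if hits else "no literal secrets found"
    return Finding("NCA-C09", "NCA", "medium", not hits, detail)


def run_scan(repo: TenantScopedRepo, tenant_id: str, config_lines: Iterable[str]) -> List[Finding]:
    """What POST .../matrix/scan would do for one tenant: run every live check."""
    return [check_consent_coverage(repo, tenant_id),
            check_tenant_isolation(repo, tenant_id),
            check_secrets_exposure(config_lines)]


def risk_heatmap(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Category x severity matrix counting failed controls, as the heatmap endpoint would return."""
    return dict(Counter((f.category, f.severity) for f in findings if not f.passed))


# Constructed sample data standing in for ORM rows and a committed config file.
CONTACTS = [
    Contact("t1", "a", consented=True, messaged=True),
    Contact("t1", "b", consented=False, messaged=True),   # messaged without consent
    Contact("t1", "c", consented=True, messaged=False),
    Contact("t2", "d", consented=True, messaged=True),
]
CONFIG_LINES = [
    'DATABASE_URL = os.environ["DATABASE_URL"]',
    'api_key = "sk_demo_0123456789abcdefXYZ"',     # constructed placeholder, not a real key
    'password = "${DB_PASSWORD}"',
]


def demo(leaky: bool = False) -> Tuple[List[Finding], Dict[Tuple[str, str], int]]:
    repo = (LeakyRepo if leaky else TenantScopedRepo)(CONTACTS)
    findings = run_scan(repo, "t1", CONFIG_LINES)
    return findings, risk_heatmap(findings)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding.control_id, "PASS" if finding.passed else "FAIL", finding.detail)
    print(demo()[1])
```

With the scoped repository, tenant `t1` fails consent coverage (one of two messaged contacts has no consent) and the secrets scan (one literal key), while isolation passes; swapping in `LeakyRepo` makes the isolation check fail as well, which is the property a live check should have: it must be able to go red when the control regresses, otherwise it is just a static checklist with an API in front of it.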