mancitrus/system-prompts-and-models-of-ai-tools
1
0
Fork 0
mirror of https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git synced 2026-06-17 23:09:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
33af10127d
system-prompts-and-models-o.../salesflow-saas/docs/governance/saudi-enterprise-readiness.md
Claude e11253ab12
feat(dealix): Tier-1 closure program — 10 tracks complete 
Track 1 — Truth Lock:
  docs/current-vs-target-register.md: Full subsystem maturity register
  (73 Production, 27 Partial, 2 Pilot, 32 Target, 6 Watch = 52.1% maturity)

Track 2 — Document Consistency:
  docs/governance/document-consistency-audit.md: All 6 checks PASS
  (no dangling refs, no overclaim, all paths root-safe, naming consistent)

Track 3 — Decision Plane:
  backend/app/schemas/structured_outputs.py: 17 Pydantic schemas with Provenance
  (LeadScoreCard, QualificationMemo, ProposalPack, PricingDecisionRecord,
   PartnerDossier, EconomicsModel, ApprovalPacket, TargetProfile, DDPlan,
   ValuationMemo, SynergyModel, ICMemo, BoardPackDraft, ExpansionPlan,
   StopLossPolicy, PMIProgramPlan, ExecWeeklyPack)

Track 4 — Execution Plane:
  docs/governance/workflow-inventory.md: 8 short + 8 medium + 6 long-lived
  workflows classified. 3 Temporal candidates with compensation logic.

Track 5 — Trust Fabric:
  docs/governance/trust-closure-plan.md: 5 live components + Watch adoption
  criteria for OPA/OpenFGA/Vault/Keycloak

Track 6 — Data & Connectors:
  docs/governance/connector-standard.md: Connector facade contract, semantic
  metrics dictionary, radar additions (Airbyte, Unstructured, Great Expectations)

Track 7 — Operating Plane:
  docs/governance/operating-plane-checklist.md: GitHub governance, CI/CD
  enhancements, CODEOWNERS template, OIDC/attestation roadmap

Track 8 — Saudi/GCC:
  docs/governance/saudi-enterprise-readiness.md: PDPL processing register,
  data classification, NCA ECC readiness, OWASP LLM Top 10, NIST AI RMF

Track 9 — Executive Surfaces:
  docs/governance/executive-surface-closure.md: Wiring plan with real data
  queries for Executive Room, Approval Center, Compliance Dashboard

Track 10 — Market Dominance:
  docs/governance/market-dominance-plan.md: 3-tier packaging (Core/Strategic/
  Sovereign), ROI narrative, competitive wedge, capability moat map,
  executive sales stories (CEO/CTO/CFO/CISO)

Master Checklist: docs/tier1-master-closure-checklist.md
  50 items total — 25 Done (documentation), 25 Target (runtime/integration)

https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
2026-04-16 13:08:26 +00:00

140 lines
6.4 KiB
Markdown
Raw Blame History

# Saudi/GCC Enterprise Readiness — Track 8
> **Parent**: [`saudi-compliance-and-ai-governance.md`](saudi-compliance-and-ai-governance.md)
> **Plane**: Trust | **Tracks**: Compliance, Trust
> **Version**: 1.0
---
## Objective
Transform compliance documentation into live, auditable controls that can be demonstrated to enterprise buyers and regulators.
---
## PDPL Operationalization
### Data Classification Scheme
| Classification | Definition | Examples | Handling |
|---------------|-----------|----------|---------|
| **Public** | Published information | Marketing content, public pages | No restrictions |
| **Internal** | Business operations | Analytics, reports, pipeline data | Tenant isolation |
| **Confidential** | Sensitive business data | Deal values, proposals, financials | Encryption + access control |
| **Restricted** | Regulated personal data | PII, consent records, health data | PDPL controls + audit + encryption |
### Processing Register (PDPL Article 29)
| Processing Activity | Data Categories | Legal Basis | Retention | Cross-border |
|---------------------|----------------|-------------|-----------|-------------|
| Lead capture | Name, phone, email, company | Legitimate interest + consent | Until deletion request | No |
| WhatsApp messaging | Phone, message content | Explicit consent | 24 months | Meta servers (US) — transfer control needed |
| Email outreach | Email, name | Explicit consent | 24 months | SendGrid (US) — transfer control needed |
| AI analysis | All lead data | Legitimate interest | With lead record | LLM provider APIs — anonymization recommended |
| Payment processing | Card data (tokenized) | Contract | Per Stripe retention | Stripe (US) — PCI-DSS handles |
| Affiliate tracking | Name, phone, bank details | Contract | Employment + 5 years | No |
| Analytics | Aggregated metrics | Legitimate interest | Indefinite (anonymized) | No |
### Data Residency Controls
| Data Type | Current Location | Target Location | Control |
|-----------|-----------------|-----------------|---------|
| Database (PostgreSQL) | Cloud provider | Saudi region | P1 — migrate to Saudi DC |
| Redis cache | Cloud provider | Saudi region | P1 — co-locate with DB |
| File storage | Cloud provider | Saudi region | P1 — Saudi S3-compatible |
| LLM API calls | US/Global | Evaluate Saudi-hosted | P2 — evaluate Groq/local options |
| WhatsApp messages | Meta servers | N/A (Meta infrastructure) | Transfer impact assessment |
| Email | SendGrid servers | N/A | Transfer impact assessment |
---
## NCA ECC Readiness
### Essential Cybersecurity Controls (ECC-1:2018 + 2024 update)
| Domain | Control Area | Dealix Status | Evidence |
|--------|-------------|---------------|----------|
| **Governance** | Cybersecurity policy | Partial | SECURITY.md + policy.py |
| **Governance** | Roles & responsibilities | Partial | CODEOWNERS (target) |
| **Defense** | Access control | Production | JWT + RBAC + tenant isolation |
| **Defense** | Cryptography | Partial | TLS in transit; at-rest TDE target |
| **Defense** | Network security | Partial | Docker network isolation |
| **Defense** | Application security | Production | Input validation, SAST (target) |
| **Resilience** | Incident management | Documented | Runbooks exist |
| **Resilience** | Business continuity | Target | DR plan needed |
| **Resilience** | Backup & recovery | Target | Automated backup needed |
| **Third Party** | Vendor management | Partial | Connector governance (new) |
| **Third Party** | Cloud security | Target | Cloud security posture |
---
## AI Governance Controls
### OWASP LLM Top 10 Checklist
| Risk | Control | Status |
|------|---------|--------|
| LLM01: Prompt Injection | Input sanitization + system prompt isolation | Partial |
| LLM02: Insecure Output | Output validation via Pydantic schemas | Production |
| LLM03: Training Data Poisoning | Not applicable (using external APIs) | N/A |
| LLM04: Model DoS | Rate limiting (`slowapi`) + timeout | Production |
| LLM05: Supply Chain | Model router with verified providers only | Production |
| LLM06: Sensitive Info Disclosure | No PII in prompts policy + audit | Partial |
| LLM07: Insecure Plugin Design | OpenClaw plugin contract + policy gate | Production |
| LLM08: Excessive Agency | Class B/C policy enforcement | Production |
| LLM09: Overreliance | HITL for all Class B actions | Production |
| LLM10: Model Theft | API keys in env vars, not in code | Production |
### NIST AI RMF Alignment
| Function | Activity | Dealix Implementation |
|----------|----------|----------------------|
| GOVERN | AI governance policies | MASTER_OPERATING_PROMPT.md + policy.py |
| MAP | AI use case inventory | AGENT-MAP.md (19 agents) |
| MEASURE | Performance monitoring | observability.py + model_routing_dashboard |
| MANAGE | Risk mitigation | Trust Plane + contradiction engine |
---
## Arabic-First End-to-End Path
### Target: WhatsApp Lead → Deal Close (Arabic)
```
1. WhatsApp message received (Arabic) → arabic_nlp.py detects Saudi dialect
2. Lead created with Arabic name/company → lead_service.py
3. AI qualification in Arabic → lead-qualification-agent.md
4. LeadScoreCard generated (Arabic reasoning) → structured_outputs.py
5. Approval to outreach (Class B) → approval_bridge.py
6. Arabic WhatsApp response → arabic-whatsapp-agent.md
7. Meeting booked (Arabic confirmation) → meeting_service.py
8. Proposal generated (Arabic) → proposal-drafting-agent.md
9. Contract sent for signature → esign_service.py
10. Evidence pack assembled → evidence_pack_service.py
11. Executive dashboard shows deal (Arabic) → executive-room.tsx
```
### Arabic Content Coverage
| Component | Arabic Support | Status |
|-----------|---------------|--------|
| Frontend UI labels | Full i18n (`ar.json`) | Production |
| Legal documents | 7 Arabic legal docs | Production |
| Agent prompts | Arabic WhatsApp agent | Production |
| Error messages | Partial | Target |
| Email templates | Arabic templates | Production |
| PDF reports | WeasyPrint RTL | Production |
| Compliance dashboard | Arabic control names | Production |
---
## Gate: Saudi/GCC Enterprise Readiness
- [ ] Arabic-first path works end-to-end for one flow
- [ ] PDPL processing register documented and live
- [ ] Data classification applied to at least one data flow
- [ ] NCA ECC gap analysis completed with remediation plan
- [ ] AI governance checklist included in release review process
- [ ] OWASP LLM Top 10 controls verified
- [ ] Saudi Compliance Dashboard shows real control data
Reference in New Issue View Git Blame Copy Permalink