v0.4 - Compliance grounding over MCP

@vivianjeet vivianjeet released this 06 Jun 12:47
· 52 commits to main since this release
f776c69

This release makes the agent ground its findings in real regulations, and
ships the memory, context, and reliability work that backs a production audit.

Highlights

Compliance grounding over MCP

The agent now speaks the Model Context Protocol on both ends. A new compliance
stage triages whether a diff is regulated and pulls the matching regulatory
passages, so a security finding cites the exact clause it breaks - for example,
a SQL-injection diff is grounded in the RBI Cyber Security Framework and
OWASP A03.

  • MCP client - the compliance node calls search_compliance_docs over
    stdio (retrieve -> compliance -> plan).
  • MCP server - compliance-rag (FastMCP) exposes the same retrieval as a
    reusable tool any MCP client can call, from Claude Desktop to a raw-SDK
    client, with no glue.
  • Pluggable framework packs - RBI, HIPAA, PCI-DSS, OWASP, and GDPR ship by
    default. Adding a framework means dropping in a packs/*.yaml file and
    re-running the seeder; no code change is needed.
  • Fails soft - a missing server or an unregulated diff yields empty context
    and a visible trace line, never a crash and never a silent "clean".
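
The fail-soft rule above, sketched as an added example (not code from this project): a compliance stage that returns empty context with a trace line for both the unregulated and the missing-server case, but keeps them distinguishable so a failed lookup cannot be read as "clean". The names Status, ComplianceContext, compliance_node and may_report_clean are hypothetical, the search callable stands in for the search_compliance_docs call, and the NO_MATCH state goes beyond what the notes describe.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Status(Enum):
    GROUNDED = "grounded"        # regulated diff, passages retrieved
    UNREGULATED = "unregulated"  # triage found no applicable framework
    NO_MATCH = "no_match"        # lookup ran and returned nothing
    UNAVAILABLE = "unavailable"  # lookup failed, compliance state unknown


@dataclass
class ComplianceContext:
    status: Status
    passages: list = field(default_factory=list)
    trace: list = field(default_factory=list)


def compliance_node(diff: str, is_regulated: Callable[[str], bool],
                    search: Callable[[str], list]) -> ComplianceContext:
    """Hypothetical stage; `search` stands in for the search_compliance_docs call."""
    if not is_regulated(diff):  # short-circuit: no lookup, but still traced
        return ComplianceContext(Status.UNREGULATED,
                                 trace=["compliance: diff not regulated, lookup skipped"])
    try:
        passages = search(diff)
    except Exception as exc:  # missing server, broken pipe, timeout, bad payload
        return ComplianceContext(Status.UNAVAILABLE, trace=[
            f"compliance: lookup failed ({type(exc).__name__}: {exc})"])
    if not passages:
        return ComplianceContext(Status.NO_MATCH,
                                 trace=["compliance: lookup returned no passages"])
    return ComplianceContext(Status.GROUNDED, list(passages),
                             [f"compliance: {len(passages)} passage(s) retrieved"])


def may_report_clean(ctx: ComplianceContext) -> bool:
    """A failed lookup is unknown, not clean; only completed decisions count."""
    return ctx.status is not Status.UNAVAILABLE


if __name__ == "__main__":
    def missing_server(query):  # constructed failure: server binary absent
        raise FileNotFoundError("compliance-rag")
    ctx = compliance_node("cur.execute('SELECT ' + q)", lambda d: "SELECT" in d, missing_server)
    print(ctx.status.value, ctx.trace, may_report_clean(ctx))
```
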

Memory, context, and orchestration

  • Four-type agent memory (semantic, episodic, procedural, in-context) with a
    typed procedural-rule lifecycle and a governance CLI.
  • Priority-ordered context budgeting and an in-graph history-compression node
    for long sessions.
  • The three audits run concurrently, with thread-safe API-key rotation under
    the fan-out.
  • Pluggable checkpointer: in-memory by default, opt-in durable SQLite.

Reliability

  • A depleted-credits 429 is classified as a terminal billing error rather
    than a transient rate limit, so it rotates keys instead of burning retries.
  • Corpus seeding is batched to stay under the embedding per-minute quota.
  • MCP tool output is normalized back to structured records on the client.

Verification

  • 163 tests passing (pytest -m "not integration").
  • Live end-to-end: a regulated diff produces cross-framework citations; an
    unregulated diff short-circuits with no lookup.

Full changelog: v0.3...v0.4